You want to be HIPAA-compliant? You need to perform a risk assessment.
It shouldn't be a surprise to know that security research shows that the healthcare industry is a prime target for hackers and assorted cybercriminals.
From insurance companies to small doctors offices to research facilities to hospitals, all have a treasure-trove of personal information that criminals are itching to get their hands on.
Not involved in the healthcare industry? If you're reading this and are in manufacturing, financial services, government, or transportation; those round out the top five targets.
“Only” a small business and think you're safe?
Think again. Cyberattacks on small businesses continue to increase as criminals realize that they are easier targets. Some research shows that 43% of phishing attacks target small business and that 1 in 40 small businesses will be targeted (that second number will increase).
What Can I Do?
Every company needs a security strategy and the basic elements of data and network security – data backup, anti virus software, network monitoring, etc. You can either do that yourself or outsource to a managed network partner.
You can also perform a risk assessment on your company. The remainder of this is geared towards HIPAA-compliance. That said, a cybersecurity risk assessment can be done for any industry, whether you need to comply with other industry-specific regulations or just want to ensure your security strategy is as airtight as possible.
Healthcare providers, payers, clearinghouses, and business associates and their subcontractors all must comply with HIPAA.
I want to remind all of you reading this that there is no such thing as HIPAA-in-a-box compliance!
There are technologies that can help you implement your HIPAA-compliance strategy, but you can't buy HIPAA compliance.
Breaches cost money. Research from PwC Health Research Institute estimates that a data breach costs $200 per patient record.
While the cost per breach will vary for other industries, can you afford that? There's also the hit to your reputation and other under the radar costs that can be more harmful to business success than the initial cost.
Assess Your Risk
How at risk are you? It's hard to defend yourself properly if you don't know the potential points of exposure.
That's why a cybersecurity assessment is so useful. By discovering gaps and cracks in your security and potential to lose PHI (personal health information) to a data breach, you can prioritize and take steps to present a nearly-impenetrable wall to hackers (“nearly” because 100% information security is impossible, regardless of anything advertising and marketing materials say).
The HIPAA Security Rule mandates assessing risk, “Organizations must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its electronic PHI.”
This isn't just an exercise performed on paper or whiteboards, a technical review needs to be completed.
ecfirst, a provider of compliance and security training and solutions, outlines seven steps to enterprise HIPAA compliance:
- Security responsibility
- Risk analysis
- Security strategy and policies
- BA supply chain
Assessing Risk: Getting Started
The first step is to gather documentation (a partial list includes):
- Security plan
- Any previous risk analysis
- Vulnerability planning and most recent scan results
- Network penetration testing policy and procedure and most recent results
- Encryption measures
- User access rules and processes
- Physical security
- Data backup strategy and procedures
- PII policies and procedures, including staff org chart with compliance responsibilities
Risk Assessment: What Needs to Be Assessed?
Great, you're thinking. What specifically do I need to assess? Here's a list:
- Document regulations and standards that your business is mandated to comply with (privacy, security, Federal or state)
- Assess policies
- Assess procedures
- Review asset management process and documents
- Review vendor agreements
- Assess deployed security controls
- Identify missing security controls
- State of encryption implementation
- Review cloud security for deployed apps and PII/PHI
- Conduct a technical vulnerability assessment for both external and internal threats
- Conduct wireless assessment
- Review firewall architecture and configuration
- Review mission-critical applications and their security
- Assess requirements for penetration testing
- Evaluate risk management program
- Assess quality and depth of security awareness training
- Review information security skill capabilities
- Assess executive priority and reporting structure for security and compliance
I know; it's an intimidating list.
Regardless of how intimidating the list looks, it's still good for your business. One element of risk assessment is to assess your networks.