A HIPAA risk assessment should set priorities and deliver measurable business value
I recently visited with the owners of a small healthcare practice who flew into a panic after spotting a minor HIPAA problem in their office. Staff were fat-fingering stacks of paper from the copier, occasionally grabbing and stuffing a sheet into the wrong patient’s envelope.
The owners reacted in perfect crisis management mode, egged on by an eager IT vendor. A major technology upgrade, dozens of hours of staff downtime, and a fancy new collating printer solved the problem.
Total cost: $10,000. Total patient records protected: About 50 per year.
I’ve yet to see a healthcare practice whose biggest HIPAA headache is 50 sheets of paper going astray. You don’t have to dig deep to find the really scary stuff. Untrained staff and vendors who can breach tens of thousands of electronic records with a few careless clicks of the mouse. Cybersecurity protections designed for the era of floppy disks and modems. Policy and procedure documents no one can find, business associate agreements no one ever signed.
The bad news is how often the big risks get overlooked. The good news is that most of them can be mitigated for a lot less than $10,000. But only if you know how to look for them and prioritize them. Without a strategic view, you’ll spend time and money on knee-jerk reactions that don’t help” or just shut your eyes, cross your fingers, and hope for the best.
How do you decide where to focus your efforts and resources to improve privacy, security, and compliance at your small healthcare practice? Your best tool is the risk assessment. It’s required by HIPAA, it’s the foundation of any compliance plan, and it’s also a strategic best practice for any small business.
Unfortunately, too many small, private practices haven’t conducted a risk assessment in the last 12 months. A surprising number have never conducted a risk assessment. If your organization hasn’t conducted a risk assessment in the last 12 months, you’re not only unprepared for a HIPAA audit, you’re unprepared to honor the trust your patients have placed in you.
And if you have conducted a risk assessment, is it just a compliance checkmark, just a red-tape exercise to satisfy a bureaucratic mandate? Because that’s a real missed opportunity. Read on to learn how your risk assessment can guide strategic business decisions at your practice.
The limits of a checklist
A lot of risk assessment reports look the same. A long list of checkboxes: been there, did that, better do that other thing. The real fancy ones have grids with red boxes, yellow boxes, and green boxes (spoiler alert: red means bad).
You can get a good checklist from an automated network vulnerability scan. Unfortunately, we sometimes see uninformed or unscrupulous IT companies selling vuln-scans and calling them “risk assessments”. An automated network scan can help you find outdated software, exposed applications, and missing security settings on your internal computer systems. This is a good checklist to have, but it’s not a risk assessment.
It’s also common to see checklists from the HIPAA implementable specifications, mandated safeguards like auto-logoff timers, password management policies, encryption. At least these lists will cover administrative and policy controls that a network scan can’t touch, but they suffer from the limitation common to every checklist.
A checklist of vulnerabilities, weaknesses, or missed implementations is just information. Yes, it’s crucial information, but it’s not a strategy. Checklists can inform, but not replace, your real risk assessment.
Set priorities according to risk
Assuming you don’t have infinite time and money to spend fixing everything, you set priorities. And as a business owner, you’ll want to start on the biggest risks you can fix for the least cost.
How do you evaluate risk level for an identified vulnerability? There are three factors to consider.
Likelihood of an exploit
First, you need to make a realistic assessment of how likely it is that this vulnerability could be exploited by an attacker, or inadvertently exercised, either by a trusted user or just in the day-to-day goings-on in an imperfect world.
Think of all the pesky daily hassles of running a business. Hard drives crash, computers fail when you need them.Staff make mistakes no matter how much you train them. People leave laptops unprotected in their cars, they fall for phishing scams, they don’t follow policy, and they never read the manual.
Those are all very likely threats. Be careful not to get bogged down in imaginative scenarios from the latest heist-thriller topping the box office charts. Keep it mundane and focus on the boring.
And don’t leave this to your IT department. Tech-minded folks are notorious for exaggerating technology threats while down-playing people and process threats. Here’s a crazy scare-tactic advertisement from a printer manufacturer, autonomous drones buzzing the 20th floor to hack your network:
Guess what that company sells? Yep, technology to stop Phones-On-Drones. But you probably should worry more about doctors leaving their smartphones behind at a restaurant than hackers piloting them around your clinic.
Effectiveness of existing controls
The second factor is the effectiveness of existing controls, both technical controls and policy controls. You’re certain to find lots of vulnerabilities at your practice” any complex system has vulnerabilities” so now you have to evaluate how well they are protected.
Some practices make the mistake of rushing over the documentation of their existing controls. Don’t do this! Make sure your risk assessment gives full credit where credit is due. It may seem like overkill, but you should document every deadbolt, every password, every policy that protects your practice. If something goes wrong and the OCR asks to see your risk assessment, you want to lead with your strengths!
It’s good to be able to compare against a comprehensive checklist of new controls you could implement. There’s always room for improvement and your risk assessment should evaluate the feasibility of improving your policies or leveraging new cybersecurity protections like two-factor authentication or encryption.
But there’s one more factor to consider before you can tell where your priorities should lie.
This third factor that determines risk level is the potential impact on privacy and security. If a vulnerability is exercised, in spite of your existing controls, what kind of damage are you looking at?
Potential impact is the factor our friends with the $10,000 printer lost sight of. There was definitely a vulnerability at that practice and prohibited disclosures were definitely taking place. But the potential impact” 50 records breached per year” is completely out of proportion to the cost and complexity of the new controls set up to prevent them.
This is not to say some breaches are freebies. Every data breach, no matter how small, is a violation of a patient’s civil right to privacy. But you almost certainly have bigger problems than a mere 50 records, and the money you spend plugging that pinhole leaves you with less money to shut the barn door that could expose thousands of other records.
A real risk assessment” one that sets priorities and risk levels based on likelihood, effectiveness, and impact” is one of the best investments you can make in your small business. It will prepare you for realistic threats and improve your privacy and security safeguards.
And a risk assessment will ensure that you’re allocating resources effectively, fixing real problems and implementing realistic solutions. It can save you from wasting thousands of dollars on fancy technology or burdensome procedures that don’t fit the way your healthcare practice operates.
Remember, HIPAA doesn’t demand heroic measures. The standard you’re aiming for is “reasonable and appropriate” after considering all factors, including the size, nature and, yes, the budget of your organization. The risk assessment report is where you document all those factors and justify the decisions you make.
And by improving your business processes, by improving your security and privacy safeguards, you’re automatically improving your compliance posture. HIPAA compliance doesn’t come from marks on a checklist; it grows out of mature business processes. If you establish good procedures and modern security protections appropriate for your type of healthcare practice” all documented!” you can feel confident if you ever receive one of those letters from the Office of Civil Rights.
The new normal
Or maybe I should say when, not if. Because unfortunately, data breaches and impermissible disclosures can happen even in spite of the best security controls and the best professional efforts of awell-trained staff.
Healthcare is a target in this golden age of data breaches, because the patient data you are holding is extremely valuable. If a criminal can get hold of your patient records, they’ve got everything they need to commit insurance fraud, tax fraud, banking fraud, or even obtain controlled prescriptions and medical care. There are organized criminal enterprises trying to steal your patient data” and they’re looking for the easiest way, not the coolest way.
So when your small healthcare practice experiences a data breach” not if, but when” it’s your risk assessment that determines how high the fines go. You already know that those fines are no joke:
- Twelve-physician practice. Lost flash drive: $150,000
- Thirteen-physician practice. Laptop smash-and-grab from employee’s car: $750,000
- Two-physician practice, 441 patient records. Stolen laptop: $50,000
- Snooping employee, two patient records compromised: $865,500
In each of these cases, the Office of Civil Rights identified the primary HIPAA violation as the failure to conduct a risk assessment. When you suffer a breach, you don’t want to pay the added premium they tack on for practices who demonstrate reckless disregard of their obligation to conduct a risk assessment.
Plan ahead for peace of mind
A regular risk assessment is a HIPAA requirement, but there are many different ways you can satisfy the obligation.There’s nothing in the law that requires a third-party risk assessment and small practices can do a lot of the work in-house, with the proper support.
Beyond a certain size and complexity, risk assessment can become a daunting task for an already over-committed practice manager or owner. I often meet harried practice managers who are frustrated after combing through piles of paperwork for months without ever making any real progress.
If you’re struggling with your risk assessment, please reach out. We can turn that millstone into a milestone and get your compliance strategy back on track. Our unique risk assessment process and philosophy will save your staff dozens or even hundreds of hours of work. You’ll sleep better knowing you have a real risk assessment to guide the improvements you want to make at your healthcare practice.