The HIPAA Security Rule on protection of electronic protected health information (e-PHI) opens the compliance process with a requirement to conduct a risk assessment, but quickly adds that “an organization should determine the most appropriate way to achieve compliance,” as the HHS Guidance on Risk Analysis puts it.
Forward-looking healthcare payer and provider organizations are now taking that as an invitation to use cyber risk quantification with FAIR™ (Factor Analysis of Information Risk) to:
- Better meet the spirit of the rule’s direction to find the “most effective and appropriate” technical safeguards for e-PHI
- Build a risk analysis and risk management process good enough to stand up to an OCR audit for HIPAA compliance
- Gain real business value from HIPAA compliance requirements
Failure to perform an organization-wide risk analysis and the lack of a risk management process are two of the most common, and most heavily penalized, HIPAA violations. OCR levied its largest penalty ever, $6.85 million, on Premera Blue Cross after its investigation of the 2014 data breach (involving e-PHI for 10 million persons) revealed a failure to conduct comprehensive risk assessments or to take appropriate action to reduce risks.
The FAIR standard provides a consistent way to define risk, gather data on the contributing factors to risk, model risk scenarios, and quantify the probable financial impact of loss events and of risk reduction measures. Here are five reasons to take a quantitative approach to meet HIPAA’s PHI Security Rule sections on risk analysis and risk management with FAIR and the RiskLens Platform, built to run FAIR analysis.
1. Align with the HIPAA definition of risk
“Risk can be understood as a function of 1) the likelihood of a given threat triggering or exploiting a particular vulnerability, and 2) the resulting impact on the organization,” says the HHS definition, which is not far from the FAIR definition: “the probable frequency and probable magnitude of future loss.” With FAIR, analysts gather data to fill in the factors that quantify frequency and magnitude (or impact), then produce results as a range of probable loss outcomes in dollars.
2. Make risk assessments “accurate and thorough”
“Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information,” says the guidance but does not say how to justify assessments as accurate and thorough. As the internationally recognized standard for cyber risk quantification, FAIR gives that assurance. Getting to specifics on confidentiality, integrity, and availability, every FAIR analysis begins with defining a risk scenario to be analyzed and that includes defining a type of loss.
3. Assess whether a HIPAA technical safeguard is “reasonable and appropriate”
The HIPAA Security Rule mandates implementing “security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.” Health industry organizations can conduct risk treatment analysis on the RiskLens platform to model the effects of competing controls on risk reduction, a solid answer to the Security Rule’s vague language. The rule also states that if implementing a “specification” of the rule is not appropriate, the organization must document why it is not appropriate; determining the risk reduction from a control – or failure to reduce risk – is a typical use case for the RiskLens platform.
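As an added illustration of the frequency-times-magnitude definition in section 1 and the control comparison described here (example code, not RiskLens's platform code or the FAIR standard's reference implementation): a small Monte Carlo simulation that turns min/most-likely/max estimates for loss event frequency and loss magnitude into a range of annualized loss in dollars, then compares a current state against an assumed control. The scenario figures are constructed, and a triangular distribution stands in for the PERT distribution FAIR analyses typically use.

```python
import random
import statistics

# Constructed e-PHI breach scenario: (min, most likely, max) for each factor.
# Loss event frequency (LEF) is events per year; loss magnitude (LM) is dollars per event.
CURRENT_STATE = {"lef": (0.05, 0.20, 0.50), "lm": (500_000, 2_000_000, 8_000_000)}
# Assumed control that halves LEF by closing the vulnerability the threat exploits.
WITH_CONTROL = {"lef": (0.025, 0.10, 0.25), "lm": (500_000, 2_000_000, 8_000_000)}


def sample_range(rng, low, mode, high):
    """Draw one value from a (min, most likely, max) estimate.
    Triangular stands in for the PERT distribution usually used in FAIR."""
    return rng.triangular(low, high, mode)


def simulate_ale(scenario, iterations=10_000, seed=1):
    """Monte Carlo annualized loss exposure (ALE): each trial multiplies a sampled
    LEF by a sampled LM, giving dollars of probable loss per year."""
    rng = random.Random(seed)  # fixed seed so runs are reproducible
    ale = sorted(sample_range(rng, *scenario["lef"]) * sample_range(rng, *scenario["lm"])
                 for _ in range(iterations))

    def percentile(p):
        return ale[min(len(ale) - 1, int(p * len(ale)))]

    return {"mean": statistics.mean(ale), "p10": percentile(0.10),
            "p50": percentile(0.50), "p90": percentile(0.90)}


def compare_control(current, treated, **kw):
    """Risk treatment analysis: expected annual loss avoided by the control."""
    before, after = simulate_ale(current, **kw), simulate_ale(treated, **kw)
    return {"before": before, "after": after, "reduction": before["mean"] - after["mean"]}


if __name__ == "__main__":
    result = compare_control(CURRENT_STATE, WITH_CONTROL)
    for label in ("before", "after"):
        r = result[label]
        print(f"{label:7} mean ${r['mean']:,.0f}  p10 ${r['p10']:,.0f}  "
              f"p50 ${r['p50']:,.0f}  p90 ${r['p90']:,.0f}")
    print(f"expected annual loss avoided: ${result['reduction']:,.0f}")
```

The p10/p50/p90 spread is the “range of probable loss outcomes” an auditor can trace back to the input estimates, and the reduction figure is what a risk treatment comparison of competing controls rests on.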
4. Decide whether and how to use encryption
Quantitative analysis can answer this common HIPAA compliance question. You can see RiskLens analysis in action on a parallel issue, protection of personal data to meet the standards of the GDPR, in this case study of a financial institution using RiskLens to determine whether file encryption or drive encryption would yield the best ROI (spoiler: drive encryption reduced the current state of loss exposure only slightly; file encryption would save the financial institution $20 million in probable losses).
5. Document the analysis
The HIPAA Security Rule calls for documentation of the entire risk analysis process but does not specify a format. The RiskLens platform generates reporting that would satisfy any auditor, with multiple, quantified views on aggregate risk to the organization, risks ranked by impact and drill-downs to which threat communities or asset types pose the greatest probable loss exposure, all clear indicators for a “direct input to the risk management process,” as the guidance recommends.