The FAIR standard is purposefully built to measure cyber risk, but it can be used to measure compliance-based risk scenarios as well, for instance HIPAA compliance for telehealth.
The federal Department of Health and Human Services (HHS) rolled back compliance requirements on telehealth video conferencing systems in 2020 so that patients could consult a doctor during the COVID-19 pandemic on any public platform, such as Zoom or FaceTime, without violating HIPAA privacy rules.
HHS recently renewed the COVID-19 state of emergency, with its relaxed privacy enforcement, but the emergency period will eventually end, as many states have already declared. Healthcare providers should prepare for a change in policy on telehealth platforms with a cost/benefit analysis. In fact, cybersecurity teams at health organizations would be smart to add to their risk management toolkit a template for analysis of HIPAA risk, in other words the likelihood and impact of fines from the federal agency.
Ben Storm is a Risk Consultant for RiskLens
The RiskLens platform implements FAIR™ quantitative risk analysis in its Cybersecurity Prioritization and Justification solution to address the challenge CISOs face in ensuring that their teams and investments make the maximum impact and deliver the strongest return on investment (ROI) for reducing risk. Cybersecurity teams can look across their various initiatives to determine which are the most critical to invest in and execute against in a given month or quarter. They can also make project-level decisions, such as examining the HIPAA fine structure and running comparative analyses to determine the best treatment options.
HIPAA Violation Fines Example
HIPAA has a published tiered structure for compliance-based fines:
>>Tier 1: Minimum fine of $100 per violation up to $50,000 - A violation that the covered entity was unaware of and could not realistically have avoided, even had a reasonable amount of care been taken to abide by the HIPAA Rules
>>Tier 2: Minimum fine of $1,000 per violation up to $50,000 - A violation that the covered entity should have been aware of but could not have avoided even with a reasonable amount of care (falling short of willful neglect of the HIPAA Rules)
>>Tier 3: Minimum fine of $10,000 per violation up to $50,000 - A violation that is a direct result of “willful neglect” of the HIPAA Rules, in cases where an attempt has been made to correct the violation within 30 days
>>Tier 4: Minimum fine of $50,000 per violation up to $1.5M - A violation of the HIPAA Rules constituting willful neglect, where no attempt has been made to correct the violation
Comparing Risk Treatments for ROI
This structured fine system lends itself to comparison reporting, with each tier entered as a separate comparison iteration in the RiskLens platform.
In the screenshot above you will notice the option to include a risk treatment plan. In this case, the purpose of the mitigation initiative is to become compliant with the HIPAA requirements on telehealth. Its cost was estimated by forecasting how many hours would be allocated internally to meet the compliance objective, including the costs of:
>>Notifying the organization of the video conferencing platform change
>>Restricting access to the platforms
Other costs that might be entered under Loss Magnitude in the RiskLens platform include the price of licensing a new, compliant telehealth video system, or lost revenue from decreased patient appointments.
Results of a Quantitative HIPAA Risk Assessment
The results of this analysis tell a compelling story. Tier 4 is the most severe HIPAA penalty ($50K-$1.5M) and qualifies as “willful neglect”. The qualifier for the Tier 3 fine ($10K-$50K) is that the organization has to provide evidence of an attempt to mitigate within 30 days of HHS levying a Tier 4 fine ($50K-$1.5M).
The results show a risk reduction of 91.93% between the Tier 4 baseline and the Tiers 1-3 iteration, and a 95% risk reduction to a compliant state. It is also worth noting that this analysis assumes there is loss exposure even when compliant: HHS would still need to perform an audit to determine HIPAA compliance, and the costs of the audit itself are accounted for under Loss Magnitude.
When it comes to comparison reporting, the RiskLens platform has the functionality not only to compare iterative “what if” analyses, but also to calculate the ROI for each iteration based on the risk treatment plan selected.
Whether it is cyber compliance or cyber attacks, when it comes time to make a risk-informed decision, the decision maker has visibility into the ROI of each mitigation initiative, providing defensible results that allow an organization to make the best risk-informed decision possible.
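As an added illustration, not code from the RiskLens platform, the following Python treats each fine tier as a “what if” iteration and computes annualized loss exposure, the risk reduction between iterations and the ROI of a treatment plan. The tier ranges are the published ones listed above; the audit frequency, violation counts, audit cost and treatment cost are constructed assumptions, and the PERT mean stands in for the Monte Carlo sampling a FAIR tool would run.

```python
"""FAIR-style comparison of HIPAA fine tiers as 'what if' iterations.
Three-point (min, most likely, max) inputs are reduced to PERT means so the
results are reproducible without sampling. Only the tier ranges are published."""
from dataclasses import dataclass
from typing import Optional, Tuple
Est = Tuple[float, float, float]  # (minimum, most likely, maximum)
# Published tier ranges: minimum fine per violation and maximum total.
TIERS = {1: (100, 50_000), 2: (1_000, 50_000), 3: (10_000, 50_000), 4: (50_000, 1_500_000)}

def pert_mean(lo: float, ml: float, hi: float) -> float:
    """Expected value of a PERT distribution built from a three-point estimate."""
    return (lo + 4 * ml + hi) / 6

@dataclass
class Iteration:
    name: str
    tier: Optional[int]  # None models the compliant state (no fine, audit cost only)
    lef: Est             # HHS audits per year that would find a violation
    violations: Est      # violations counted in one audit
    audit_cost: Est      # cost of the audit itself, incurred in every iteration

def expected_fine(tier: int, violations: float) -> float:
    """Tier minimum per violation, capped at the tier's maximum total."""
    per_violation, cap = TIERS[tier]
    return min(per_violation * violations, cap)

def ale(it: Iteration) -> float:
    """Annualized loss exposure = LEF x LM, with LM = fine + audit cost."""
    fine = expected_fine(it.tier, pert_mean(*it.violations)) if it.tier else 0.0
    return pert_mean(*it.lef) * (fine + pert_mean(*it.audit_cost))

def risk_reduction(baseline: Iteration, treated: Iteration) -> float:
    """Fraction of the baseline ALE removed by moving to the treated iteration."""
    return (ale(baseline) - ale(treated)) / ale(baseline)

def roi(baseline: Iteration, treated: Iteration, treatment_cost: float) -> float:
    """Avoided ALE net of the treatment spend, per dollar spent."""
    return (ale(baseline) - ale(treated) - treatment_cost) / treatment_cost

# Constructed inputs: the same audit likelihood and violation count in each iteration.
LEF, VIOLATIONS, AUDIT = (0.1, 0.25, 0.5), (5, 10, 20), (20_000, 40_000, 80_000)
BASELINE = Iteration("Tier 4 baseline (willful neglect, uncorrected)", 4, LEF, VIOLATIONS, AUDIT)
TIER3 = Iteration("Tier 3 (corrected within 30 days)", 3, LEF, VIOLATIONS, AUDIT)
COMPLIANT = Iteration("Compliant (audit cost only)", None, LEF, (0, 0, 0), AUDIT)

if __name__ == "__main__":
    treatment_cost = 50_000  # constructed: staff hours plus a compliant platform licence
    for it in (BASELINE, TIER3, COMPLIANT):
        print(f"{it.name:48} ALE ${ale(it):>11,.0f}  reduction {risk_reduction(BASELINE, it):6.1%}")
    print(f"ROI of reaching compliance for ${treatment_cost:,}: {roi(BASELINE, COMPLIANT, treatment_cost):.2f}x")
```

Because the compliant iteration still carries the audit cost, its ALE is not zero, which is the point made above about loss exposure even in a compliant state.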
RiskLens enables quantitative cyber risk assessments designed specifically for healthcare. See our Cybersecurity Prioritization and Justification solution.