HIPAA Regulator OCR Calls for ‘Enterprise-Wide Risk Analysis’ – Meet the Challenge with Cyber Risk Quantification

March 4, 2022  Jeff B. Copeland

In a recent blog post, Improving the Cybersecurity Posture of Healthcare in 2022, Lisa Pino, Director of the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services, gave some plain-talk direction to HIPAA-regulated organizations:

“All too often, we see that risk analyses only cover the electronic health record (ePHI).  I cannot underscore enough the importance of enterprise-wide risk analysis. Risk management strategies need to be comprehensive in scope.”  

OCR has put teeth behind the talk, fining Premera Blue Cross $6.85 million in 2020 and Excellus Health Plan $5.1 million in 2021 for HIPAA violations uncovered after data breaches, including failure to conduct a comprehensive, enterprise-wide risk analysis.


RiskLens offers a Cybersecurity Prioritization & Justification for Healthcare Payers and Providers solution that combines risk scenarios and curated data specific to the healthcare sector for quick access to risk analysis of ransomware, ePHI data breach and other top-of-mind cyber threats and loss events.


How to Conduct “Comprehensive Risk Analysis” for HIPAA 

The HIPAA Security Rule requires covered entities to perform a risk analysis of ePHI but does not prescribe a methodology, leaving each organization to set its own risk assessment procedures. Increasingly, healthcare payer and provider organizations are turning to a risk-based, quantitative approach to HIPAA compliance using FAIR™, the international standard for cyber risk quantification created by RiskLens co-founder Jack Jones.

FAIR analysis enables enterprise-wide risk assessment by communicating cyber risk in financial terms that are understood across the enterprise, from the SOC to the boardroom. FAIR maps directly onto the Security Rule's requirement that a risk analysis "evaluate the likelihood and impact of potential risks to e-PHI": its two top-level factors are loss event frequency (likelihood) and loss magnitude (impact), and the RiskLens platform provides users with likelihood and impact data curated for the health industry to run those analyses.

The HIPAA Security Rule also mandates implementing "security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level." Quantifying the reduction in loss exposure that a control delivers, or showing that it fails to reduce risk, is a typical use case for analysis on the RiskLens platform, and it gives the documented, dollar-denominated rationale for "reasonable and appropriate" that an OCR reviewer can follow.
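To make the preceding two points concrete (likelihood and impact as loss event frequency and loss magnitude, and the reduction in loss exposure attributable to a control), here is an added example of a FAIR-style Monte Carlo estimate of annualized loss exposure. It is illustrative code written for this article, not RiskLens platform code, and every input range, the scenario, the control and the effect assumed for it are constructed assumptions rather than curated healthcare data.

```python
"""FAIR-style Monte Carlo estimate of annualized loss exposure (ALE).

FAIR decomposes risk into Loss Event Frequency (LEF, loss events per year)
and Loss Magnitude (LM, dollars per event). Each input is a calibrated range
(min, most likely, max) rather than a point estimate; the simulation turns
those ranges into a distribution of annual loss, which is what lets a
scenario be compared before and after a control in financial terms.

All figures below are constructed for illustration; they are not RiskLens
data or healthcare-sector benchmarks.
"""
import math
import random

# Constructed inputs for one scenario: breach of a payer's crown-jewel ePHI
# database. Ranges are (min, most_likely, max).
BASELINE = {
    "lef": (0.05, 0.20, 0.50),             # loss events per year
    "lm": (500_000, 2_000_000, 8_000_000),  # dollars per loss event
}
# Same scenario after a hypothetical control assumed to cut event frequency
# (say, MFA plus tighter access control on the database) but not magnitude.
WITH_CONTROL = {
    "lef": (0.02, 0.08, 0.20),
    "lm": (500_000, 2_000_000, 8_000_000),
}


def triangular_mean(spec):
    """Analytic mean of a triangular(min, mode, max) distribution."""
    lo, mode, hi = spec
    return (lo + mode + hi) / 3.0


def expected_ale(scenario):
    """Closed-form expected ALE = E[LEF] * E[LM]; used to sanity-check the simulation."""
    return triangular_mean(scenario["lef"]) * triangular_mean(scenario["lm"])


def poisson(lam, rng):
    """Draw an event count for one simulated year at rate lam (Knuth's method)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate(scenario, trials=20_000, seed=7):
    """Monte Carlo ALE: per simulated year draw an event rate, a Poisson event
    count at that rate, and a magnitude per event; summarise in dollars."""
    rng = random.Random(seed)
    lef_lo, lef_mode, lef_hi = scenario["lef"]
    lm_lo, lm_mode, lm_hi = scenario["lm"]
    losses = []
    for _ in range(trials):
        rate = rng.triangular(lef_lo, lef_hi, lef_mode)   # note: (low, high, mode)
        events = poisson(rate, rng)
        losses.append(sum(rng.triangular(lm_lo, lm_hi, lm_mode) for _ in range(events)))
    losses.sort()

    def pct(q):
        return losses[min(int(q * trials), trials - 1)]

    return {
        "mean": sum(losses) / trials,
        "p90": pct(0.90),
        "p99": pct(0.99),
        "loss_free_years": sum(1 for x in losses if x == 0) / trials,
    }


def control_value(baseline, with_control, **kw):
    """Reduction in expected annual loss attributable to the control."""
    before = simulate(baseline, **kw)
    after = simulate(with_control, **kw)
    reduction = before["mean"] - after["mean"]
    return {
        "before": before,
        "after": after,
        "reduction": reduction,
        "reduction_pct": reduction / before["mean"],
    }


if __name__ == "__main__":
    result = control_value(BASELINE, WITH_CONTROL)
    for label in ("before", "after"):
        s = result[label]
        print(f"{label:6s} mean ALE ${s['mean']:,.0f}  p90 ${s['p90']:,.0f}  "
              f"p99 ${s['p99']:,.0f}  loss-free years {s['loss_free_years']:.0%}")
    print(f"control reduces expected annual loss by ${result['reduction']:,.0f} "
          f"({result['reduction_pct']:.0%})")
```

With these constructed ranges the closed-form expected ALE is $875,000 before the control and $350,000 after it, and the simulated means land within a few percent of those figures. The percentiles are the part a point estimate cannot give you: most simulated years have no loss event at all, so the mean understates what a bad year looks like, and it is the p90 and p99 figures that tell a board what "reasonable and appropriate" is buying down.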

For a detailed look at cyber risk quantification for health industry compliance, read this case study: RiskLens and FAIR Satisfy HIPAA Risk Analysis Requirements.