The HIPAA Security Rule focuses on protecting electronic Protected Health Information (ePHI) wherever it is created, received, stored, or transmitted. Healthcare providers, covered entities, and business associates are subject to audits and must be able to demonstrate regulatory compliance, both to regulators and to customers who want assurance about their security posture. The road to HIPAA compliance begins with assessing security risk and the controls that mitigate it.
A HIPAA Risk Assessment Checklist
What is HIPAA?
HIPAA was enacted in 1996, primarily to keep health insurance coverage portable as people moved from one job to another, and secondarily to set standards for handling health information. The US Department of Health and Human Services (HHS) followed with the Privacy Rule, which covered entities had to comply with by 2003. It defines Protected Health Information (PHI) as “any information held by a covered entity which concerns health status, the provision of healthcare, or payment for healthcare that can be linked to an individual.”
The HIPAA Security Rule, which took effect for most covered entities in 2005, focuses on PHI that is handled electronically (ePHI). It defines three categories of safeguards. Administrative safeguards are the policies and procedures for selecting, implementing, and maintaining security measures and for managing the workforce that handles ePHI. Physical safeguards control physical access to facilities, workstations, and devices that store ePHI. Technical safeguards cover the technology that protects ePHI, including access control, audit controls, integrity checks, authentication, and transmission security for ePHI sent over open networks.
Who is a Healthcare Provider?
According to HIPAA, healthcare providers include doctors of medicine or osteopathy who are authorized to practice medicine or surgery (as appropriate) by the State in which they practice, and any other person determined by the Secretary to be capable of providing health care services.
In practice, if a person or organization provides medical care or treatment and transmits health information electronically in connection with billing or other standard transactions, HIPAA applies to them.
What is a Covered Entity?
HIPAA defines covered entities as health plans, healthcare clearinghouses, and healthcare providers who transmit any health information electronically in connection with a HIPAA standard transaction.
What is a Business Associate?
This term broadened HIPAA’s reach. The law defines a business associate as any person or entity that performs functions or provides services on behalf of, or to, a covered entity where that work involves the use or disclosure of protected health information.
This broad definition covers everyone from third-party administrators who assist with healthcare claims processing to certified public accountants whose advisory services involve access to protected health information. Functionally, if a person or company may at any time see information that identifies a patient, the healthcare provider or covered entity should make sure that business associate is HIPAA compliant and has signed a business associate agreement (BAA) that spells out its obligations.
What Can I Do to Get Compliant?
Risk assessments are the first step to HIPAA compliance. The risk assessment shows where the organization is most exposed. The Office of the National Coordinator for Health Information Technology (ONC) created the Security Risk Assessment (SRA) Tool to help organizations identify their most significant risks by working through 156 questions.
The SRA Tool groups those 156 questions into three categories: administrative safeguards, technical safeguards, and physical safeguards.
What is the Administrative Safeguards Requirement?
The administrative safeguards requirement focuses on developing, documenting, and implementing policies and procedures to assess and manage ePHI risk.
As an initial review, organizations should work through the following items when developing appropriate safeguards:
Risk Assessment
- Create an inventory of all information systems, electronic devices, and mobile media
- Identify threats and vulnerabilities in technology, processes, workforce, and vendors to determine the likelihood of a data breach and estimate the potential harm.
- Develop and implement a risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, organizational coordination, and compliance, and that outlines the risk assessment procedures and controls.
- Share the documented risk assessment policy with the workforce members responsible for mitigating threats and vulnerabilities.
- Identify and review unauthorized or inappropriate access to ePHI that could compromise data confidentiality, integrity, or availability, as well as potential unauthorized disclosure, loss, or theft.
Security Plan and Policy
- Create a security plan that includes a continuity plan, emergency access plan, disaster recovery plan, and vendor management plan.
- Develop, document, and share with workforce members a security planning policy, with supporting training, that addresses purpose, scope, roles, responsibilities, management commitment, organizational coordination, and compliance, and that outlines the procedures for implementing security and its associated controls.
- Determine appropriate sanctions for individuals who do not comply with information security policies, and document each case in which a sanction is applied.
- Create audit procedures and system monitoring procedures to detect inappropriate access to information.
- Periodically review documentation and update if it is affected by operational or environmental changes.
- Designate a senior-level security official who develops and implements the policies and procedures that address covered entity and business associate risk, and who authorizes access to information systems.
- Ensure the individual responsible for security has adequate education and experience to review system capabilities, vulnerabilities, and mitigation practices and to advise management on security investments.
User Authorization/Segregation of Duties
- Segregate workforce member duties and service provider roles in a way that defines who may access ePHI.
- Establish and share with workforce members an access control policy that defines the purpose, scope, roles, responsibilities, management commitment, coordination expectations, and compliance requirements.
- Employ least privilege/minimum necessary access principles to ePHI.
- Create and enforce role-based access control (RBAC) policies that provide access based on job description and responsibilities.
- Develop processes that restrict access to digital or non-digital media containing ePHI and enforce them.
- Authorize and supervise workforce members who work with ePHI or in locations where ePHI is accessible.
- Develop procedures that allow the IT department to create, enable, modify, disable, and remove accounts based on users’ group and role membership, and to set the privileges of each account.
- Establish and maintain a list of authorized organizations or personnel that identifies their access level to facilities, information systems, and ePHI.
- Establish and enforce processes that monitor security roles and responsibilities of third-party providers with access to facilities, information systems, and ePHI.
- Implement procedures, captured in a role-based authorization document, that define which roles may access which ePHI.
- Assign risk designations and screening criteria for each position defined in the role-based authorization document.
- Establish policies and procedures for screening individuals before granting access authorizations.
- Establish and implement policies and procedures that terminate access when workforce member access needs change.
- Develop policies and procedures to retrieve all organizational information-system property (badges, keys, tokens, devices) when a workforce member’s role changes or ends.
- Periodically review current and on-going logical and physical access authorizations.
- Modify access based on workforce member role changes and operational needs.
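The access-control items above (least privilege and minimum necessary access, role-based access, account disablement on termination, and audit of every access decision) fit together in one enforcement point. The following is an added example, not code from the original page or from any product, showing one way to implement them: a field-level role policy that denies by default, an account lifecycle that disables rather than deletes, and an audited emergency override ("break-glass") for clinical roles only. The role names, field lists, account names, and the patient record are all constructed for the example.

```python
"""Role-based, minimum-necessary access to ePHI with a full audit trail.

Example code added to illustrate the access-control checklist items; it is not
from the original page or any product. Roles, field lists, account names and
the patient record are constructed for the example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Minimum-necessary policy at field level: a role sees only the ePHI fields its
# job function needs. Any field not listed for a role is denied by default.
ROLE_FIELDS = {
    "physician": {"name", "dob", "diagnosis", "medications", "notes"},
    "nurse": {"name", "dob", "medications", "notes"},
    "billing": {"name", "dob", "insurance_id", "diagnosis_codes"},
    "it_admin": set(),  # administers the system; never reads clinical data
}
# Only clinical roles may invoke the audited emergency override (break-glass).
BREAK_GLASS_ROLES = {"physician", "nurse"}

# Constructed sample record (not real data).
SAMPLE_RECORD = {
    "patient_id": "P-1001", "name": "Example Patient", "dob": "1970-01-01",
    "insurance_id": "INS-5555", "diagnosis": "Type 2 diabetes",
    "diagnosis_codes": ["E11.9"], "medications": ["metformin"],
    "notes": "Follow-up in 3 months",
}


@dataclass
class Account:
    user_id: str
    role: str
    enabled: bool = True


@dataclass
class AuditEvent:
    ts: str
    user_id: str
    patient_id: str
    fields: tuple
    outcome: str  # "permit", "deny" or "break_glass"
    reason: str = ""


@dataclass
class AccessControl:
    accounts: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def _log(self, user_id, patient_id, fields, outcome, reason=""):
        self.audit_log.append(AuditEvent(datetime.now(timezone.utc).isoformat(),
                                         user_id, patient_id, tuple(sorted(fields)),
                                         outcome, reason))

    def change_role(self, user_id, new_role):
        """Role change: access follows the new job function immediately."""
        if new_role not in ROLE_FIELDS:
            raise ValueError(f"unknown role {new_role!r}")
        self.accounts[user_id].role = new_role

    def disable(self, user_id):
        """Termination: disable rather than delete, so past audit events stay
        attributable to the account."""
        self.accounts[user_id].enabled = False

    def read(self, user_id, record, fields, emergency_reason=None):
        """Return the requested fields if the caller's role permits them.
        Every decision, including denials, is written to the audit log."""
        patient_id, requested = record["patient_id"], set(fields)
        acct = self.accounts.get(user_id)
        if acct is None or not acct.enabled:
            self._log(user_id, patient_id, requested, "deny", "unknown or disabled account")
            raise PermissionError("account unknown or disabled")
        allowed = ROLE_FIELDS[acct.role]
        if requested <= allowed:
            self._log(user_id, patient_id, requested, "permit")
            return {f: record[f] for f in requested}
        if emergency_reason and acct.role in BREAK_GLASS_ROLES:
            # Emergency access: override the role policy but record who, what
            # and why, so the event is reviewed afterwards.
            self._log(user_id, patient_id, requested, "break_glass", emergency_reason)
            return {f: record[f] for f in requested}
        extra = sorted(requested - allowed)
        self._log(user_id, patient_id, requested, "deny", f"outside role {acct.role}: {extra}")
        raise PermissionError(f"role {acct.role} may not read {extra}")


def demo():
    """Permit, deny, break-glass and disabled-account cases, in that order.
    Returns the audit outcomes so the trail can be checked."""
    ac = AccessControl()
    for uid, role in [("nurse.kim", "nurse"), ("bob.billing", "billing"), ("sam.it", "it_admin")]:
        ac.accounts[uid] = Account(uid, role)
    ac.read("bob.billing", SAMPLE_RECORD, ["name", "insurance_id"])  # permit
    try:
        ac.read("bob.billing", SAMPLE_RECORD, ["name", "notes"])  # deny: notes not needed for billing
    except PermissionError:
        pass
    ac.read("nurse.kim", SAMPLE_RECORD, ["diagnosis"],
            emergency_reason="ED triage, attending physician unreachable")  # break_glass
    ac.disable("sam.it")
    try:
        ac.read("sam.it", SAMPLE_RECORD, ["name"])  # deny: account disabled
    except PermissionError:
        pass
    return [e.outcome for e in ac.audit_log]
```

Two design choices matter for the checklist: denials are logged just like permits, because a string of denials is often the first sign of snooping or a compromised account, and the break-glass path is limited to clinical roles and always produces a distinct audit outcome so reviewers can pick those events out of the log.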
Security Awareness Policy
- Develop, document, and share with workforce members a security awareness policy, with supporting training, that addresses purpose, scope, roles, responsibilities, management commitment, organizational coordination, compliance, and the procedures workforce members are expected to follow.
- Review and update security awareness training and policy to ensure that it aligns with current systems and threats.
- Ensure workforce members engage in updated training when role-based authorizations change or in response to system changes.
- Ensure security awareness training includes simulated attacks, such as phishing emails carrying malicious attachments or attempts at unauthorized access, so workforce members learn to recognize spear phishing.
- Retain training records for all workforce members and business associates.
- Establish procedures and oversight for patching systems, installing software, enforcing software installation policies, and compliance monitoring.
- Monitor information systems to detect attacks, indicators of potential attacks, and unauthorized local/network/remote connections.
- Monitor physical access to information system facilities to detect and respond to physical security incidents, periodically review physical access logs, and coordinate review and investigation results with the incident response team.
- Share information about security alerts, advisories, and directives with workforce members.
- Establish procedures for guarding against, detecting, and reporting malicious software.
- Employ automated mechanisms and tools that help track security incidents to collect and analyze information.
- Establish authentication policies and procedures that set password requirements, including minimum length, when passwords must be changed, the recommended frequency of changes, and the importance of keeping passwords secret.
Incident Response Plan
- Establish incident response training that aligns with workforce member roles and responsibilities.
- Establish mechanisms to identify and respond to suspected or known security incidents, including mitigation steps and documentation requirements.
- Establish an incident response policy that outlines the purpose, scope, roles, responsibilities, management commitment, organizational coordination, compliance, and procedures for handling security incidents, and share it with workforce members.
- Provide incident response training to information system users consistent with incident response policy.
- Test incident response capability and document effectiveness of results.
- Implement the preparation, detection, analysis, containment, eradication, and recovery phases as part of the incident response policy.
- Coordinate incident handling with contingency planning, and feed lessons learned from incidents back into the incident response procedures.
Contingency Plan
- Develop and implement a contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, organizational coordination, and compliance, and that identifies critical information systems and how ePHI will remain accessible.
- Ensure the contingency plan covers a range of emergencies, such as fire, vandalism, system failure, or natural disaster.
- Establish procedures that identify essential activities, roles, and systems required for full information system restoration, including but not limited to establishing emergency access and restoring standard access controls.
- Review and update contingency policy regularly.
- Establish and implement procedures to create, maintain, and retrieve exact copies of ePHI including an alternative storage site whose security safeguards align with established procedures.
- Back up user-level information, system-level information, and information system documentation, including security-related documentation.
- Employ audited, automated overrides of role-based access control policies (break-glass access) for emergency situations, and review every use.
- Test continuity and emergency operations.
Third-Party Monitoring
- Implement policies and procedures that establish, document, review, and modify a third-party’s access to workstations, transactions, or programs and processes.
- Ensure that covered entities have obtained satisfactory assurances that business associates safeguard the information they receive.
- Document third-party and fourth party assurances through written contracts or other arrangements.
- Review contracts to ensure they address permitted uses and disclosures of ePHI, the safeguards the third party must apply (including for disclosures not anticipated in the original agreement), and the requirements for reporting security incidents.
- Develop processes to create and maintain a list of authorized maintenance organizations and personnel, and to confirm that their access to facilities, information systems, and ePHI matches their roles.
- Establish third-party monitoring process that reviews security roles and responsibilities.
Information Retention Policy
- Retain information as required by federal laws, Executive Orders, directives, policies, regulations, standards, and operational requirements.
- Ensure retention includes full life-cycle, including but not limited to disposal of information systems.
- Retain required documentation for six years from the date of its creation or the date it was last in effect, whichever is later.
- Provide an audit reduction and report generation capability that supports on-demand audit review, analysis, and reporting without altering the content or order of the original records.
- Ensure role-based authorization to records retained.
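The audit reduction and report generation item above, together with the earlier items on monitoring information systems and creating audit procedures to detect inappropriate access, describe a concrete review task: read the ePHI access log, flag the events a reviewer must look at, and summarize the rest without touching the source records. The following is an added example, not code from the original page or from any product, that runs a few such checks over a constructed JSON-lines access log: access by a disabled account, after-hours access by a non-clinical role, break-glass events, and one user reading an unusual number of distinct charts within an hour. The log format, the disabled-account list, the thresholds, and every log line are constructed for the example; a real deployment would pull the account list from the identity system and tune the thresholds to its own baseline.

```python
"""Review of an ePHI access audit log with audit reduction and reporting.

Example code added to illustrate the monitoring, audit-review and report-generation
checklist items; it is not from the original page or any product. The log format,
disabled-account list, thresholds and every log line are constructed.
"""
import hashlib
import json
from collections import Counter, defaultdict
from datetime import datetime

CLINICAL_ROLES = {"physician", "nurse"}
DISABLED_ACCOUNTS = {"former.emp"}  # in practice fed from the IAM/HR system
BUSINESS_HOURS = range(7, 19)       # 07:00-18:59; non-clinical access outside this is reviewed
SNOOP_THRESHOLD = 10                # distinct patients per user per hour before flagging

# Constructed audit log, one JSON object per line, in the shape an EHR might emit.
_BASE = [
    {"ts": "2024-03-04T09:12:00", "user": "dr.lee", "role": "physician", "patient": "P-1001", "outcome": "permit"},
    {"ts": "2024-03-04T09:15:00", "user": "bob.billing", "role": "billing", "patient": "P-1001", "outcome": "permit"},
    {"ts": "2024-03-04T23:40:00", "user": "bob.billing", "role": "billing", "patient": "P-1002", "outcome": "permit"},
    {"ts": "2024-03-04T10:00:00", "user": "nurse.kim", "role": "nurse", "patient": "P-1003", "outcome": "break_glass"},
    {"ts": "2024-03-04T10:05:00", "user": "former.emp", "role": "nurse", "patient": "P-1004", "outcome": "permit"},
    {"ts": "2024-03-04T11:00:00", "user": "dr.lee", "role": "physician", "patient": "P-1005", "outcome": "deny"},
]
# A billing clerk paging through twelve unrelated charts in under half an hour.
_SNOOP = [{"ts": f"2024-03-04T14:{2 * i:02d}:00", "user": "clerk.ann", "role": "billing",
           "patient": f"P-2{i:03d}", "outcome": "permit"} for i in range(12)]
SAMPLE_LOG = "\n".join(json.dumps(e) for e in _BASE + _SNOOP) + "\n"


def parse_log(text):
    """Parse a JSON-lines audit log into dicts with a datetime, skipping blank lines."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ev = json.loads(line)
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events


def find_issues(events):
    """Return (kind, user, detail) findings a reviewer must look at, in log order,
    followed by per-user volume findings."""
    findings = []
    per_user_hour = defaultdict(set)  # (user, hour) -> distinct patients read
    for ev in events:
        permitted = ev["outcome"] == "permit"
        if permitted and ev["user"] in DISABLED_ACCOUNTS:
            findings.append(("disabled_account_access", ev["user"], ev["patient"]))
        if ev["outcome"] == "break_glass":
            findings.append(("break_glass_review", ev["user"], ev["patient"]))
        if permitted and ev["role"] not in CLINICAL_ROLES and ev["ts"].hour not in BUSINESS_HOURS:
            findings.append(("after_hours_access", ev["user"], ev["patient"]))
        if permitted:
            per_user_hour[(ev["user"], ev["ts"].strftime("%Y-%m-%dT%H"))].add(ev["patient"])
    for (user, hour), patients in per_user_hour.items():
        if len(patients) > SNOOP_THRESHOLD:
            findings.append(("possible_snooping", user, f"{len(patients)} patients in hour {hour}"))
    return findings


def generate_report(log_text):
    """Audit reduction: summarize and flag without modifying the original log.
    The report carries a SHA-256 of the log text so it is tied to the exact
    version that was reviewed."""
    events = parse_log(log_text)
    return {
        "log_sha256": hashlib.sha256(log_text.encode()).hexdigest(),
        "events": len(events),
        "by_outcome": dict(Counter(ev["outcome"] for ev in events)),
        "findings": find_issues(events),
    }


if __name__ == "__main__":
    print(json.dumps(generate_report(SAMPLE_LOG), indent=2))
```

The report is derived from a read-only pass over the log and records the hash of the input, which is the practical form of the "without altering the content or order of the records" requirement: the original log is never rewritten, and a reviewer can later prove which version of it a report describes.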
For information on how ZenGRC can help your organization get compliant more quickly, schedule a demo.