HHS Updates Security Risk Assessment Tool

Why Do So Many Entities Still Struggle with Security Risk Analysis?
Many HIPAA enforcement actions taken by federal regulators have chastised organizations for their poor security risk assessments. In light of this ongoing challenge, The Department of Health and Human Services has released an updated version of its security risk assessment tool, which includes enhancements such as improved asset and vendor risk management features.
"The risk assessment process remains the single most challenging component of HIPAA Security Rule compliance - and realistically for compliance with any security requirement," notes privacy attorney Kirk Nahra of the law firm WilmerHale. "The new HHS guidance is certainly helpful in guiding companies in this area."
Fighting Against Threats
The Security Risk Assessment Tool, Version 3.1, was jointly developed by HHS' Office for Civil Rights, which enforces HIPAA, and the Office of the National Coordinator for Health Information Technology, which promotes the adoption of health IT and secure national health information exchange.
The tool is primarily designed to aid small and midsized healthcare organizations in their efforts to assess security risks to help reduce the chance of being affected by malware, ransomware, and other cyberattacks, HHS says in a statement.
Some experts note, however, that larger institutions can also benefit from using the HHS tool.
"Large organizations can benefit from reviewing the tool to either confirm that their approach includes what is in the tool or identify opportunities for improvement in what they've established," says Keith Fricke, principal consultant at tw-Security.
Risk assessments continue to be an intimidating requirement for many organizations, notes Kate Borten, president of privacy and security consultancy The Marblehead Group.
"There's no black-and-white approach, so the inherent flexibility and broad scope can be hard to grasp and manage," she says. "Most often, that can be combated with good understanding of the basics of risk assessment. Regrettably, too many healthcare IT and security leaders have not learned those basics."
The latest version of the tool includes functionality updates based on feedback received, HHS says. New features include:
- Threat and vulnerability validation;
- Improved asset and vendor management, including multi-select and delete functions;
- Incorporation of the National Institute of Standards and Technology's Cybersecurity Framework references;
- The capability to export the assessment's "detailed report" to Excel;
- The addition of security risk assessment question-flagging and a "flagged report."
Fricke says the new threat and vulnerability management features are among the most critical for entities that are striving to improve their risk management efforts. "This is a core aspect of a security risk management program and an important part of a security risk analysis," he says.
In most of the approximately 60 HIPAA settlements issued by OCR to date, risk assessment has been noted as a top weakness of covered entities and business associates that have come under scrutiny for breaches and privacy and security complaints.
For instance, in May, OCR signed a $100,000 settlement with Fort Wayne, Indiana-based Medical Informatics Engineering, a cloud-based electronic health records vendor, after an investigation of a breach. In that settlement, the agency said its investigation revealed "that MIE did not conduct a comprehensive risk analysis prior to the breach."
The HIPAA rules require entities to perform an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of an entity's electronic protected health information, HHS notes.
A key challenge, Fricke says, is that "smaller covered entities and business associates may not have knowledgeable IT staff properly versed in how to conduct a security risk analysis. In other cases, there is a misunderstanding that a compliance checklist is the same as a risk analysis - they are not."
Because so many organizations lack a documented inventory of all PHI systems, he says, "they can't assess what they don't know exists."
Another key reason why security risk assessments are so difficult for many organizations, according to Nahra, is that "it essentially covers everything - it looks like just one of many elements of the security rule, but you could turn most HIPAA security processes into two steps - risk assessment and risk management."
Organizations of all sizes need to pay careful attention to the risk analysis issue and manage it on an ongoing basis, Nahra says. "That means covering everything when you do a core risk assessment, and then ensuring that you stay abreast of changes, either in your business operations or in the overall security context."
So what common areas of security risk do many organizations overlook in their assessments?
"People are the weakest link in security," Fricke says. "People fall victim to phishing attacks. Risk analyses can sometimes focus on the technical controls in place and pay little or no attention to the risks created by a workforce not properly educated on security awareness topics."
Disaster recovery and business continuity preparedness can be another overlooked area, especially when considering how well prepared the organization is to deal with ransomware incidents, Fricke adds.
"Ransomware often causes downtime, shining a light on the maturity of disaster recovery and business continuity processes."
Often, covered entities and business associates focus on looking for tools to secure devices and networks, Borten notes. "While that is crucial to any security program, it is only one part. Robust security programs must encompass the physical controls, and, especially, the numerous administrative processes described in the HIPAA Security Rule and NIST Cybersecurity Framework."