HIPAA Security Risk Assessment for Small Practices

Cyber Health

/

November 20, 2018

Karen Walsh

“Get your flu shot.”

As a healthcare professional, you advise your patients to protect themselves and their families by getting an annual flu shot, despite the momentary unpleasantness. Additionally,, researchers work to create an effective flu vaccine to combat the most recent virus evolution. In the same way that vaccines proactively protect your patients physical health, HIPAA compliance controls protect your patients’ data health.

Online information about the Health Insurance Portability and Accountability Act (HIPAA) Security Risk Assessment requirements overwhelm you the same way vaccine information on the internet overwhelms your patients. However, thinking about cybercrime as an organic virus and data controls as the vaccination can make understanding it easier.

How much information do you collect?

As part of your HIPAA compliance, you need to assess your information security. To do this, you need to think about all the different ways you collect information, places you store it, and ways it travels. At first glance, you might think, “I only collect the minimum information necessary and store it on my secure systems.”

However, let’s take a quick look at the amount of information a single intake form collects:

  • Name
  • Birthdate
  • Address
  • Social Security Number
  • Health Insurance ID Number
  • Occupation
  • Life Partner Information
  • Primary Cardholder Name
  • Primary Cardholder Birthdate
  • Primary Cardholder Address
  • Billing Information

Before a patient even meets you for the first time, you have an entire record of all the personally identifiable information right there on a clipboard. Just like multiple strains of a virus, you collect multiple streams of information.

What is a Security Risk Assessment?

The Office of the National Coordinator for Health Information Technology (ONC) website offers a downloadable Security Risk Assessment tool (SRA). For practices with financial constrictions, the free HIPAA toolkit offers a potential solution. Unfortunately, monetarily free doesn’t always mean really free.

In 2016, two information systems researchers engaged in a case study using a small healthcare clinic. The small clinic, with no dedicated IT personnel, processed approximately 1,600 patient records. The researchers, in conjunction with the owner, needed six hours to answer 101 of the 156 questions in the SRA tool. As they noted, for many small clinics the time spent makes sense but often the questions felt repetitive for the owner.

If you think about it like a vaccine, you tell your patients that the few days of “flu-like” symptoms are their body adjusting to the virus, so the protection is worth it. In the same way, the few days of engaging in healthcare risk assessment template is worth the protection it provides.

Why using a Security Risk Assessment template doesn’t always work


If you’re a sole practitioner or small practice, you might be tempted to use an online HIPAA risk assessment checklist. These checklists help you get started, but they don’t meet the ongoing monitoring requirements embedded in HIPAA. Often, a HIPAA risk assessment template starts with creating a security plan and creating audit procedures. These act as moment-in-time reviews.

Unfortunately, additional checklist items include continuous monitoring to determine the necessity of sanctions for employee non-compliance and periodically reviewing documentation to ensure continued control effectiveness.

Thinking about it medically, you know that the flu virus evolves from season to season. Hackers evolve their methodologies to evade protections. Therefore, the same way this season’s vaccine won’t protect against next year’s flu strain, today’s data controls may not protect against next year’s malicious actor methodologies.

Does adopting a cloud-based Electronic Health Record (EHR) provider satisfy HIPAA?


A few years ago, the Centers for Medicare and Medicaid Services EHR Incentive Programs set out objectives under the Merit-Based Incentive Payment System (MIPS)  and Promoting Interoperability (PI) functions for engaging patients. As more practices incorporate these EHR services, it’s easy to think that by incorporating a HIPAA compliant vendor that you are also compliant.

As part of the security risk assessment, meaningful use doesn’t change your requirements. It just means that you need to ensure that your EHR provider protects data they access. However, you collect information that may not be part of that system. You’re still in charge of the information you collect or that your patient sends you outside of that EHR.

Putting this in terms of a flu vaccination, it’s similar to a parent and child both getting vaccinated. If the child gets vaccinated but the parent doesn’t, the parent is still at risk for getting sick. If your EHR provider is protected but you aren’t, your patients’ data is still at risk of contamination.

Examples of Risk Management in Healthcare

A HIPAA risk assessment for medical offices can be over twenty pages in length making the risk assessment and analysis frustrating and overwhelming. However, starting with a security-first approach helps ease the burden. Securing the data environment starts with a cyber security risk assessment and ends with a physical security risk assessment. However, at their most basic levels, all HIPAA risk assessments focus on making sure no one obtains access to information without needing it to do their jobs or without you giving them express permission.

The following security risk assessment examples offer an overview, although not a complete set of steps, for understanding HIPAA risk assessment requirements.

Traditional Systems and Devices

Most medical practices will start with these. The desktops or laptops your staff use as well as any software or cloud storage solution should be reviewed.

Diagnosing the Problem: Asset Inventory

  • What devices store information?
  • What devices send information?
  • What networks do you use to send and store information?
  • Do you use an EHR?
  • Do you use mobile devices for patients?
  • Do you you store backups to the cloud?
  • Do you collect handwritten or print documentation?
  • Do you have a storage location for handwritten or print documentation?

Vaccinating the Data: Finding the Protections

  • Do you create a unique user identification login and password for each employee?
  • Do you have a way to make sure employees only access information they need for their jobs and nothing more?
  • Do you have anti-malware and anti-ransomware software installed on all devices?
  • Do you have a private wireless network connection with password to which all devices connect?
  • Do you encrypt information while it’s being sent?
  • Do your data storage solutions encrypt information?
  • Do you have a way to make sure that you install security updates to devices as soon as possible?
  • Do you monitor potential unauthorized access to your systems and networks?
  • How do you manage employee access to devices and networks?
  • Do you have a way to automatically log users out of databases or devices that have been idle?
  • Do you store printed information in locked cabinets?
  • What are the physical security protections for your office, devices, and copies of printed materials?

Telemedicine Cart

If your practice uses the “standing desks on wheels” to collect intake information, you need to think about a variety of ways to protect that information.

Diagnosing the Problem: Asset Inventory

  • How many carts do you have?
  • What devices are connected to it?
  • Is it just a laptop?
  • Do you use a digital blood pressure machine or thermometer that automatically record information?
  • Do you have specialized carts for other equipment?

Vaccinating the Data: Finding the Protections

  • Are all the devices encrypted?
  • Are all the devices password protected?
  • Do the screens automatically shut off when not in use?
  • Who has access to the cart?
  • How do you physically protect the carts from theft?
  • How does the information travel?
  • Is the wireless connection encrypted or just the devices?
  • How is the wireless connection protected from external threats?

Remote Patient Monitoring Devices

Many of your patients may be using medical devices that send you information. Remote patient monitoring devices often include sensors that measure vital signs and send patient information to centralized storage or cloud locations.  

Diagnosing the Problem: Asset Inventory

  • Do you have diabetic patients using connected insulin pumps?
  • Do you have dementia patients with sensors attached to canes or walkers?
  • Do you have patients with heart disease using home monitoring devices?
  • Do you have patients using remote monitoring to increase fertility?
  • Do you have sleep apnea patients monitoring their sleep cycles with a connected device?

Vaccinating the Data: Finding the Protections

  • How does your office access the information?
  • How do you secure passwords that can access information?
  • Do you encrypt information as it travels between your devices and the database?
  • Does the database encrypt the information?

Security-First Vaccinates Your Data

By protecting ePHI with a security-first approach, you’re vaccinating your client information from a data breach. When your patients complain about having to make appointments, wait in offices, or pay for flu shots, you remind them that it’s to protect herd immunity. HIPAA intends to vaccinate data from infections and breaches, even if it takes time and money to be compliant. One of our core values at Zeguro is transparency. As you explain medical concerns to your patients, we explain security concerns to you.

  • Honesty: We’re up front about how well your protections align with HIPAA Security Rule’s requirements.
  • Clarity: Our plain language policy templates make it easy for you to understand the controls so you can protect information.
  • Simplicity: We simplify HIPAA compliance with an easy-to-navigate platform and staff who can answer your questions and ease the burden of compliance.

Contact us at Zeguro.com to learn more.