By Alvin Fong, CISSP, and Katherine Keefe
For Health Insurance Portability and Accountability Act (HIPAA) covered entities and business associates starting their security journey, understanding the “lifecycle” of electronic protected health information (ePHI) is an integral piece of the HIPAA risk analysis. It is critical to know where it is “born,” where it “lives,” how it is transferred to and from third-party vendors and where it is destroyed. These entities can start by sitting down with key personnel and building an ePHI inventory through interviews and information systems assessments. For larger enterprises, various content management systems and security tools can automatically identify ePHI in the organization and systematically classify data.
Despite their importance, many risk analyses are insufficient. Some companies undergoing regulatory scrutiny by the Office of Civil Rights (OCR) discover that their previous cybersecurity/audit firm had conducted only a gap analysis which does not meet OCR’s audit protocol. To prevent this from happening to your organization, make sure to ask how the cybersecurity consulting organization’s approach addresses OCR’s requirements.
To identify threats and vulnerabilities, there are critical tasks organizations should undertake to follow the risk assessment framework provided by the National Institute of Standards and Technology (NIST). In addition, a variety of tools and techniques can help to develop a list of potential cybersecurity threats and vulnerabilities. Interviews with key IT and security personnel in the organization can elicit what types of threats/vulnerabilities have been observed in the past, from external phishing threats to insider threats such as unauthorized PHI access and high-risk physical security exposures.
Resources like OWASP; a non-profit security awareness organization provide a top 10 list of vulnerabilities impacting organizations that serves as a great reference. Information sharing and analysis centers have been established in various industries, including healthcare. The Health Information Sharing and Analysis Center (H-ISAC) is focused on “sharing timely, actionable, and relevant information” on threats and vulnerabilities in the healthcare sector that include indicators of compromise, information about threat actors, and risk mitigation strategies.
Professional consulting organizations can also conduct technical security testing like vulnerability assessments and penetration testing as part of the HIPAA risk assessment. This technical security testing emulates how modern-day adversaries gain unauthorized access to PHI. These types of tests will help build a comprehensive picture of real technical vulnerabilities in your organization, meet the evaluation requirement for the HIPAA Security Rule and serve as great input into the overall risk assessment.
Alvin Fong, CISSP, is the Proactive Security practice leader at Lodestone Security LLC. A cyber risk and security professional with over 10 years of experience across defense, healthcare, and financial services industries, he helps SMBs develop security strategy, roadmaps, and risk management programs with a focus on cyber risks and data protection.
Katherine Keefe is the global focus group leader of Beazley Breach Response (BBR) Services. With over 25 years as a practicing lawyer, Katherine has extensive experience in data privacy and security issues and the regulatory and operational challenges of data breaches. A HIPAA expert, Katherine has provided regulatory compliance and breach response guidance to clients in the health care segment.