So You’ve Been Told To Do an SRA – What’s Next?
Conducting a security risk assessment (SRA) is required to comply with the HIPAA Security Rule, but you may also need to provide the results of the SRA to an insurance company in order to obtain liability insurance for your medical practice. The insurer wants to know how much of a risk they are taking on so that they can effectively set their rates.
Completing the SRA can be a complex task, especially for small to medium healthcare providers. The Security Rule mandates security standards providers need to meet to safeguard electronic Protected Health Information (ePHI) contained in electronic health records (EHR) or electronic medical records (EMR). The mandate requires detailed attention to how a provider stores, accesses, transmits, and audits ePHI.
A common ask from an insurer is for the organization to perform an assessment of its IT security risk – a Security Risk Assessment (SRA).
First, reach out to your Managed Service Provider (MSP). While not all MSPs offer a specific SRA service, yours will need to be aware of, and will be involved in, any SRA conducted by a third party.
What Should Be Included
Opinions on what should be included in an SRA will vary and the debate can get quite heated. At the minimum the SRA should look into these areas:
- Physical security
- Network perimeter security
- Internal vulnerabilities
- Endpoint security
- Network policies
In addition to those basic areas, you may want to have these additional areas reviewed:
- File share permissions
- Active Directory group membership
- End-user training and security awareness
Physical Security
Look at who has access to network closets and server rooms. Does the organization require contractors and visitors to sign in and out when coming onsite? Are there cameras in, or with views of, the entryways to these areas? Where are the network ports located? Is server and networking equipment located in a dedicated-purpose locked room?
Network Perimeter Security
Examine firewall rules and settings. Often this will involve a port scan looking for open ports and services that could be exploited by a malicious attacker.
Internal Vulnerability
In this area the SRA is looking at server infrastructure – is it patched regularly, and are there missing patches for running services that could be exploited? You would also be looking at the password length/complexity enforcement policy, user rights, and anything else that could be exploited once an attacker had breached the network perimeter and was attempting to move laterally across the network.
Endpoint Security
Here the SRA is looking at anti-virus, firewall settings, malware protection, and other features/tools designed to protect the workstations that the end users are using. In addition to endpoint protection software this will often include written workstation security and use policies and security hardening policies that are pushed out to the workstations.
Network Policies
This overlaps with a lot of the previous categories, but also includes procedures for disaster recovery and business continuity, backup and restore procedures, and new hire/termination procedures for human resources and information technology to follow. It is these policies that provide the guidance for the whole security infrastructure – from firewall to server to endpoint and user.
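Several of the areas above (patch status, password policy, endpoint protection, file share permissions and Active Directory group membership) can be evidenced with a read-only collection script rather than by hand. The following PowerShell script is an added example, not part of this article or any PEAKE deliverable. It assumes a domain-joined Windows host with the RSAT ActiveDirectory module installed, an administrator session, and the built-in SmbShare, Defender and NetSecurity modules; the thresholds (12-character minimum, 30-day patch age, 7-day signature age, three privileged-group members) are assumed local standards, not HIPAA-mandated numbers.

```powershell
#Requires -Modules ActiveDirectory
# Read-only SRA evidence collection: records findings, changes nothing.
# Thresholds are assumed local standards (adjust to your written policy).
$MinPasswordLength = 12
$PatchAgeDays      = 30
$SignatureAgeDays  = 7
$MaxAdminMembers   = 3
$Findings = New-Object System.Collections.Generic.List[object]

function Add-Finding {
    param([string]$Area, [string]$Severity, [string]$Detail)
    $Findings.Add([pscustomobject]@{ Area = $Area; Severity = $Severity; Detail = $Detail })
}

# --- Internal vulnerability: domain password policy ---
$policy = Get-ADDefaultDomainPasswordPolicy
if ($policy.MinPasswordLength -lt $MinPasswordLength) {
    Add-Finding 'Internal' 'High' "Minimum password length is $($policy.MinPasswordLength); standard is $MinPasswordLength"
}
if (-not $policy.ComplexityEnabled) { Add-Finding 'Internal' 'High' 'Password complexity is not enforced' }
if ($policy.LockoutThreshold -eq 0)  { Add-Finding 'Internal' 'Medium' 'Account lockout is disabled' }

# --- Internal vulnerability: patch currency on this host ---
$lastPatch = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
if (-not $lastPatch -or $lastPatch.InstalledOn -lt (Get-Date).AddDays(-$PatchAgeDays)) {
    Add-Finding 'Internal' 'High' "No update installed in the last $PatchAgeDays days on $env:COMPUTERNAME"
}

# --- Active Directory group membership: who holds domain-wide admin rights ---
foreach ($group in 'Domain Admins', 'Enterprise Admins', 'Schema Admins') {
    $members = @(Get-ADGroupMember -Identity $group -Recursive -ErrorAction SilentlyContinue)
    if ($members.Count -gt $MaxAdminMembers) {
        Add-Finding 'AD' 'Medium' "$group has $($members.Count) members: $($members.SamAccountName -join ', ')"
    }
}

# --- File share permissions: non-admin shares writable by broad groups ---
$broad = 'Everyone', 'Authenticated Users', 'Domain Users', 'Users'
foreach ($share in Get-SmbShare | Where-Object { -not $_.Special }) {
    foreach ($ace in Get-SmbShareAccess -Name $share.Name) {
        $principal = $ace.AccountName -replace '^.*\\', ''    # strip DOMAIN\ or NT AUTHORITY\
        if ($ace.AccessControlType -eq 'Allow' -and $ace.AccessRight -ne 'Read' -and $broad -contains $principal) {
            Add-Finding 'Shares' 'High' "Share '$($share.Name)' ($($share.Path)) grants $($ace.AccessRight) to $($ace.AccountName)"
        }
    }
}

# --- Endpoint security: Defender state and host firewall profiles ---
$mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
if ($mp) {
    if (-not $mp.RealTimeProtectionEnabled) { Add-Finding 'Endpoint' 'High' 'Defender real-time protection is off' }
    if ($mp.AntivirusSignatureAge -gt $SignatureAgeDays) {
        Add-Finding 'Endpoint' 'Medium' "AV signatures are $($mp.AntivirusSignatureAge) days old"
    }
}
foreach ($profile in Get-NetFirewallProfile) {
    if ($profile.Enabled -ne 'True') { Add-Finding 'Endpoint' 'High' "Windows Firewall profile '$($profile.Name)' is disabled" }
}

# --- Report: highest severity first, plus a CSV the assessor can attach as evidence ---
$rank = @{ High = 0; Medium = 1; Low = 2 }
$Findings | Sort-Object { $rank[$_.Severity] } | Format-Table -AutoSize
$Findings | Export-Csv -Path ".\sra-findings-$env:COMPUTERNAME.csv" -NoTypeInformation
"$($Findings.Count) finding(s) recorded"
```

Run it from an elevated PowerShell session on a domain member; the CSV it writes is the kind of artifact an assessor or underwriter can reference, and each finding maps directly to one of the SRA areas listed above. It deliberately reads state only, so it is safe to re-run on a schedule to show that the remediation plan is being maintained.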
On the whole, assessment of these areas provides a good picture of an organization’s security posture, showing where there are weaknesses that a malicious actor could exploit.
Recommendations
All this information provides the organization with a good assessment of risk. In addition to the assessment, make sure that you also get recommendations on addressing areas where improvements need to be made. You should be able to take the SRA report and create a clear plan to turn off unused services, patch vulnerabilities, replace unsupported hardware, upgrade vulnerable software, and plan for training of end users.
The end goal is to create an environment where security is automatic and your normal everyday processes and procedures reinforce and maintain high levels of data security.
A Regular Security Risk Assessment Protects Your Practice
In addition to protecting your patients and clients, a regular SRA protects your practice. That’s because by identifying security issues and correcting them, you are protecting yourself against a data breach. A data breach of patient information could mean the end of your practice, because of the resulting bad press and potential lawsuits.
By conducting a regular SRA, you not only satisfy HIPAA requirements, but you’re able to maintain medical business insurance that will help you weather the storm in the event of a data breach.
Work with PEAKE Technology Partners for a Thorough Security Risk Assessment
If your current MSP doesn’t do security risk assessments, or you tried to do it yourself and got in over your head, PEAKE Technology Partners can help. Partnering with PEAKE ensures that your organization complies with the latest HIPAA, Meaningful Use and MACRA/MIPS requirements, and gives you the documentation you need to provide to insurance underwriters.
Call 866-357-3253 or fill out the contact form to schedule a conversation.