Every business needs a periodic security risk assessment (SRA). By performing a thorough SRA, you identify security risks, and can then come up with a plan to mitigate those risks. But performing a HIPAA risk assessment is not the same as performing an SRA for a company that is not in the healthcare field.
Sure, there is a lot of overlap, but with a HIPAA security assessment you need to make sure you’re complying with the HIPAA Security Rule, and all that that entails. Specifically, you need to know everything about your Protected Health Information (PHI) – where it’s stored, where it flows, and more. This covers paper records as well as electronic PHI (ePHI).
Some of the main considerations in a HIPAA risk assessment include:
- Ensuring encrypted ePHI in transit (email and voicemail)
- Physical audits of PHI exposure
- Higher criticality of findings based on industry
- Validated back ups
- Disposal of equipment/data
Your average IT provider, or “the IT guy” you bring in when something stops working, does not have the expertise to perform your HIPAA SRA. They don’t know where to look for issues, how to identify healthcare-specific issues, or how to implement security solutions that will mitigate the identified risks.
You need a healthcare IT company that specializes in helping healthcare practices. They will know all of the healthcare regulations and compliances issues inside and out. They know where to look to identify risks, and develop a plan to reduce your risk.
With the escalation of healthcare data breaches, you need to work with the experts to protect your practice. Think of it this way: As a medical professional, would you rather have a specialist like a trained and Board-Certified cardiologist treat you after a heart attack, or would you be OK with an osteopath treating you? You’d likely go with the specialist.
It’s the same idea when it comes to a healthcare IT SRA. You want a company that is highly trained and specializes in the healthcare field. The average “IT guy” knows information technology, but is not an expert in healthcare IT or HIPAA compliance. They could easily miss the diagnosis and come up with the wrong treatment, leaving your practice at risk.
HIPAA Security Risk Assessment Tool
You may have heard of the HIPAA Security Risk Assessment Tool developed by the Office of the National Coordinator for Health Information Technology (ONC) and the Health and Human Services Office for Civil Rights (OCR). We think the Healthcare SRA tool is comprehensive and very detailed. It’s also very complicated.
The reality is, many practices don’t have the time or the expertise to have an internal person conduct a thorough/accurate assessment because it is quite detailed and goes into many in-depth areas you may not understand. Healthcare IT is after all, a specialized field.
You also want to avoid a “checklist” SRA, because it will give you a false sense of security, and may not give you actionable intelligence.
What an Outsourced HIPPA Security Risk Assessment Entails
By now, we hope we’ve convinced you to work with healthcare IT specialists when it’s time to perform a HIPAA SRA. Your HIPAA risk assessment will cover several areas, including:
- Physical security
- Network Perimeter security
- Internal vulnerabilities
- Endpoint security
- Network policies
- File share permissions
- Active directory group membership
- End user training and security awareness
The SRA evaluates and assesses all of the potential risks and vulnerabilities related to the confidentiality and integrity of all ePHI that your practice creates, receives, maintains, or transmits.
Once we identify any risks and vulnerabilities, we will develop an action plan that you can use to mitigate risks and eliminate certain vulnerabilities. For example, as part of our healthcare security risk assessment, we may send a “phishing” email to everyone at your practice, and see if anyone bites. This is usually by clicking on a link or opening an attachment.
If they do, we notify you immediately, and those employees can undergo more training. Or if we find your password policy is weak, we can help you implement new password policy that requires unique user IDs and strong passwords requirements (at least 8 characters, multi-case, include a number and a special character, etc.). We would also recommend that all users be required to change their passwords on a regular basis, for example, every 90 days.
Common HIPAA Security Violations
HIPAA violation fines can reach up to $50,000 per occurrence, with a maximum annual penalty of $1.5 million per violation. These penalties are part of why it is crucial that your medical practice ensures that you are HIPAA compliant at all times. Whatever you do, you don’t want to get hit with a “willful neglect” violation where you know of an issue and do nothing to correct it.
So here are the most common violations, many of which can be avoided with a thorough HIPAA security risk assessment and robust security measures.
- Keeping Unsecured Records
- Not Encrypting ePHI Data
- Falling Prey to a Phishing Scam
- Hacking
- Loss or Theft of Devices
- Not Providing Adequate and Ongoing Employee Training
- Improper Disposal of Records
- Unauthorized Release of Information
All of these violations can result in the release of protected ePHI, whether for a single patient or every patient record on your system.
Are you ready to lower your risk? Scheduling an SRA is a great first step.
Work with Trusted Healthcare IT Experts for Your HIPAA SRA
How can your practice get a meaningful SRA that you can make actionable changes from? By working with a trusted healthcare IT company such as PEAKE Technology Partners. We are a full-service healthcare IT Managed Service Provider (MSP). If you have a current IT provider but need an expert HIPAA security risk assessment, we can perform that for you, covering all aspects of your practice security. Schedule a conversation today to get started.
We work with medical practices throughout the Mid-Atlantic region, including Maryland, Washington DC, Virginia, North Carolina, and southern Pennsylvania. Call 866-357-3253 or fill out the contact form to schedule a conversation to see how we can help you.