If one lesson is clear from the constant stream of recent settlements announced by the Office for Civil Rights, it is that covered entities are not implementing risk management plans to reduce risks to protected health information (PHI) to an acceptable and appropriate level. The frequency of seeing the same finding is a strong indicator of a more systemic issue – that organizations could use more detailed guidance on how to manage risks.
Conduct a “Risk Analysis”
Managing risk to PHI is really two separate steps. First involves identification and prioritization of risk. This control is referred to as a risk analysis and the HIPAA Security Rule requires under 164.308(a)(1)(ii)(A) to Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
While the HIPAA Security Rule took effect in 2005, it was not until 2010 that HHS released formal guidance on how to conduct a risk assessment. That guidance was based on the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30, Risk Management Guide for Information Technology Systems. This guidance defined an acceptable risk assessment process that would meet the minimum requirement to meet the HIPAA Implementation Specifications.
NIST subsequently updated SP 800-30 with Revision 1 in September 2012. The newer version acknowledges that there are other risks besides information technology, including strategic and business process.
Implement a “Risk Management” Plan
Many covered entities and business associates agreeing to resolution agreements and corrective action plans with OCR are the result of their struggle with how to take a risk analysis and then Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a). The risk management plan is needed to, “Implement policies and procedures to prevent, detect, contain, and correct security violations” as required under the Security Rule’s Security Management Process Standard (164.308(a)(1)(i)).
There are six key characteristics of developing an effective risk management plan. Some of the guidance is derived from NIST SP 800-39, Managing Information Security Risk Organization, Mission, and Information System View, but other characteristics come from high performing organizations and international standards.
Define the Paths
First, organizations need to first define and communicate acceptable risk response options. This step helps focus the discussion and ultimately, it reduces the time needed to agree on a course of action. Typically, response options should be limited to following the four defined in the NIST SP 800-39:
- Risk Mitigation – reducing the likelihood or impact of an adverse event
- Risk Sharing or Transfer – shifting risk liability and responsibility to another organization, such as an insurance carrier
- Risk Avoidance – making a strategic decision to stop a process or activity that has an unacceptably high residual risk
- Risk Acceptance – a conscience decision by an individual empowered with both the responsibility and authority to not act because changing the adverse impact of an event is not cost effective or not possible given current resources
Define Who Can Decide
Simply stated, why do organizations grant an individual authority to ‘bet the farm’ when the decision should be well above their pay grade? Practically speaking, it is also important for covered entities and business associates to clearly define and communicate the levels of authority needed to make course of action decisions.
A root cause analysis of a number of recent breaches suggest that a poor risk option was chosen by individuals who were 1) either not trained in the overall risk management process, or 2) were not granted the authority to decide how to respond. The solution is to set up a decision matrix that is aligned with the Board of Director’s “risk appetite”. When critical or very high risks are identified during the risk analysis process, these must be escalated to the executive team and even the Board.
Align Responsibility with the Risk
Some organizations may elect to assign security risks to the CISO or CSO rather than to appropriate risk owners. This approach may not be the most effective way to reduce organizational risk. Rather, risk owners should be assigned based on the risk option chosen. For example, if the appropriate action is to transfer risk, then the individual who has both the budget and authority to purchase insurance should accept the action. Similarly, if a risk mitigation approach of implementing end-point protections are approved, then the desktop and biomedical engineering leaders should be tasked with implementing the new controls.
Hold People Accountable
Once the appropriate individuals have been assigned responsibility for executing the risk response option, then performance goals need to be modified to clearly define a measure of success. Annual performance bonuses should also be tied to these measurable objectives, and in turn, will drive appropriate behaviors to reduce the overall risks.
Review All Risks Annually
There are certain truths that CISOs and CSOs should clearly understand about risk management:
- Risk change.
- Risk rankings change over time.
Just as the buggy whip has given way to the automobile, which now are evolving to self-driving cars, covered entities and business associates must accept the fact that risks will change as the business environment and external forces evolve.
One of the highest risks for covered entities a decade ago was the impact of sending medical records by fax transmission to the wrong organization. With the implementation of secure email and integrated fax servers, the probability of misrouted faxes is much lower today. Alternatively, hacktivism, ransomware, and the proliferation of nation-state threat actors were barely considered five years ago.
In the first example, the risk rating has been reduced from high (or very high) down because of new controls and technology. In the second example, new threats have displaced other high risks from the list of executives’ concerns.
Timing is Everything
Finally, identifying risk and performing a risk analysis to rank the actions should be closely linked to the annual budget cycle. CISOs and CSOs should align their schedules to complete a risk assessment the quarter prior to the start of a budget cycle. Timing of the risk assessment allows for leveraging the risks to be mitigated as evidence to support budget submissions. Conversely, identifying a new set of risks after the budget process has completed will likely result in the risk being accepted for at least the remainder of a year.
CISOs and CSOs of covered entities and business associates have tough jobs with a lot of responsibilities. There is help available to manage the process, but it requires careful forethought and a solid plan. A well-documented risk management policy that defines the steps above is a strong first step in aligning the executive team with the objectives of meeting the HIPAA risk management requirements.