Why Security Risk Assessments Matter Now More Than Ever
JOHN O’KEEFE  | March 14, 2018

When was the last time your practice conducted a full security risk assessment (SRA)? If you can’t answer this question, your facility is probably out of compliance. You could be at risk for audits and fines, and cyberattackers are more likely to successfully target your practice and steal valuable electronic protected health information (ePHI).

Security risk assessments aren’t new to healthcare. But as breaches continue to escalate, requirements and penalties for noncompliance continue to grow. The assessments are required under the HIPAA Security Rule, as part of Meaningful Use (MU), and now for MACRA and MIPS eligibility. If you ignore them, you risk significant fines and reimbursement implications.


Be Ready for an Audit

CMS audits are enforcing the SRA requirement more than ever before. Previously these audits occurred only in response to a whistleblower. Now they can happen randomly, covering any prior reporting period. And stringent rules are in place to ensure that a practice’s business associates are compliant.

CMS is filing civil actions that carry hefty fines, reimbursement clawbacks and negative publicity for violators. Practices face further embarrassment if they appear on HHS’ “Wall of Shame,” which lists reported breaches of unsecured PHI affecting 500 or more individuals over the past 24 months.

Despite the risk of audits and fines, noncompliance remains an issue, often for two reasons:

  • Cutting Corners – many practices try to get through the process as quickly and as cheaply as possible. They download a free “do it yourself” tool off the internet that asks general questions they can check off without much thought, and then assume the job is done. If your practice is audited and found to have an incomplete assessment of its risks, threats and vulnerabilities, penalties are likely.
  • Misinformation – many smaller practices believe they don’t need to adhere to the same requirements as larger practices. This is not true – HIPAA and SRA requirements are not based on practice size. They pertain to every facility that maintains an electronic record with ePHI.


Choose Your Security Partner Carefully

A common theme among noncompliant practices is a lack of understanding about SRA requirements and processes. This is serious business with significant negative implications for noncompliance. This is why I recommend partnering with a proven healthcare data security expert like ITelagen to remain compliant and protect against cyberattackers.

Just as there is a broad array of downloadable SRA tools, there are also many inexpensive, yet low-value, companies peddling data security services. Again, this is not something you should take lightly. Find a partner that has deep expertise in healthcare data security requirements and understands what the HIPAA/HITECH law means. A simple litmus test here is whether the partner can spell the HIPAA acronym correctly – if you see ‘HIPPA’ anywhere in their materials, consider it a red flag.

Also look for a partner who understands the complete healthcare IT realm, the various ways that a breach can occur within the broader health system, and the serious implications of an attack. The partner should be able to provide you with their own Security Risk Assessment documentation plus references. Here at ITelagen, we provide our customers with a combined report for ITelagen’s internal SRA and our Security HIPAA/HITECH compliance document for our hosted environment.


Tips for Success

The toughest part about an SRA is getting started. Once you select a partner and develop a baseline set of information, it will be easier to complete ongoing updates. Here are some tips:

  • Identify and document all security policies and procedures (even ones in the beginning stages) plus anything you consider to be an ePHI system.
  • Give your security partner the access they need to conduct a thorough analysis that identifies every risk, threat and vulnerability, along with its likelihood and impact.
  • Work with your partner to ensure all policies and procedures are realistic and attainable at your practice. This is not a ‘one size fits all’ exercise – every practice has unique needs.
  • Make sure your Security Risk Assessment and policies/procedures are always up-to-date and reflect any changes at your practice (workflows, systems, etc.).
  • Use the SRA to educate staff and build a culture of data security. Protecting health information is not just an IT responsibility – it involves everyone who touches ePHI from your front desk to billing and clinical staff.

If CMS audits your practice while it is early in the process of completing a Security Risk Assessment, be honest with them. Tell CMS you are aware of the requirement and are diligently working with a partner to ensure that your SRA is fully compliant for the current and future reporting periods. You won’t be able to fix prior reporting periods, but you can set things right for the future.


ITelagen and HIPAA One

Here at ITelagen, we have knowledgeable healthcare information security consultants to help your practice succeed with Security Risk Assessments. Through our partnership with HIPAA One, we offer a tool for automated risk analysis, documentation and reporting. Our expert consultants use this information to provide guided remediation plans, perform onsite workflow reviews, and conduct regular updates to ensure ongoing compliance with regulatory changes and system updates. And every HIPAA One license includes $100,000 Breach Assurance.

Contact us today to learn how our services and expertise can protect your practice and your data.