Understanding What Constitutes OCR-Quality Risk Analysis®
In the first half of 2019, there were 223 reported breaches affecting 10.2 million individuals, an increase of 167% over the same period in 2018. These figures do not include the widely publicized American Medical Collections Agency breach, which is estimated to have affected at least 22 million individuals on its own.
In the wake of so many largescale data breaches, the Office for Civil rights (OCR) has stepped up HIPAA enforcement, levying a record $28.7M in fines in 2018, representing an increase of almost 50% over 2017. Risk analysis and risk management are among the highest areas of their focus as OCR official Nick Heesters recently commented:
“Some of the risk analysis we get back just doesn’t really reflect what the rule requires. The rule requires that it be done in an accurate and thorough manner. To accurately and thoroughly assess the risks to an organization’s ePHI. Frankly, that’s not what we get.”
In fact, research has shown that 90% of the organizations that have incurred monetary settlements or civil money penalties related to disclosure of ePHI were found to have failed to conduct a sufficient risk analysis (Source: Clearwater Statistical Analysis. July 2019).
An OCR Breach Investigation/Risk Analysis Case Study
So what constitutes OCR-Quality Risk Analysis®? To provide insight into this question, we will review the case study of an organization that engaged Clearwater to help meet OCR’s requirement for a risk analysis after breach investigation was initiated. Because Clearwater’s work is conducted under attorney/client privilege in breach investigation cases, the name of the organization must remain confidential. For this case study, we will refer to our client as Unnamed Healthcare Organization (UHCO).
Three years ago, UHCO’s IT staff discovered they were unable to communicate with one of their servers. They quickly determined an account on the server was compromised by a hacker. Further analysis determined that ePHI was exposed as a result of the hack. UHCO’s Privacy Officer reported the breach on the OCR website and UHCO retained an outside contractor to investigate.
Two months later, UHCO’s Privacy Officer received formal notice from OCR of an investigation of the breach. The notice cited eight potential HIPAA violations and asked UHCO to provide:
- A description of any investigation and actions taken following the breach
- Relevant policies and procedures
- A copy of the breach notification sent to affected individuals
- Every risk analysis conducted over the last three years
- Documentation of security measures in place and any post-breach changes.
OCR also provided notice of the potential penalties for violations and asked that UHCO respond within 14 days.
UHCO’s Privacy Officer responded by providing an account of actions taken post-breach, copies of policies and procedures, a copy of the notice sent to affected individuals, and the executive summaries of security assessments conducted by a third-party contractor in 2013, 2014, and 2015. The executive summaries described findings and deficiencies discovered during technical testing.
Technical Testing Does Not Qualify as Risk Analysis
Eight months later, OCR sent a follow-up notice to UHCO’s Privacy Officer notifying her that the security assessment executive summaries she had provided did not depict an enterprise-wide evaluation of all potential threats and vulnerabilities and therefore did not meet the requirements for risk analysis set forth in the HIPAA Security Rule. OCR again requested that UHCO provide risk analysis performed before and after the breach and documentation that UHCO implemented security measures to sufficiently address risks identified in the requested risk analysis. UHCO was given 20 days to respond.
UHCO’s Privacy Officer responded by providing a 2014 Security Assessment (the full technical testing assessment which formed the basis of the executive summary previously provided). The assessment detailed the results of external and internal penetration testing, web application assessments, wireless network testing, and social engineering.
She also provided OCR with the results of a 2016 HIPAA Risk Assessment conducted by a second third-party contractor. This assessment was in fact a compliance gap assessment conducted relative to ISO/IEC 27000 information technology security standards.
Compliance Gap Assessment Does Not Qualify as Risk Analysis
One month later, OCR responded stating that the risk assessments UHCO provided did not:
- Include an enterprise-wide risk analysis
- Cover all devices and systems that contained ePHI in transit or at rest
- Identify all threats and vulnerabilities to these devices and systems
- Include probabilities or impacts for those threats and vulnerabilities
OCR again requested that UHCO’s Privacy Officer provide a risk analysis and documentation that UHCO had implemented security measures to address the risks identified in the risk analysis. UHCO was given another 20 days to respond.
UHCO’s Privacy Officer responded by providing additional information including:
- Results of penetration, web application, and vulnerability testing by a third contractor
- A hardware and software inventory
- Lists of threats and vulnerabilities maintained by the IT staff
- A remediation plan resulting from the penetration and vulnerability testing.
UHCO’s Privacy Officer hoped this new documentation would finally meet OCR’s requirements. However, once again, she was disappointed. Despite submitting “risk analysis” documentation from three different third-party contractors, UHCO was still not in compliance.
Meeting OCR’s Expectations
Within a month, OCR let UHCO know the had still not met the risk analysis requirement. OCR gave UHCO additional time to respond. It was at this point the UHCO engaged Clearwater.
As UHCO review OCR’s correspondence and better understood the comprehensive nature of a bona fide risk analysis, they realized they had neither the software tools nor the in-house expertise they needed to meet OCR’s expectations. One of the reasons they chose Clearwater was because we have developed a proprietary software suite that simplifies and supports the risk analysis process.
Per the HIPAA Security Rule, risk analysis documentation must include an inventory of all information assets used to create, maintain, retrieve, or transmit ePHI and the threats, vulnerabilities, likelihood, impacts, and controls associated with each. Many organizations end up spending weeks developing endless iterations of Excel spreadsheets in an attempt to capture the level of detail required for a bona fide risk analysis. Clearwater’s IRM|Analysis software has been specifically designed to meet the HIPAA Security Rule risk analysis requirements and is pre-populated with device, threat, vulnerability, and controls information.
In this particular case, UHCO already had a comprehensive hardware and software inventory that could be loaded in the software. All that was necessary to complete the risk analysis was the identification of security controls, probabilities, and impacts. UHCO quickly completed the work over a few days in a workshop setting facilitated by the Clearwater team, with minimal impact on UHCO’s day-to-day operations.
Acknowledging the confusion around what is required for proper risk analysis, UHCO’s General Counsel commented, “When we submitted a risk analysis and risk management plan from Clearwater, OCR approved them and closed the case.”
Key Takeaways: OCR’s Patience, UHCO’s Persistence
UHCO did many things right in this case. They took prompt action to investigate and implement corrective actions once the breach was discovered. They had appropriate policies and procedures in place before the breach. They regularly conducted penetration and vulnerability testing and corrected issues when identified. Perhaps most importantly, they were responsive to OCR’s ongoing requests and tried to get it right. And to their credit, OCR was patient as UHCO made continuing good-faith efforts to meet the risk analysis requirement.
UHCO’s main issue was that they failed to perform risk analysis as required under the HIPAA Security Rule and described in OCR Guidance. Performing enterprise-wide risk analysis is not the same as performing technical testing or gap analysis. It is also not a trivial undertaking since OCR-Quality Risk Analysis® requires:
- Identification of all systems or devices used to create, retrieve, maintain, and/or transmit ePHI
- Identification and documentation of all potential threats and vulnerabilities to the organization’s systems and devices
- Determination of the likelihood of threat occurrences
- Determination of the level of risk
- Detailed documentation, ongoing review and documented updating of the risk analysis
As UHCO experienced, anything less than this is not—in OCR’s opinion—a true risk analysis.
Portions of this article first appeared in Health Management Technology. Reprinted with permission.
OCR-Quality Risk Analysis®
Clearwater delivers solutions to hundreds of health systems, health partner organizations, medical device manufacturers, and federal institutions nation-wide. Our complete enterprise cyber risk management solution begins with the most comprehensive, industry-proven risk analysis available, as demonstrated by a 100% OCR acceptance rate. Learn more