This entry is part 57 of 58 in the series HIPAA Security Risk Analysis Tips

HIPAA Risk Analysis Tip – Part 2 – Questions & Answers from May 3rd Conversation with Former OCR Director Leon Rodriguez

We received almost 100 questions in our May 3rd web event entitled “WHAT OCR EXPECTS IN YOUR HIPAA RISK ANALYSIS: A Conversation with Former OCR Director, Leon Rodriguez”.  We are breaking up the questions and providing the answers in this blog post series “HIPAA Risk Analysis Tips”.  Enjoy Part 2 as we work our way through them all!

11.  Can you comment briefly on the difference between a Risk Analysis and Risk Assessment or are these terms interchangeable?

Answer: For all intent and purpose, we can regard the terms as interchangeable. The HIPAA Security Rule uses the former; NIST uses the latter.  At the end of the day, it’s about standing up a program that includes four critical process steps: Frame, Assess, Respond and Monitor as called for in NIST SP800-39-final_Managing Information Security Risk, which includes of course a detailed risk analysis/risk assessment process as found in NIST SP800-30 Revision 1 Guide for Conducting Risk Assessments.

12. Is there a list of “every reasonable threat” available publicly?

Answer: There is, of course, thought that needs to be given you one’s own organization’s reasonably anticipated threats (and vulnerabilities). A great place to start is APPENDIX D THREAT SOURCES, APPENDIX E THREAT EVENTS and APPENDIX F VULNERABILITIES AND PREDISPOSING CONDITIONS of NIST SP800-30 Revision 1 Guide for Conducting Risk Assessments.

13. Second question – If Clearwater addresses all the issues that organizations are struggling with, what assurances can you provide that you have a comprehensive list of “every reasonable threat”?  

Answer: It is perhaps best to take this discussion offline. In brief though, our methodology and software, IRM|Analysis™ is true to and automates the workflows spelled out in OCR-issued “Guidance on Risk Analysis Requirements under the HIPAA Security Rule” and NIST SP800-30 Revision 1 Guide for Conducting Risk Assessments. In this database-driven, expert system, we facilitate organizations building their tables of information assets and underlying media while we maintain tables of threat sources, threat events, vulnerabilities and NIST SP800-53 controls.  We operate an agile development shop and update our software, on average 2-3x each month to stay current. You may view a demo of the software here.

14. What’s the risk application you are using and is it available to us?                         

Answer: It is IRM|Analysis™. You may view a demo of the software here.

15. I thought according to Meaningful Use there was a reference to doing a Risk Assessment during the attestation period.

Answer: Yes AND on an ongoing, regular basis. The Meaningful Use attestation requirements intersect with the HIPAA Security Rule Risk Analysis requirement at 45 CFR §164.308(a)(1)(ii)(A).  If one reads the MU requirements (e.g., Stage 1 vs. Stage 2 Comparison Table for Eligible Hospitals and CAHs), the MU risk analysis requirements are a “pointer” to the HIPAA Security Rule requirement.

16. Are there off the shelf tools for managing these risk findings, etc.? Looking for something comprehensive or products, etc.

Answer: Our solution, IRM|Analysis™ facilitates completion of risk analysis work and risk response work. You may view a demo of the software here, including a specific session focused on risk response.

17. Leon, there have been a number of class action suits that grew out of data breaches. Have covered entities been successful protecting risk analyses from discovery?  Do covered entities typically try to conduct risk analyses under attorney-client privilege? 

Answer: Bob responding: we see about 50% of our customers performing risk analyses under privilege.

18. Is the SRA tool that HHS developed adequate if used by small Covered Entities to perform their risk analysis?

Answer: We have reviewed and commented on the NIST/ONC tools in the past. Our bottom line: not suitable for an organization of any size and not consistent with OCR-issued “Guidance on Risk Analysis Requirements under the HIPAA Security Rule”.  The first blog post is: HIPAA Risk Analysis Tip – New HHS Risk Assessment Tool – Much Ado About Nothing.  The second post is: Putting it to the Test: A Detailed Performance Review of the New HHS Security Risk Assessment (SRA) Tool

19. I wonder if Leon would opine on HITRUST certification and how that impacts due diligence for risk analysis and risk assessment?

Answer: Bob responding: I wished we had a chance to have Leon comment.  My source of information is our experience helping organizations move to the OCR and NIST methodology and this HHS FAQ: “Are we required to “certify” our organization’s compliance with the standards of the Security Rule?”  Answer: No, there is no standard or implementation specification that requires a covered entity to “certify” compliance. The evaluation standard § 164.308(a)(8) requires covered entities to perform a periodic technical and non-technical evaluation that establishes the extent to which an entity’s security policies and procedures meet the security requirements. The evaluation can be performed internally by the covered entity or by an external organization that provides evaluations or “certification” services. A covered entity may make the business decision to have an external organization perform these types of services.  It is important to note that HHS does not endorse or otherwise recognize private organizations’ “certifications” regarding the Security Rule, and such certifications do not absolve covered entities of their legal obligations under the Security Rule. Moreover, performance of a “certification” by an external organization does not preclude HHS from subsequently finding a security violation.

20. “Identify as a risk the transfer of ePHI to personal media devices of employees” — why “personal”? Does that mean “owned” by the employee? Issued to? The word “media” is also somewhat problematic.

Answer: Yes; owned by the employee (workforce member). We have first-hand experience with this case.  The organization has a BYOD policy.  A risk analysis had not been conducted at this level of asset-threat-vulnerability detail.  That was corrected promptly.

Stay tuned for Part 3 of the Questions and Answers from the May 3rd web event entitled “WHAT OCR EXPECTS IN YOUR HIPAA RISK ANALYSIS: A Conversation with Former OCR Director, Leon Rodriguez”

Now what?

  1. Download the OCR-issued “Guidance on Risk Analysis Requirements under the HIPAA Security Rule”.
  2. Learn the definition of an information asset.
  3. View a recorded demo of our award-winning software for conducting OCR-quality risk analysis and risk management work products.
  4. Learn how Clearwater may complete a Confidential, Complimentary Review of your current risk analysis, under the direction of outside counsel, and advise you of important actions to take to conduct an OCR-Quality HIPAA Risk Analysis.
  5. Read the OCR Resolution Agreements / Corrective Action Plans, especially the 39 involving ePHI where 35 organizations had adverse findings for incomplete and/or inaccurate HIPAA Risk Analysis and HIPAA Risk Management work.
Series Navigation<< HIPAA Risk Analysis Tip – Part 1 – Questions & Answers from May 3rd Conversation with Former OCR Director Leon RodriguezHIPAA Risk Analysis Tip – Part 3 – Questions & Answers from May 3rd Conversation with Former OCR Director Leon Rodriguez >>

Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.