
What a Security Risk Analysis (SRA) Reveals


Author: Carl Kunkleman
Senior Vice President and Co-Founder
ClearDATA


Since the HIPAA Security Rule has required a security risk analysis (SRA) following stages 1, 2 and 3 of Meaningful Use, everyone should by now be very familiar with the administrative, physical and technical safeguards. Why then, after five years, is MACRA requiring an SRA in 2017 (the base year) for 2019 reimbursements? The answer lies in what that SRA reveals.

After completing SRAs in almost every type of organization from one-physician practices in North Dakota (yes, in the winter) to some of the largest healthcare systems in the country, healthcare social media sites, software providers and Business Associates, we’ve seen three recurring themes:


1) Lack of PHI inventory. In most SRA engagements we find that the organization doesn’t have a PHI inventory. We point out to clients that if they don’t have a PHI inventory, then they don’t know where their PHI lives. Ask yourself this: “How do you know you’re protecting PHI if you don’t know where it exists in your environment?” The “aha” moment comes when we present the SRA final report and our clients see the laundry list of PHI. Most are stunned and say, “I had no idea we had this much PHI.” At ClearDATA we focus on guiding the organization to create a comprehensive PHI inventory as the first step of the SRA. Why? Because knowing where PHI exists is a foundational step to securing that PHI.


2) Missing or outdated Policies and Procedures. As we review the HIPAA Safeguards with our clients, we ask to review their P&Ps. This matters because, in the event of a data breach, they will need to provide the OCR with evidence of how they protect PHI. Almost everyone says they have all the P&Ps required…after all, they’ve been in business for 20+ years. We then show them our HIPAA scorecard and walk them through the list of P&Ps needed to protect PHI. At that point, the client’s face scrunches…eyes squint and note-taking begins. The review is important to make sure that, a) their Policies are sufficient to be effective, b) their Procedures are currently operational and, c) the P&Ps are reasonable for their organizational size. We then compare their P&Ps to the updated PHI inventory. In other words, we verify that their P&Ps protect all of their PHI. In most cases, we find missing or outdated P&Ps.

3) Data encryption. There are three areas to consider: data at rest, data in use and data in transit. Almost everyone encrypts their data in use and in transit. About 40% of the time we uncover that their data-at-rest is NOT encrypted. If data-at-rest is not encrypted, we verify that they have sufficient safeguards in place to protect that PHI. Here’s my opinion: the professional bad guys – the really bad guys – the “Guccifers” of the world – want to steal big buckets of PHI data. Another name for that big bucket is data storage, back-ups, etc. Compared with losing all of your patients’ PHI and having to notify the Office of Civil Rights (OCR), encryption software is relatively inexpensive…in fact it’s cheap!
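To make the data-at-rest point concrete, here is an added example (not ClearDATA’s code or any product’s) that seals a backup record with AES-256-GCM from the Go standard library and then runs the check an SRA reviewer actually cares about: do the identifiers still appear in the bytes that land on the backup medium? The patient record, the key and the backup-set label are constructed for the demonstration; in a real deployment the key would come from a KMS or HSM, never from the same storage it protects.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// sampleRecord is a constructed PHI record standing in for one row of a
// backup file; it is not real patient data.
var sampleRecord = []byte(`{"patient":"Jane Doe","dob":"1961-04-02","mrn":"MRN-000123","dx":"E11.9"}`)

// newGCM builds an AES-GCM AEAD from a 16-, 24- or 32-byte key (32 bytes = AES-256).
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealAtRest encrypts plaintext with AES-GCM and returns nonce||ciphertext||tag,
// the only form that should ever be written to disk, backup media or object storage.
// aad (for example the backup-set name) is authenticated but not encrypted, so a
// blob cannot be silently swapped between backup sets.
func SealAtRest(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	// Seal appends ciphertext and tag to the nonce prefix.
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// OpenAtRest reverses SealAtRest. Any modification of the stored bytes, or a
// mismatched aad, fails authentication and returns an error instead of data.
func OpenAtRest(key, stored, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(stored) < gcm.NonceSize() {
		return nil, errors.New("stored blob shorter than a nonce")
	}
	nonce, ct := stored[:gcm.NonceSize()], stored[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, aad)
}

// LeaksPlaintext is the reviewer's check against what is actually on the backup
// medium: do any of the identifiers still appear in the stored bytes?
func LeaksPlaintext(stored []byte, identifiers ...[]byte) bool {
	for _, id := range identifiers {
		if bytes.Contains(stored, id) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed for the demonstration: in production the data-encryption key
	// comes from a KMS/HSM, never from the backup it protects.
	key := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	aad := []byte("backup-set:weekly-full")
	ids := [][]byte{[]byte("Jane Doe"), []byte("MRN-000123")}

	fmt.Println("unencrypted backup leaks PHI:", LeaksPlaintext(sampleRecord, ids...)) // true
	stored, err := SealAtRest(key, sampleRecord, aad)
	if err != nil {
		panic(err)
	}
	fmt.Println("encrypted backup leaks PHI:  ", LeaksPlaintext(stored, ids...)) // false

	if pt, err := OpenAtRest(key, stored, aad); err != nil || !bytes.Equal(pt, sampleRecord) {
		panic("round trip failed")
	}
	stored[len(stored)-1] ^= 0x01 // flip one bit of the authentication tag
	_, err = OpenAtRest(key, stored, aad)
	fmt.Println("tampered blob rejected:      ", err != nil) // true
}
```

The point of `LeaksPlaintext` is that “we encrypt” is a claim, while a grep of the backup medium for a known MRN is evidence; it is the kind of verification an SRA report can cite. The authenticated tag also means a backup altered in storage is refused at restore time rather than restored silently.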

So what’s a Covered Entity or Business Associate to do? First, remember that the PHI data you control belongs to someone’s mother, father, grandparent or child – maybe YOUR mother. A loss of that patient data means lost trust in YOU – their Provider. Second, at least once have a professional organization perform your SRA. In other words, get a baseline SRA. I receive calls weekly from Providers saying, “I downloaded this spreadsheet (or bought some software), answered “Yes” to 200 questions and know we aren’t this good.” The real issue is that they don’t understand the context behind the questions. Finally, review the SRA’s final report with your C-suite executives and decide which risks you are going to remediate. We write our SRA Final Report both technically and non-technically. We know that giving the C-suite a technical SRA results in their eyes glazing over. However, if you give them a non-technical SRA with a paragraph explaining each identified risk – the business case – they will take action.

All of this boils down to four reasons why you should perform an SRA:

1) The HIPAA Security Rule, 45 C.F.R. 164.308(a)(1), is a Federal requirement; that’s why it’s called a C.F.R. (Code of Federal Regulations).

2) Losing PHI and reporting that loss of data to the OCR (Office of Civil Rights) is costly (fines and buying Identity Theft Insurance for patients) and brutally time-consuming – especially if you haven’t completed your SRA and therefore can’t prove that you have a “Culture of Compliance”.

3) It is the right thing to do to protect the patients who put their trust in you. And, if you don’t, plan on spending a summer’s worth of weekends preparing your OCR data breach response and begging forgiveness from your patients.

4) 2019 MACRA / ACI reimbursements require an SRA. 2017 is the BASE year for 2019. Forgetting to complete your SRA by the end of the year will hurt your 2019 reimbursements.
