HIPAA (Health Insurance Portability and Accountability Act) security risk assessment requirements can be an intimidating thing to face for any organization. Let’s face it: rules and laws can be very complicated, and when you bring cyber security into the fold they become even more complex.
Here’s a list of the 5 fundamental things you need to know about HIPAA security risk assessment requirements.
Healthcare providers increasingly use the Internet to communicate with patients, which has driven a sharp rise in patient portals and other medical web applications and, with them, a new attack surface for healthcare organizations of all sizes.
Healthcare organizations are among the top targets of cybercriminals, with 81 percent of healthcare organizations reporting a breach in the past two years.
HIPAA, via its Security Rule, requires covered entities -- doctors, clinics, hospitals, nursing homes, pharmacies and health plans -- and their business associates to assess their administrative, physical, and technical safeguards and identify where electronic protected health information (ePHI) could be at risk.
The Department of Health and Human Services (HHS) makes risk analysis a required implementation specification of the Security Rule (45 CFR 164.308(a)(1)(ii)(A)): it is the first step toward selecting and implementing the safeguards the rule specifies, and ultimately toward HIPAA compliance.
All ePHI an organization creates, receives, maintains, or transmits is subject to the Security Rule, but the rule is technology-neutral: it tells you what must be achieved, not which methodology, products, or controls to use, so how you assess and treat risk is largely left to you. The one place HHS is prescriptive about a specific technology is its breach-notification guidance on encryption, usually called the encryption "safe harbor" and discussed below.
The Office for Civil Rights (OCR) publishes guidance on risk analysis, NIST SP 800-66 maps the Security Rule to concrete controls, and HHS offers a free Security Risk Assessment (SRA) Tool aimed at smaller practices, but there is no single mandated method for analyzing and managing risk. There is, however, a general framework we recommend you follow.
Given that web applications, and increasingly mobile applications, account for a large share of the vulnerabilities attackers actually exploit, a thorough web application risk assessment (an inventory of your applications, what ePHI each one handles, and testing of each for exploitable flaws) is a key first step toward meeting HIPAA security risk assessment requirements.
Search for "HIPAA fines" and it is almost a given that a news story less than a week old will come up trumpeting the latest breach and its price tag. One recent example: ePHI kept in an unapproved cloud storage service and a stolen, unencrypted laptop led to breaches at Oregon Health and Science University, which agreed to a settlement of more than $2.7 million with OCR.
The best way to protect yourself from these mishaps is to follow the risk-analysis approach described above and attack your risk assessment from all angles, including the cloud services and mobile devices that hold ePHI.
To reduce both your exposure and your reporting burden, familiarize yourself with what is usually called HIPAA's "safe harbor". Two different provisions share the name, so be precise about which one you mean: the Privacy Rule's safe harbor method of de-identification, which removes 18 specified identifiers so that the data is no longer PHI at all, and the Breach Notification Rule's treatment of encrypted PHI, under which PHI encrypted in line with HHS guidance (which points to the relevant NIST standards, such as SP 800-111 for data at rest) counts as secured rather than "unsecured" PHI.
The second provision is the one that protects you after an incident. If a lost laptop or a compromised server held only PHI encrypted to that standard, and the key was not exposed along with it, the event is not a reportable breach: you avoid notifying every affected patient (and HHS), and you are far less likely to face an enforcement action over the incident. Note what it does not do: encryption does not replace the required risk analysis, and it only helps if the keys were managed so that whoever took the data did not get them too.
HIPAA security risk assessment requirements may seem intimidating at first, but the better you understand both your own vulnerabilities and the laws surrounding them, the more you will see that these requirements exist to protect both you and your patients.
Stay current on HIPAA regulations, revisit your risk analysis whenever your systems or the threat landscape change, and maintain a good security posture, and you will be in a far stronger position both to prevent breaches and to defend your program if one occurs.