9.01.04 Volume 1 Edition 3 iMed eNewsletter
 

The voice for the medical software reseller community.

 HIPAA Corner

HIPAA Security – The Risk Analysis

Cornerstone of Effective Computer Security

By Gary Pritts, Eagle Consulting Partners, Inc.
 

VARs who are tired of HIPAA should grab a Gatorade, because HIPAA is a marathon, not a sprint. With a compliance deadline of 4/20/2005, VARs need to prepare for the HIPAA Security rule. In fact, VARs have always provided security-related products and services – system backup tools, firewalls, virus protection, and more. While few will ever be able to devote the time needed to become security specialists, by investing some time VARs can expand their repertoire of revenue-generating products and services that both protect clients and help them comply. Security experts implore doctors to begin the HIPAA compliance process with a Security Risk Analysis. Since many VARs are unfamiliar with the formal process, we will explore risk analysis theory, current practice, revenue potential, where to get help, and the relevant text from the Security rule itself.

The Security Rule Text

Conducting a Risk Analysis is one of the 20 mandatory “implementation specifications” in the HIPAA Security rule. Note that the terms “risk analysis” and “risk assessment” are used interchangeably. Here is the exact requirement:

(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.

(ii) Implementation specifications:

(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

Scope includes more than confidentiality. It is important to note at the beginning that the security rule is about “confidentiality, integrity, and availability”. This is a crucial difference of scope between the security rule and the privacy rule. Particularly with the growth of EMR, the integrity and availability of information is specifically mandated. Losing vital medical records, or experiencing system downtime during a medical emergency, can literally be a life or death matter for patients. VARs who expect to grow their EMR business, and offer customers paperless solutions, will need to push system security measures which promote availability to the highest level.

Security Theory

Security professionals tell us that risk is not a bad thing – it is just one of the realities of life. The medical practice is NOT required to eliminate all risk and turn the office into Fort Knox. Rather, a security process will identify risks and vulnerabilities – and take steps to either transfer the risk, reduce it, or accept it. A specific example will illuminate this.

Example – malpractice risk. Doctors have always lived with the potential to make medical mistakes. This leads to big financial risks – a single malpractice award can exceed $20 Million, which would bankrupt even the wealthiest doctor. Setting aside any strong emotions associated with the issue of rising malpractice rates, let us explore the issue of dealing with risk. The doctor’s first step is to quantify their risk – which depends on what state they live in, their specialty, the procedures they perform, their case mix, the statistical likelihood of claims, the potential dollar awards, and the doctor’s personal financial position. The doctor then decides on one or more of the following:

  • Transfer risk. The traditional method for dealing with malpractice risk is to transfer it – that is, buy malpractice insurance. Doctors are usually willing to pay a known amount to eliminate the possibility of a devastating financial outcome.

  • Reduce risk. Doctors may take a number of steps to reduce risks. For example, they may attend carefully to their documentation; they may refuse to perform certain high risk procedures; they may practice “defensive” medicine – conducting extensive testing to rule out even highly unlikely conditions. These are all examples of techniques to reduce the likelihood of a malpractice award.

  • Accept risk. Until recently, it was unheard of for a doctor to accept the risk of malpractice claims. However, the huge sums required for malpractice insurance – even for doctors who have never had a claim – are causing a change. Doctors are sometimes choosing to “go naked”, that is, practice without insurance. These doctors decide to accept the risk of an unlikely event.

In practice, many doctors choose a combination of two or all three of the above. For example, they may purchase a policy with a limited payout (say, $1 or $2 million) while accepting the risk of a huge but very unlikely award. In addition, they can document carefully and follow other risk management guidelines to reduce the likelihood of claims. Of course, doctors rely on specialists (insurance company risk managers and financial advisors) to help them with their analysis, choices, and risk management procedures.

The Physician’s Advisor for Computer Security Risk

While the doctor relies on a financial advisor or insurance specialist to help with understanding and managing malpractice risk, the VAR – the doctor’s “computer department” – is the logical specialist to help with computer security risks. By virtue of your relationship with the practice and your in-depth understanding of their computing environment, this opportunity to serve is yours to lose. VARs should educate their clients (a revenue opportunity) about the HIPAA requirements, and offer compliance services to those who wish to comply. After some awareness training, a risk analysis is the appropriate starting point.

Conducting a Risk Analysis

There are well-established methodologies for risk analysis. While it is not the only approach that can be used, the preamble of the HIPAA Security rule cites the National Institute of Standards and Technology (NIST), and specifically the NIST Risk Management Guide for Information Technology Systems.

When following this methodology, a number of differences among medical practices must be considered. Clearly, the risks vary tremendously depending on the size, complexity, and sophistication of the practice. More specifically, here are a few of the variables that must be considered:

  • Software used – practice management, EMR, or both? Practices using EMRs experience higher risks, both because a security breach could expose more information and system downtime can have an adverse effect on patient care.

  • Internet connectivity – an always-on broadband connection involves more risk than either dial-up or no connectivity.

  • Size of practice – the larger and more complex the organization, the more risks are involved, due to the number of staff, the volume of activity in the office, and possibly the greater value of the computer assets (a large database with thousands of names and social security numbers has black-market value to identity thieves).

  • Networking technology – the use of wireless and/or portable computing involves an entire set of security issues.

  • Security practices – how timely is the application of security patches for Windows, and updates of virus protection software?

  • E-mail use – is the doctor or staff using e-mail to communicate with patients or insurance companies? If so, how often? Is patient information included in the e-mail?

  • Patient mix – physicians with celebrity or VIP patients may have greater risks of confidentiality breaches because of the higher “market value” of the information.

  • Medical specialty – mental health or plastic surgery specialists are likely to be concerned about confidentiality, while specialists such as cardiologists might be very concerned with availability of EMRs.

  • Human resource practices – are pre-employment background checks conducted, and is system access immediately blocked when employees terminate?

Other important inputs are best answered with help from security experts. For example:

  • What are likely threats? Who would want to breach the computer security – disgruntled insiders, “script kiddies”, motivated outsiders?

  • What system vulnerabilities exist? How likely is it that these vulnerabilities will be exploited?

  • What would the impact of various security breaches be?

The NIST process is a multi-step process which culminates in a document that identifies threats and vulnerabilities, includes an assessment of safeguards currently in place, quantifies the likelihood and impact of security failures, and concludes with recommended safeguards. Those interested in a sample format for the risk analysis report can download the NIST guideline and refer to Appendix B.
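As an added illustration (not part of the original article, and not the RiskAssess tool), the following Python rates a few of the threat/vulnerability pairs the article lists using the likelihood-times-impact matrix from the NIST Risk Management Guide (SP 800-30), and maps the result onto the transfer/reduce/accept choices described above. The Practice fields and the rules that turn them into likelihood and impact ratings are assumptions chosen for this example.

```python
from dataclasses import dataclass

# NIST SP 800-30 Table 3-6 weights: likelihood x impact gives a risk score.
LIKELIHOOD = {"High": 1.0, "Medium": 0.5, "Low": 0.1}
IMPACT = {"High": 100, "Medium": 50, "Low": 10}


@dataclass
class Practice:  # fields drawn from the article's variable list (assumed)
    uses_emr: bool                 # EMR raises the impact of downtime/breach
    broadband: bool                # always-on connection vs. dial-up or none
    wireless: bool
    patch_lag_days: int            # days before Windows/antivirus updates land
    access_revoked_at_termination: bool


def risk_level(likelihood: str, impact: str) -> str:
    """SP 800-30 risk scale: score > 50 High, > 10 Medium, otherwise Low."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    if score > 50:
        return "High"
    return "Medium" if score > 10 else "Low"


def assess(p: Practice) -> list:
    """Return (threat/vulnerability, likelihood, impact, risk) rows.
    The attribute-to-rating rules below are this example's assumptions."""
    data_impact = "High" if p.uses_emr else "Medium"
    rows = []
    # Internet-borne malware reaching unpatched systems.
    if not p.broadband:
        lik = "Low"
    elif p.patch_lag_days > 30:
        lik = "High"
    else:
        lik = "Medium"
    rows.append(("Internet malware on unpatched systems", lik, data_impact,
                 risk_level(lik, data_impact)))
    # Eavesdropping on a wireless LAN.
    lik = "Medium" if p.wireless else "Low"
    rows.append(("Wireless eavesdropping", lik, data_impact,
                 risk_level(lik, data_impact)))
    # Terminated employee whose account was never disabled.
    lik = "Low" if p.access_revoked_at_termination else "High"
    rows.append(("Former employee access to PHI", lik, "High",
                 risk_level(lik, "High")))
    return rows


def disposition(level: str) -> str:
    """Map a risk level to the article's three options (assumed mapping)."""
    return {"High": "reduce", "Medium": "reduce or transfer", "Low": "accept"}[level]
```

A real report would carry many more pairs and a statement of the safeguards already in place; the matrix and thresholds are the ones in SP 800-30.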

Help for the VAR

For VARs who don’t have time to become security experts and learn the NIST methodology, help is available. Eagle Consulting Partners, Inc. and Interhack Corporation offer VARs a product called RiskAssess – an on-line risk analysis tool specifically tailored to aid the VAR in conducting a professional risk analysis for their small to medium-sized medical practices. This tool combines in its knowledge base an understanding of medical office practices, a deep understanding of computer security, and the NIST methodology – which allows a VAR to easily create a professional-quality Computer Security Risk Analysis. VAR training is also available, not only on the Risk Analysis but on the entire gamut of HIPAA issues. [Shameless plug]

Revenue Potential

Your client support agreement most likely does not specify that you will conduct periodic risk analyses. To offer a credible risk analysis some investment in training is necessary, and each client will require individual time and attention. While some VARs may opt to offer this service at no additional cost, it is reasonable to charge a professional services fee based on the time required, which for a small to medium-sized physician practice would be on the order of $500 to $1000.

 

Using the Risk Analysis Report

This report is important documentation for the practice’s compliance file, demonstrating that they conducted a “thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information”. More importantly, it is the cornerstone of the security process that helps the practice allocate their limited funds wisely. When it is cost-effective, practices can spend on technologies and services that reduce their risks. On the other hand, they may accept risks when it is reasonable and prudent. Finally, they can outsource or transfer risk – a variety of insurance products are available, and outsourced services such as an outside billing service or an ASP-style service can effectively transfer risk to a third party.

VAR Products and Services to Reduce Risk

In its conclusion, the NIST-style risk analysis report will recommend appropriate security-related safeguards and services. Once again, these recommendations will vary based on the answers to the questions posed above, plus a number of other factors. Potential VAR products and services for reducing computer security risk include both familiar and new items:

  • Improved backup technologies

  • Firewalls

  • Virus protection

  • VPNs for remote access

  • System configuration adjustments for wireless networks

  • Training on system security features

  • Encryption software for laptops and other portable computing

  • Secure E-mail services

  • Anti-spam products and services

  • Monitoring software

  • Security awareness training

  • Remote Monitoring Services

  • Written security policies and procedures

  • Outsourced security management services

Most VARs who succeed over the long run do so by recommending and delivering appropriate products and services to their clients, especially those which can provide an on-going revenue stream. The HIPAA Security rule provides VARs an opportunity to do exactly that.

 

Next month, we will explore some of these security-related products which are currently offered by leading VARs.

 

 -- Gary Pritts
Eagle Consulting Partners, Inc.
4415 Euclid Ave. #300, Cleveland, OH 44103
(216) 426-0519 (voice) (216) 432-0104 (fax) (216) 233-4960 (mobile)
web: www.eagleconsultingpartners.com
email: info@eagleconsultingpartners.com

 

Gary Pritts is not affiliated with InvestMed; he is a healthcare, business and information systems consultant with 25 years of experience. To contact Gary with questions about this article or HIPAA in general, visit his website at: www.eagleconsultingpartners.com

 

 

Copyright © InvestMed, LLC and its licensors.  All rights reserved.
Images provided by www.plattphotography.com