The National Institute of Standards and Technology (NIST) has finalized and published its latest comprehensive guidance, Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide (Resource Guide). The updated Resource Guide follows the U.S. Department of Health and Human Services (HHS) recommendations for voluntary performance goals that optimize cybersecurity efforts across the healthcare sector. This update is meant to help HIPAA-regulated entities seeking practical help in understanding, implementing, and strengthening compliance with the HIPAA Security Rule.

The HIPAA Security Rule recognizes the wide range of size and complexity of regulated entities, delivering a scalable approach to flexibly protecting electronic protected health information (ePHI). Because of this diversity, a compliance strategy cannot be “one size fits all”; therefore, the Resource Guide offers a comprehensive set of guidelines that entities may adopt in part or in full to improve their security posture and achieve compliance with the HIPAA Security Rule.

The Resource Guide focuses on the reality that risk assessment and risk management processes are vital to compliance with the HIPAA Security Rule and the protection of ePHI.

Six Risk Assessment Guidelines

The Risk Assessment Guidelines offer a strategic methodology for performing a risk assessment. The HIPAA Security Rule requires that all regulated entities “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate” and then “implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.”

The results of the security risk analysis should give regulated entities the ability to determine the proper security controls for minimizing risk to ePHI. The Resource Guide breaks the assessment into the following steps:

  1. Assessment Preparation: Entities must document and understand where ePHI is created, received, kept, processed, or transmitted. This step must include all systems and parties to which ePHI is transmitted, including remote employees, outside service providers, and medical devices that process ePHI.
  2. Realistic Threat Identification: Regulated entities must identify possible threat events and sources, including ransomware, phishing, insider and environmental threats, and natural threats.
  3. Identification of Potential Vulnerabilities: Entities must identify potential vulnerabilities or existing conditions that may be exploited.
  4. Likelihood and Impact of Vulnerabilities Being Exploited: For each named potential threat, regulated parties must determine the likelihood of a threat exploiting a known vulnerability. The regulated entity should then identify an impact rating for each identified threat/vulnerability as to how an event will impact the loss or erosion of the confidentiality, integrity, and/or availability of ePHI.
  5. Risk Level Determination: The risk level is determined by assessing the overall likelihood of threat occurrence and the resulting impact. A risk-level matrix may help to identify risk levels for each threat event and its associated vulnerability.
  6. Results Documentation: The NIST report reinforces that risk assessment is an ongoing process, not a one-time activity. The assessment must be “updated on a periodic basis in order for risks to be properly identified, documented, and subsequently managed.” The dynamic landscape of cybersecurity involves emerging new vulnerabilities even as current threats are still being dealt with. Not only that, but changes in an organization’s day-to-day operations, such as the introduction of new technologies, can shift the likelihood and impact of potential threat events. This ever-changing reality shines a spotlight on the need for risk assessments to be routinely assessed and updated.
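A minimal risk register that records the output of steps 1 through 6 above, added here as an illustration and not taken from the NIST guide or this post. The three-level likelihood/impact scale, the 3x3 risk-level matrix layout, the 365-day review interval and the register entries are all assumptions or constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import date

# Ordinal rating scale shared by likelihood and impact (assumed three-level scale).
LEVELS = ("low", "medium", "high")

# Risk-level matrix (step 5): RISK_MATRIX[likelihood][impact] -> risk level.
# The layout is an assumption; an entity would tailor it to its own risk appetite.
RISK_MATRIX = {
    "low":    {"low": "low",    "medium": "low",    "high": "medium"},
    "medium": {"low": "low",    "medium": "medium", "high": "high"},
    "high":   {"low": "medium", "medium": "high",   "high": "high"},
}


@dataclass
class RiskEntry:
    asset: str           # where ePHI is created, received, kept, processed or transmitted (step 1)
    threat: str          # threat event or source (step 2)
    vulnerability: str   # condition that could be exploited (step 3)
    likelihood: str      # rating from LEVELS (step 4)
    impact: str          # rating from LEVELS (step 4)
    assessed_on: date    # when this pair was last assessed (step 6)
    risk_level: str = field(init=False)

    def __post_init__(self):
        if self.likelihood not in LEVELS or self.impact not in LEVELS:
            raise ValueError("likelihood and impact must be one of " + ", ".join(LEVELS))
        self.risk_level = RISK_MATRIX[self.likelihood][self.impact]


def rank_risks(entries):
    """Highest risk first; sorted() is stable, so ties keep their register order."""
    return sorted(entries, key=lambda e: LEVELS.index(e.risk_level), reverse=True)


def due_for_review(entries, today_iso, max_age_days=365):
    """Step 6: entries whose last assessment is older than the review interval."""
    today = date.fromisoformat(today_iso)
    return [e for e in entries if (today - e.assessed_on).days > max_age_days]


# Constructed sample register (hypothetical assets and findings).
SAMPLE_REGISTER = [
    RiskEntry("EHR database server", "ransomware", "unpatched remote access service",
              "high", "high", date(2024, 1, 15)),
    RiskEntry("Remote employee laptops", "phishing", "no MFA on webmail",
              "medium", "high", date(2025, 3, 1)),
    RiskEntry("Infusion pumps", "environmental (power loss)", "no battery backup",
              "low", "medium", date(2024, 11, 20)),
]
```

Running `rank_risks(SAMPLE_REGISTER)` puts the two "high" entries first, and `due_for_review(SAMPLE_REGISTER, "2025-06-01")` flags only the server assessed in January 2024.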

Alliance IT Provides the IT Guidance You Need

NIST’s Resource Guide should be essential reading for HIPAA-regulated entities, providing important guidance on risk assessment, management, and compliance with the HIPAA Security Rule. Those looking for help in preventing, preparing for, mitigating, and recovering from cyberattacks need only call Alliance IT. We are here to help SMBs to navigate a complex and evolving cybersecurity landscape, while protecting your company and keeping you in compliance.