HIPAA RISK ASSESSMENT

“HIPAA compliance is not a goal, but rather a perpetual aspiration”

The ArcLight HIPAA Risk Assessment is a collection of data gathering tools, procedures, and a highly detailed process that touches on every aspect of HIPAA compliance in order to paint a detailed picture of where the organization is, and is not, compliant. Once the initial assessment is completed, a roadmap for current and continuous improvement is presented.

What are we looking for?

ADMINISTRATIVE SAFEGUARDS

  • Security Management Process
  • Assigned Security Personnel
  • Information Access Management
  • Workforce Training and Management

“Administrative safeguards are administrative actions, policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect ePHI and to manage the conduct of the Covered Entity’s workforce in relation to the protection of that information.”

PHYSICAL SAFEGUARDS

  • Facility Access and Control
  • Workstation and Device Security

“Physical safeguards are physical measures, policies, and procedures to protect a Covered Entity’s electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”

TECHNICAL SAFEGUARDS

  • Access Control
  • Audit Control
  • Integrity Controls
  • Transmission Security
  • Encryption

“Technical safeguards mean technology and the policy and procedures for its use that protect electronic health information and control access to it.”

How do we get there?

AUTOMATED DISCOVERY – A detailed on-site HIPAA network discovery is performed to gather raw data about systems such as computer age, security patch compliance, enforced security policies, anti-virus status, locations of electronic protected health information (ePHI), and more. Because this scan reads management data from every system, it runs with a privileged account; that account and its credentials must be protected like any other administrative credential.

MANUAL DISCOVERY – Checklists and questionnaires are used to gather information that cannot be obtained automatically through network scans. This includes review of previous risk assessments, review of the compliance handbook, and organizational questions such as those about security policies. This step involves considerable communication with employees and the on-site HIPAA Compliance Officer. Don’t have a compliance officer? We can help!

REPORT GENERATION & REVIEW – When we have all the necessary information, we generate the reports and review them for completeness. There may be additional questions or items we need to add to the discovery.

DISCOVERY PRESENTATION – We will sit with your staff to discuss findings and any possible remediation options. This will get us our marching orders to finalize the remediation outline.

CREATE REMEDIATION OUTLINE – Once we have presented and discussed all open compliance issues, we will put together a detailed list of issues that require remediation to meet compliance. Some issues may be simple and quick changes and others may require a full project scope.

REMEDIATION OUTLINE PRESENTATION – ArcLight will meet with your internal or third-party IT staff to assist in project scope creation based on our findings.

PROJECT SCOPE – If your organization would like ArcLight to perform compliance issue remediation we will build out a scope of work and project plan to accomplish these goals.

How do we keep you moving forward?

Once the full discovery, presentation, and remediation have been completed, ArcLight recommends ongoing system monitoring as well as recurring HIPAA risk assessments to ensure that organizational changes are not jeopardizing security or compliance. Annual (or more frequent) risk assessments are a very important part of HIPAA compliance because your organization is constantly undergoing change: hiring and terminating employees, and adding or removing computers and other systems from the network. Regularly performing HIPAA assessments also provides excellent documentation that reflects your organization’s commitment to improvement.

Always remember that any organization that claims to be HIPAA compliant is only compliant until their first contact with change and change is a constant!

Let’s be honest and agree that nobody likes HIPAA. It has often, and rightly, been viewed as a heavy-handed government encroachment into your private practice, rural hospital, or other healthcare provider organization. HIPAA compliance has added expense to an industry regularly being squeezed by government regulation. We at ArcLight do not disagree. We have found many of the requirements and recommendations to be vague and confusing. That said, we do understand the purpose of HIPAA, which is to make health information portable and secure. The part that many people misunderstand about HIPAA is the “and secure.” The push to adopt electronic medical records systems created numerous security problems, much of which was not well thought out when the HITECH Act became law in 2009. Since then, we have seen numerous practices, hospitals, and other healthcare organizations fall victim to ransomware and ePHI breaches. In almost every case the breach or ransomware attack was enabled by a lack of common security best practices: practices that could have and should have been regularly reviewed and confirmed through organizational review, such as a technical and physical Risk Inventory Profile (RIP) along with a review of current administrative safeguards.

RIP HIPAA is our answer to the HIPAA compliance headache. Let’s be honest, your HIPAA Compliance Officer wears too many hats. Often they are the Practice Manager overseeing staffing, finance, HR, and any other need the organization may have. Other times the HIPAA Compliance Officer is a low-level employee who was given the title and responsibility with little training or oversight. And occasionally the HIPAA Compliance Officer is dedicated to the role. Some employees take the role and its responsibilities very seriously, while others just want to check a box and move on. No matter the situation in your organization, it is clear to anyone who has performed a HIPAA risk assessment that gathering information about administrative policies and procedures, as well as current physical and technical safeguards, is a large and arduous undertaking. Many organizations simply purchase or download a free checklist and a cookie-cutter compliance handbook. Organizations that take this tack often make dangerous assumptions about their compliance, such as “I have antivirus on my computer, so I assume we have it on all the other computers” or “I know my Windows computer occasionally performs Windows updates, so I assume all computers and servers are being updated with critical patches automatically.” These assumptions are often proven inaccurate, especially after a breach occurs.

The ArcLight “Risk Inventory Profile,” or “RIP” for short, is a time-saving and highly accurate method for gathering critical information about the current security posture of your systems, allowing you to rest in peace… Ok, not as in “die” but as in actually get some peace of mind that your systems are properly secured and that your administrative policies and procedures match the security that is actually applied. The key ingredient in the RIP toolset is the ability to scan your systems from a central location using a tool that pulls WMI and SNMP information. WMI stands for Windows Management Instrumentation, which is defined as “a set of extensions to the Windows Driver Model that provides an operating system interface through which instrumented components provide information and notification.”

Simply put, this means that our software can reach out to every Windows device on your network and pull back information such as anti-virus status, Windows patch level, computer age, operating system version, failed logon attempts, and more.

RIP also allows us to scan every system for locally stored electronic protected health information (ePHI). Our clients are often surprised at how much ePHI is stored on local computers, not to mention payment card data (covered by PCI DSS) and personally identifiable information (PII). Regrettably WMI is a Microsoft-only solution, but there is an open standard called SNMP that allows us to scan most other devices such as firewalls, network switches, wireless access points, fax appliances, IP phone handsets, printers, and much more. SNMP stands for Simple Network Management Protocol, which is defined as “an Internet Standard protocol for collecting and organizing information about managed devices on IP networks and for modifying that information to change device behavior. Devices that typically support SNMP include cable modems, routers, switches, servers, workstations, printers, and more.” One caveat: SNMP versions 1 and 2c authenticate with a community string sent in cleartext, so a device that still answers to the default “public” string is itself a finding; SNMPv3 with authentication and privacy should be used for the scan wherever the device supports it.

In short SNMP is a way for us to pull information from non-Windows based devices and accurately populate information about your current security posture. The discovered security posture is then used to determine security and compliance discrepancies which can be remediated.
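The following PowerShell script is an added example of the WMI-style posture inventory the preceding paragraphs describe. It is not ArcLight’s RIP tooling, and it assumes the account running it has local administrator rights on each target and that WinRM (the default transport for Get-CimInstance) and remote event-log access are reachable. The target list, the 30-day patch threshold, the scan root, and the SSN-shaped regex are all constructed assumptions for illustration; the SNMP side of the inventory is not covered here.

```powershell
# Added example (not ArcLight's RIP tool): collect OS version, hardware age, patch
# recency, anti-virus registration and failed logons from Windows hosts over CIM/WMI,
# then look for SSN-shaped strings in local text files as ePHI candidates.
# ASSUMPTIONS: run as a local administrator on each target; WinRM reachable.
param(
    [string[]] $Targets = @('localhost'),   # constructed default; replace with your hosts
    [int]      $MaxPatchAgeDays = 30,       # assumed threshold for "patching has stalled"
    [string]   $PhiScanRoot = 'C:\Users'    # assumed location of user data to scan
)

function Get-HostPosture {
    param([string] $ComputerName)

    $os   = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $ComputerName
    $bios = Get-CimInstance -ClassName Win32_BIOS -ComputerName $ComputerName

    # Win32_QuickFixEngineering lists installed updates; the newest InstalledOn date is a
    # rough proxy for "is this machine still being patched".
    $lastPatch = Get-CimInstance -ClassName Win32_QuickFixEngineering -ComputerName $ComputerName |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1

    # root/SecurityCenter2 only exists on client editions (Windows 10/11). On servers the
    # query fails, so an empty result means "unknown", not "no anti-virus".
    $av = $null
    try {
        $av = Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct `
            -ComputerName $ComputerName -ErrorAction Stop
    } catch { }

    # Security event 4625 = failed logon. A 24h count surfaces password spraying and
    # forgotten shared accounts; reading the Security log remotely needs admin rights.
    $failedLogons = 0
    try {
        $failedLogons = @(Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
            LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddDays(-1)
        } -ErrorAction Stop).Count
    } catch { }

    [pscustomobject]@{
        ComputerName    = $ComputerName
        OSVersion       = "$($os.Caption) $($os.Version)"
        BIOSReleaseDate = $bios.ReleaseDate            # proxy for hardware age
        LastPatchDate   = $lastPatch.InstalledOn
        PatchStale      = (-not $lastPatch) -or
                          ($lastPatch.InstalledOn -lt (Get-Date).AddDays(-$MaxPatchAgeDays))
        AntiVirus       = ($av | ForEach-Object displayName) -join ', '
        AVKnown         = [bool]$av
        FailedLogons24h = $failedLogons
    }
}

function Find-LocalPhiCandidates {
    # Heuristic only: SSN-shaped strings in plain-text formats (HL7 and CSV exports are the
    # usual culprits). Office and PDF files are compressed or binary and need a text
    # extractor first, so they are deliberately excluded. Every hit needs human review.
    param([string] $Root, [int] $MaxHits = 50)
    $ssnPattern = '\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b'   # constructed regex
    Get-ChildItem -Path $Root -Recurse -File -Include *.txt, *.csv, *.log, *.hl7, *.xml, *.rtf `
        -ErrorAction SilentlyContinue |
        Select-String -Pattern $ssnPattern -List -ErrorAction SilentlyContinue |
        Select-Object -First $MaxHits -Property Path, LineNumber
}

# Posture table: any row with PatchStale = True or AVKnown = False is a discrepancy
# between what the policy says and what the machine actually does.
$Targets | ForEach-Object { Get-HostPosture -ComputerName $_ } | Format-Table -AutoSize

# ePHI candidates on the machine running the script (extend per target as needed).
Find-LocalPhiCandidates -Root $PhiScanRoot | Format-Table -AutoSize
```

Run it from an administrative PowerShell session; the first table is the raw material for the “assumed vs. actual” comparison the text describes (an empty AntiVirus column on a server is expected, on a workstation it is a finding), and the second table lists files to review by hand before anything is recorded as ePHI.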

RIP HIPAA is an accurate and verifiable process for ensuring your organization’s security and compliance are properly aligned with your policies and procedures. RIP HIPAA takes much of the tedium and guesswork out of compliance and lets you focus on what is most important to your organization!