Security Risk Analysis and Risk Management for Small Healthcare Providers

Micheal Goodwin, February 20, 2018

For years, your patients have needed to guard against paper cuts when visiting your office as they scribbled their names on your official “Patient Privacy” forms. These documents state that you, the medical provider, will protect the patient's personally identifiable information (PII) and will guard the information they share with you. And while you hear about the occasional breach at larger hospitals and insurance providers, you feel comfortable knowing you are a small target and the Internet doesn't really care about “Jane Smith's General Practice”. But the facts are that over three million patient records were compromised in 2017 across the healthcare spectrum, and small and independent practices were breached, hacked, and ransomed just like the larger healthcare organizations.

A small healthcare provider must provide the same HIPAA protections as larger organizations, but with a much smaller budget and with fewer staff for oversight. Often the compliance person in the medical office is the office manager, who is already overworked, trying to get out of the office after a hard 50-hour week, and has no time to read up on the latest phishing attack targeting small medical practices.

An often overlooked provision of the HIPAA Security Rule is 45 CFR § 164.308(a)(1), which says that covered entities must perform a regular Risk Analysis and have a Risk Management plan. This specific rule applies to all organizations covered by HIPAA. While many small practices have discussions on how to handle risk, these are seldom formalized, documented, or updated. Such loosely formed ideas would not pass the scrutiny a practice would face in the event of an audit or, worse, during the aftermath of an investigation following a data loss. While the time, effort, and expense of performing a Risk Analysis and developing a Risk Management plan may seem a hardship, the end result is actionable information designed to protect the practice and its patient information from the harm of a security breach.

In § 164.308(a)(1)(ii)(A) it is REQUIRED that practices perform a Risk Analysis:

Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].

The Risk Analysis is a detailed look at current security policies, procedures, and practices to ensure they meet the requirements to protect PII. This review is often performed by qualified auditors who understand healthcare organizations and HIPAA guidelines and have the technical expertise to make judgements on the current environment. The Risk Analysis is a combination of staff interviews, physical inspection, documentation review, and electronic inspection, used to develop a picture of the practice's current security posture. The findings of the Risk Analysis are documented in an audit report that relates them to HIPAA and NIST audit guidelines.

The Risk Analysis feeds the Risk Management plan. The Risk Management plan is used to address the threats identified during the Risk Analysis. This plan takes into account the size of the practice and its place in the healthcare community it serves. It offers suggestions and changes to the practice's current security environment for better patient data protection. While some changes may seem difficult, a well-developed Risk Management plan should include steps to attain security goals and will take into consideration the overall risk likelihood and the practice's budgetary constraints. The overall goals of Risk Management are to protect patient information as well as the reputation of the practice.

The Office for Civil Rights (OCR) is responsible for posting updates and information regarding the HIPAA Security Rule, but it does not provide specific methods or guidelines on how to perform the Risk Analysis. With every practice being a “snowflake”, the risks each faces are unique to its size, network, computer hardware, software, Business Associates used, and many other factors. While the openness of the Risk Analysis audit process accommodates the differences among smaller medical practices, it also makes it difficult for practices to self-assess, since there is no cookie-cutter template to follow. This prompts many small practices to use a third party to perform their Risk Analysis and create their Risk Management plan, which they can then bring to their IT staff or IT provider for technical changes and implementation.

Server@Work performs remote and on-site HIPAA Risk Analysis and delivers Risk Management plans for HIPAA compliance. We also perform in-depth Security Risk Analysis for Meaningful Use reporting for small and medium-sized healthcare providers. For assistance with your Security Risk Assessment, call (855) WORK247.