Michael L. Brody, DPM Understanding the Risk Analysis
Post on 16-May-2018

Legal Disclaimer

• This information does not constitute legal advice and is for educational purposes only.
• This information is based on current federal law and subject to change based on changes in federal law or subsequent interpretative guidance.
• Since this information is based on federal law, it must be modified to reflect state law where that state law is more stringent than the federal law or other state law exceptions apply.
• This information is intended to be a general information resource regarding the matters covered, and may not be tailored to your specific circumstance.
• YOU SHOULD EVALUATE ALL INFORMATION, OPINIONS AND ADVICE PROVIDED HEREIN IN CONSULTATION WITH YOUR LEGAL OR OTHER ADVISOR, AS APPROPRIATE.

Disclosure

• Dr. Michael Brody is President and CEO of TLD Systems.
• TLD Systems provides consulting and support to hundreds of practices on implementing a HIPAA Security Risk Analysis and Risk Mitigation Plan.

About Dr. Brody

• HIMSS Physician Committee
• HL7 Workgroup Member
• Committee Member, Standards and Interoperability Framework
• Technical Editor, Podiatry Management Magazine
• Health Information Technology Consultant to PICA
• Chief Compliance Officer, Sammy / ICS Software
• Consultant to BAKO Pathology

First Step: Identify Risks

• To have a risk you must have three elements:
  – An asset
  – A vulnerability
  – A threat

What is an Asset

• From the perspective of the HIPAA Rule, an asset is Patient Information.
  – Patient Information can be:
    • Electronic
    • Written
    • Spoken

Identify your Assets (Electronic)

• A complete inventory of:
  – All Computers
  – All Backup and Storage Media
  – All Offsite Backup Providers
• Don’t forget that patient data may be on hard drives in:
  – Copiers
  – Printers
  – Fax Machines

What if the computer does not have patient data?

• This is a Frequently Asked Question.
  – Many offices are set up in a client/server or ASP configuration such that the workstations SHOULD NOT contain patient data.
  – Each time I have visited an office and examined workstations that SHOULD NOT have patient data, I have found patient data stored on the hard drive of those computers in the form of:
    • Text Documents
    • Spreadsheets
    • Old EHR / Practice Management Systems that have been ‘retired’ and are no longer in use
  – Better safe than sorry. Include ALL workstations in your inventory of assets.

While we are on the topic of FAQs

• Why do I have to encrypt my computers?
  – Meaningful Use Stage 2 requires encryption of all of your patient data.
  – Encryption is relatively cheap insurance.
• If your computers (hard drives, backup devices etc.) are encrypted with a method that is FIPS 140-2 compliant and
  • Your device is lost or stolen
  • YOU DO NOT have a HIPAA breach.

Do I have to encrypt all computers or just my server?

• Thinking back to the first FAQ, it is better to be safe than sorry. Make sure that ALL computers are encrypted. That way, if a computer is lost or stolen, you will not lose any sleep wondering whether somebody made a mistake and accidentally saved patient info to the workstation.

What is a Vulnerability?

• Portable devices are a vulnerability.
• Devices that are not in secure areas are a vulnerability.
• Poorly configured firewalls are a vulnerability.
• Lack of antivirus software is a vulnerability.
• Paper sitting on a printer or fax machine for an extended period of time is a vulnerability.

An Asset plus a Vulnerability

• Is not enough for a Risk.
• If there is no way to exploit the vulnerability, then there is no risk.
• The process of exploiting a vulnerability is the Threat.

Examples of Threats

• Computer Viruses
• Hackers
• Thieves
• Power Outages
• Hardware Failures
• Human Error

An Asset / Vulnerability / Threat triplet = a Risk

• A computer connected to the internet that has patient information and does not have antivirus software is a big risk.
• The same computer with antivirus software is a much smaller risk (antivirus software mitigates the risk of a virus but does NOT eliminate the risk).
• The same computer that is not connected to the internet does not have a risk due to computer viruses (other risks to the computer still exist).
• The same computer with no patient data has no risk – no asset.
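The four cases above, worked through as a small model of the asset / vulnerability / threat triplet. This is an added example, not part of the presentation; the vulnerability-to-threat mapping, the severity numbers and the residual fraction left by antivirus are constructed assumptions used only to make the deck's reasoning executable.

```python
from dataclasses import dataclass, field

# Constructed mapping: which threats from the deck can exploit which vulnerability.
EXPLOITS = {
    "no_antivirus": {"computer_virus"},
    "unencrypted_drive": {"thief", "device_loss"},
    "no_backup": {"hardware_failure", "human_error"},
}
# Constructed severities (0-10). A virus needs a network path to reach the asset.
SEVERITY = {"computer_virus": 10, "thief": 8, "device_loss": 8,
            "hardware_failure": 6, "human_error": 6}
NETWORK_THREATS = {"computer_virus"}


@dataclass
class Asset:
    name: str
    has_patient_data: bool
    internet_connected: bool
    vulnerabilities: set
    # vulnerability -> residual fraction of the risk left after a mitigating
    # control; 1.0 means no control. Antivirus leaving 0.3 is a constructed value.
    controls: dict = field(default_factory=dict)


def reachable_threats(asset):
    """Threats that can actually reach this asset (offline box: no virus path)."""
    threats = set(SEVERITY)
    if not asset.internet_connected:
        threats -= NETWORK_THREATS
    return threats


def risks(asset):
    """Score every asset/vulnerability/threat triplet. No patient data: no asset, no risk."""
    if not asset.has_patient_data:
        return {}
    scores = {}
    for vuln in asset.vulnerabilities:
        residual = asset.controls.get(vuln, 1.0)  # a control reduces, it does not remove
        for threat in EXPLOITS.get(vuln, set()) & reachable_threats(asset):
            score = round(SEVERITY[threat] * residual, 1)
            scores[threat] = max(scores.get(threat, 0), score)
    return scores


def total_risk(asset):
    """Sum of the triplet scores, i.e. the number an analysis (not an inventory) produces."""
    return round(sum(risks(asset).values()), 1)
```

Running `risks()` on the same computer with and without antivirus, offline, and with no patient data reproduces the four bullets: big risk, smaller but non-zero risk, no virus risk but the theft/loss risks remain, and no risk at all.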

Yes, it can get confusing.

• Under the HIPAA rules you must do the best job you can.
• Even the government understands that you will not be perfect.
• Demonstration and DOCUMENTATION of a best effort will go a long way to protecting you WHEN you have a HIPAA event.
  – Yes, I said when. I have been in lectures presented by Leon Rodriguez, the head of the Office for Civil Rights at the Office for the National Coordinator for Health Information Technology (OCR at ONC – yes, the government loves acronyms). He has said it is not a matter of if you will have a HIPAA breach, it is a matter of when.

What does that mean?

• Do your best job at cataloging each and every device and medium that may contain patient info (identify all of your assets).
• Look at each Asset and determine what vulnerabilities the asset has:
  – Unencrypted Hard Drive
  – Lack of Antivirus Software
  – Portable / easily lost or stolen
  – Lack of Firewall
  – Lack of Backup
  – Lack of Security (Passwords etc.)

Look at the threats

• Theft or loss of the devices
• Cyber criminal breaking into your network
• Physical criminal breaking into your office
• Fire / Other disaster
• Temporary loss of power
• Computer failure (disk crash or other failure)

Remember HIPAA is more than confidentiality

• There are three important aspects to HIPAA:
  – Confidentiality – only people who should see the information can see the information.
  – Integrity – the information is correct and intact.
  – Availability – the information is available to you when you need it.

Come up with a Plan, Part 1

• Backups of data protect you from many Asset / Vulnerability / Threat triplets.
• This protects you from issues related to integrity / availability, but not confidentiality.
• Being able to restore from a backup can save you in case of data loss or data corruption due to:
  – Computer Failure
  – Computer Loss
  – Natural Disaster
  – Human Error

Human Error?

• Human Error is a major cause of HIPAA events.
• People can accidentally delete patient information or put the wrong information in the wrong chart.
• Backups not only protect you from data loss due to things such as computer failures but also allow you to recover from human error such as accidentally deleting vital information.

Other ways to protect from Human Error

• Staff Training
  – If your staff knows how to properly handle your assets, the chance of error decreases exponentially.
  – Most HIPAA events are due to Human Error.

So, in the previous example

• The possibility of somebody accidentally deleting information can be mitigated by:
  – Administrative Methods – Staff Training
  – Technical Methods – Having Backups
  – Physical Methods – none that I can think of
• (so why include that in this slide??)

Your Risk Mitigation Plan

• The Administrative Measures you put in place to minimize the chance of a HIPAA event.
• The Technical Measures you put in place to minimize the chance of a HIPAA event.
• The Physical Measures you put in place to minimize the chance of a HIPAA event.

Once you have identified your Assets, Vulnerabilities, and Threats

• Think of what you can do to mitigate those triplets.
• The steps you take can be physical, technical or administrative:
  – Back up your data (technical)
  – Test your backup data (technical)
  – Make sure your staff does daily backups (administrative)
  – Lock down the computers (physical)
  – Store your media in a fireproof safe (physical)
  – Have that safe offsite (administrative)

And then document your plan

• The documentation of steps you intend to take to improve your ability to either prevent a HIPAA event or mitigate the impact of a HIPAA event is your RISK MITIGATION PLAN.
• Simply documenting all of your Risks is NOT a Risk Analysis. It is a Risk Inventory.
• In order for you to have a proper Risk Analysis, you must document all of your assets.
• Look at those assets with respect to the existing vulnerabilities and threats (the Analysis).
• Document the results of that Analysis, which is your Risk Mitigation Plan.

Check Boxes are Not Enough

• Simply checking off what you have and what you have done is an inventory, not an analysis.
• When submitted for a Meaningful Use Audit, a sheet of check boxes has FAILED AUDIT.

Pre-Fab Manuals are not enough

• A pre-fab manual that has been downloaded off the internet has policies and procedures but does not include an inventory of your assets.
• People who have submitted pre-fab manuals have FAILED Meaningful Use Audits.

You Must Have

• A document that demonstrates your inventory of Assets.
• A document that details your process of determining Vulnerabilities and Threats.
• A document that has your mitigation plan.
• You now have a HIPAA Security Risk Analysis.

AND...

• You must implement the changes that you identify that are within your resources.
  – HUH???
• If you identify a method of mitigating a risk that is beyond your resources, you only need to discuss the mitigation and then document how it is beyond your resources, if the standard in the rule says that the standard is addressable.

Stop... Put that gun down, don’t shoot yourself

• Addressable? Standards?
  – Yes, some HIPAA Standards are addressable and some are required.
  – This means that there are some things in the rule that you MUST do and others that you need to do if they are within your resources.
  – The entire HIPAA Rule that shows every standard is available for you to download at http://www.hhs.gov/ocr/privacy/hipaa/administrative/omnibus/
  – The Federal Government provides guidance for meeting the rule at http://www.hhs.gov/ocr/privacy/hipaa/understanding/index.html

With some research and education

• You can do a Risk Analysis the right way.
  – Warning: NO HIPAA Risk Analysis is perfect.
  – The more you know, the better your Risk Analysis will be.
• Without the education and research, it is even easier to get it wrong.
• But getting it wrong is MUCH better than not doing it at all.
  – If you don’t do it at all, you are in Willful Compliance and if you have a HIPAA event you are guaranteed fines.
  – If you get it wrong, you are more likely to have a HIPAA event, but as long as you can demonstrate you put in a good faith effort you will still have the ability to avoid fines.
  – The better your Risk Analysis AND FOLLOW UP BY IMPLEMENTING YOUR RISK MITIGATION PLAN, the less the chance you will have a HIPAA event.

And

• The Federal Government has published that starting in October of this year:
  – They will be sending out auditors to do random audits of Hospitals, Health Insurance Plans and Medical Providers.
• What are the chances you will be audited? Probably very low.
  – Do you want to take that risk?
• Now is the time to complete a PROPER RISK ANALYSIS.
  – If you cannot do it yourself, call in a consultant to help you.

Thank You

For attending today’s presentation.

Questions?

• We will now open the session to your questions.
  – Please click on the orange arrow that is at the top right of your computer.
  – You will see a control panel open up.
  – There is an area for questions.
  – Please type in your questions.
  – We will get to as many questions as time allows.
  – If you think of any questions after this session is over, you can send me an email at [email protected].