Cyber-security incident prevention has been at the top of the list of Health IT agendas in recent years, and pressure will only grow more intense as we turn the corner into 2020. An explosion of systems exploitation in recent months has caused Health IT professionals to be more vigilant than ever in implementing procedures to monitor, track and test their systems for vulnerabilities and threats on a regular basis. The Office for Civil Rights (OCR) issued a Spring 2019 OCR Cybersecurity Newsletter which provided information relevant to the zero-day exploits[1] (“Zero Day”) and advanced persistent threats[2] (“APT”) recently occurring across the globe. Both pose serious and dangerous threats to our information and operations, so it is not enough to simply know the difference between a zero-day and an APT; organizations must also prevent the exploits behind these threats from launching further assaults.

Under the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (the “security rule”), covered entities and business associates are required to conduct ongoing risk assessments (45 C.F.R. §§ 164.306(e) and 164.316(b)(2)(iii)) to ensure they are compliant with HIPAA’s administrative, physical, and technical safeguards. The purpose of the security risk assessment (SRA) is to identify areas where an organization’s protected health information (PHI) could be at risk. Examples of circumstances that could lead to vulnerabilities or threats include, but are not limited to, planned or actual changes in ownership, operations, workflows, technology, turnover of key staff, or a known or suspected security incident.

The SRA and a timely response to SRA results will allow an organization to mitigate damage and reduce the associated risks to reasonable and appropriate levels. Some vendors offer tools that assist in this process and can be very effective. The Office of the National Coordinator for Health Information Technology (ONC), in collaboration with the HHS Office for Civil Rights (OCR), developed a free SRA tool which assists organizations in evaluating their SRA practices. This tool should be used as a supplement to the SRA documentation that each organization collects during its SRA process. It allows users to answer questions and rate their current state, while offering guidance on the most effective protections. The tool also allows users to input assets, which is highly useful in maintaining an inventory of technical assets[3], along with the current disposal, encryption, data and activity status of each asset.

The security rule is not prescriptive in specifying an exact frequency at which an SRA should be conducted, because each organization’s frequency will vary depending upon its specific circumstances. However, as a rule of thumb, AMS recommends that an SRA should occur at least annually, with ongoing reevaluation, and whenever the organization has an event or circumstance that could lead to a security vulnerability or threat.

[1] The “zero day” exploit or attack takes advantage of a previously unknown hardware, firmware, or software vulnerability.

[2] The APT is a long-term cybersecurity attack that continuously attempts to find and exploit vulnerabilities in a target’s information systems to steal information or disrupt the target’s operations.

[3] Examples of asset types include laptops, desktops, PDAs, printers, copiers, facsimile machines, and clinical devices such as EKG/EEG/ECG, ultrasonography and radiological equipment.