Are you ready to engage with a client who requires HIPAA compliance? Nope. But you're getting there.
If you've followed the earlier steps in this pamphlet, your environment is now pretty safe. But you don't have enough paperwork in place to sign a BAA, because you haven't evaluated your risk, documented your risk, and written HIPAA Policies and Procedures. HIPAA's conception of a risk analysis is defined at HIPAA 45 CFR § 164.308(a)(1)(ii).
According to HIPAA, you must
Let me pick out some details in these requirements.
"Confidentiality, integrity, and availability" (C.I.A.) is the conceptual triad that defines security. Confidentiality means that you must be able to keep secrets. Integrity means that data can't be inappropriately changed. Availability means that information must not be blocked from those who legitimately need it. If you are running servers, it means that the software needs to be up and running according to any agreements you've established.
A key word in the second and third items is reasonably. Do you have to protect against all hazards? No. Must you prevent all unpermitted and/or unrequired uses or disclosures? No. You must protect against reasonably anticipated threats and must protect against reasonably anticipated unpermitted and/or unrequired uses or disclosures. What is reasonable? HIPAA has some guidance. You must consider the size, complexity, and capabilities of your business. When you are picking controls, you should look at your infrastructure, hardware, and software security capabilities. Costs should be considered. If the costs are very high to protect a low-cost resource, you might simply accept the risk. For example, if you have your laptop controlled in such a way that no one can extract PHI from it, and you have insurance to replace it, and it can be replaced in a few hours, does it really matter if it gets stolen? Maybe not. This means that you might be able to write policy that does not require tethering your laptop to prevent theft. Can you afford to lose 4 hours of business? Maybe not. But that's your decision. This does not mean that HIPAA is giving you enough rope to hang yourself. It simply means that your controls must fit your risk and you must explain your reasoning so that an auditor can understand it.
The fourth item here asks for workforce compliance that you ensure. This means that you are going to have to introduce an administrative control that establishes a training procedure for new employees. As well, you will need to re-train your existing staff periodically, typically every year. That word ensure means a couple of things: You are going to want to test/quiz your staff to verify that they have absorbed the training -- the fact of training must be recorded somewhere so that if you are audited you can present a list of training dates and quiz results. And you likely will need to build some monitoring. For example, you may train your workforce that documents with PHI should not be stored in Google Workspace. You may want to conduct spot checks on a random set of files. Perhaps you introduce a rule that files must not be shared outside of the company -- but the software allows it. In that case, you may want to be alerted when a file is shared outside of the company, so that you can inspect it. The point is to have an armature of administrative, technical, and possibly physical controls that ensures compliance with training.
The whole philosophy of this pamphlet is to get your house in order when it's small. Since reasonableness depends on size, complexity, and capabilities, starting early on really helps because your size is small, your complexity is low, and your capabilities are few. As you add capabilities, you can incrementally re-assess your risk and introduce or modify controls. Risk analysis is required periodically, so if you get the right habits in place, you can provide for a smooth expansion of scope as your company grows, becomes more complex, and develops more sophisticated capabilities.
How do you make these determinations around risk? You figure out what is reasonable in your environment via a risk analysis.
HIPAA defines what you have to do to satisfy the Security Rule via its Implementation Specifications.
These specifications come in two flavors:
The fact that many specifications are addressable provides a pathway to do the appropriate thing for your business. You may decide or discover that the risk of a laptop disk being stolen is very low. You must describe your risk analysis, and then write appropriate policy and procedure to match your assessment of the risk.
The fact that many specifications are addressable also means that as your business changes, you must change your policies and procedures to match. This means that when you make a change, you will have to re-analyze the risk.
TODO: