In our last blog post, we walked through an example security risk analysis up to the final two steps. This time, we will show you how to complete your assessment.
In our example practice we already determined that the most likely potential threat to PHI was current employees accessing records they were not authorized to view, out of curiosity. The other threats were those posed by hackers, tornadoes, and fires. The next step is to rank these threats by likelihood. According to government statistics, there are an average of 50 tornadoes per year in Iowa, and the state ranks 6th overall for tornado frequency. In one Iowa city alone there were 89 fires in 2006, so this type of disaster is by far the next most likely.
Even with little research, we would be pretty safe in saying there are not more than 50 hacker-related security breaches in Iowa every year. Nevertheless, to check the statistics on significant breaches we can look at the HHS "wall of shame" and get a rough idea of the number. According to it, there have been 0 PHI breaches in Iowa affecting over 500 people. That means we can make the tornado threat number 3 and lower the hacker-related threat to our fourth most likely. As you can see, although HIPAA makes this step seem very technical and frightening, estimating the likelihood of disaster events is not rocket science. There is also a wealth of government information on the web regarding disaster-occurrence statistics. Just make absolutely sure to DOCUMENT ALL STEPS IN YOUR ANALYSIS (including research).
Now that Dr. B.A. Ware's security officer has 'calculated' the likelihood of "reasonably anticipated" disasters, we must evaluate their possible effects. We all know that both fire and tornadoes will physically destroy data. A hacker attack could result in unauthorized disclosure of PHI, as could employee confidentiality breaches. Thus, in this case, the focus of the security plan should be relatively balanced between preventing water and fire damage and preventing unauthorized access (physical and electronic).
When implementing safeguards, it is helpful to look for solutions that prevent multiple damage scenarios. For instance, having an offsite backup reduces the chance of physical data loss should any type of natural disaster strike your practice. Similarly, encrypting handheld devices, email, and messaging can help prevent PHI breaches from both inside and outside your practice. Using the Direct Protocol will be an excellent way to implement this defense in the near future. Dr. Ware's practice also needs to make sure that its firewalls are set up and working properly, and that passwords are not weak or default vendor passwords. The clerical side of the office, where most PHI resides, would benefit from a keypad lock. Employees should have HIPAA training and background checks, while Dr. Ware's EMR needs to employ an audit trail in order to track unauthorized data access. When making changes to the security plan, again remember to include the reason and evidence for doing so.
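To make the audit-trail point concrete, here is an added example (not from the original post or from Dr. Ware's practice): a short Python review of constructed EMR audit-log lines that flags views of patients outside an employee's assigned caseload, which is the curiosity-driven insider access the analysis ranked most likely. The assignment table, log format, and user names are assumptions made for illustration.

```python
# Added example: review an EMR audit trail for record views outside the
# employee's treatment relationship. All data below is constructed.
from collections import Counter

# Constructed: which patients each employee is currently assigned to.
ASSIGNMENTS = {
    "nurse01": {"P100", "P101"},
    "clerk02": {"P100", "P102"},
    "drware":  {"P100", "P101", "P102", "P103"},
}

# Constructed audit trail: timestamp, user, action, patient id.
AUDIT_LOG = """\
2011-04-01T08:02:10 nurse01 VIEW P100
2011-04-01T08:15:44 clerk02 VIEW P102
2011-04-01T09:30:01 nurse01 VIEW P103
2011-04-01T09:31:12 nurse01 VIEW P102
2011-04-01T10:05:00 drware VIEW P103
2011-04-01T12:47:09 clerk02 VIEW P101
"""

def parse_audit_log(text):
    """Turn raw log lines into (timestamp, user, action, patient) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, user, action, patient = line.split()
            events.append((ts, user, action, patient))
    return events

def find_unassigned_access(events, assignments):
    """Return events where a user viewed a patient not in their assignments.
    A user absent from the assignment map is treated as having none."""
    return [ev for ev in events
            if ev[3] not in assignments.get(ev[1], set())]

def count_by_user(flagged):
    """Count flagged views per user so follow-up can be prioritised."""
    return Counter(ev[1] for ev in flagged)

if __name__ == "__main__":
    hits = find_unassigned_access(parse_audit_log(AUDIT_LOG), ASSIGNMENTS)
    for hit in hits:
        print("REVIEW:", *hit)
    print(count_by_user(hits))
```

Each flagged line is a starting point for the security officer's follow-up, not proof of wrongdoing, and the review itself should be documented like every other step of the analysis.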