For better or worse, the HIPAA Security Rule (HSR) applies to all covered entities and business associates regardless of their size, location or resources. Fortunately, the federal government recognized there is no ‘one-size-fits-all’ approach to securing sensitive information by writing many, if not most, of the standards and implementation specifications at the objective-level, rather than at the level of prescription necessary for organizations to implement a comprehensive and robust information security program. The HSR also provides organizations a certain latitude or “flexibility of approach” (45 CFR § 164.306(b)) with respect to the determination of the “security measures that allow the [organization] to reasonably and appropriately implement the standards and implementation specifications” based on:
- The size, complexity and capabilities of the [organization]
- The [organization’s] technical infrastructure, hardware and software security capabilities
- The costs of security measures
- The probability and criticality of potential risks to [ePHI]. (45 CFR § 164.306(b)(2))
Subsequently, the HSR helps ensure organizations develop this necessary level of prescription by requiring a risk evaluation to support the selection of these reasonable and appropriate safeguards that provide for the adequate protection of ePHI.
Covered entities and business associates must “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information” (45 CFR § 164.308(a)(1)) … [created, received, maintained or transmitted (45 CFR § 164.306(a)(1))] … to “protect against any reasonably anticipated threats or hazards to the security or integrity of such information” (45 CFR § 164.306(a)(2)).
Unfortunately, risk analysis is not something with which the healthcare industry was intimately familiar. The textbook approach to risk analysis includes threat and vulnerability assessments, information asset valuation and the selection of specific risk treatments for the enumerated threat-vulnerability pairs (a process sometimes referred to as threat modeling). This is all designed to support the selection of cost-effective controls that will manage risk at a level determined acceptable by the organization. From a quantitative viewpoint, this process is virtually impossible for most organizations due to the general lack of actuarial-type data for security-related threats. One could take a semi- or quasi-quantitative approach or even a purely qualitative approach; however, it would still be difficult for an organization—especially one in healthcare—to perform the analysis for a comprehensive set of risk responses.
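To make the textbook process concrete, here is an added illustration (not code from the article, HITRUST or HHS) of a semi-quantitative risk register: each entry is a threat-vulnerability pair against an asset holding ePHI, scored on ordinal likelihood and impact scales, compared against the organization's acceptable risk level, and assigned a treatment (accept, mitigate, transfer or avoid). The 1-to-5 scales, the acceptance threshold, the treatment rules, the sample register and the relative control costs are all constructed assumptions; an organization would substitute its own.

```python
"""Semi-quantitative ePHI risk register: threat-vulnerability pairs, ordinal
likelihood x impact scoring, and risk-treatment selection.

Added illustration only; the scales, threshold, decision rules and sample
data below are constructed assumptions, not guidance from HHS or HITRUST.
"""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed 1..5 ordinal scales (a purely quantitative scale would need
# actuarial data the organization is unlikely to have).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}

# Constructed: risk at or below this score is accepted without further treatment.
ACCEPTABLE_LEVEL = 6


@dataclass(frozen=True)
class RiskItem:
    asset: str                   # asset that creates, receives, maintains or transmits ePHI
    threat: str
    vulnerability: str
    likelihood: str              # key into LIKELIHOOD, judged with existing controls in place
    impact: str                  # key into IMPACT, in terms of ePHI confidentiality/integrity/availability
    candidate_control: str = ""  # control considered if the treatment is "mitigate"
    control_cost: int = 0        # constructed relative cost units for that control


def risk_score(item: RiskItem) -> int:
    """Ordinal likelihood x impact, range 1..25."""
    return LIKELIHOOD[item.likelihood] * IMPACT[item.impact]


def select_treatment(item: RiskItem, acceptable_level: int = ACCEPTABLE_LEVEL) -> str:
    """Constructed decision rule mapping a scored pair to a risk treatment."""
    score = risk_score(item)
    lik, imp = LIKELIHOOD[item.likelihood], IMPACT[item.impact]
    if score <= acceptable_level:
        return "accept"
    if lik >= 4 and imp >= 4:
        return "avoid"      # both frequent and damaging: stop or redesign the activity
    if lik <= 2 and imp >= 4:
        return "transfer"   # rare but severe: insurance or contractual transfer
    return "mitigate"       # everything else: select a cost-effective control


def mitigation_plan(register: List[RiskItem]) -> List[Tuple[str, int, str]]:
    """Pairs needing mitigation, ordered by risk reduced per unit of control cost."""
    rows = []
    for item in register:
        if select_treatment(item) == "mitigate":
            score = risk_score(item)
            # A zero-cost control (already owned) sorts first.
            efficiency = score / item.control_cost if item.control_cost else float("inf")
            rows.append((item.asset, score, item.candidate_control, efficiency))
    rows.sort(key=lambda r: (-r[3], -r[1]))
    return [(asset, score, control) for asset, score, control, _ in rows]


# Constructed sample register for a small clinic.
SAMPLE_REGISTER = [
    RiskItem("EHR database", "external attacker", "unpatched database server",
             "possible", "severe", "monthly patch cycle", 3),
    RiskItem("Clinician laptops", "loss or theft", "no full-disk encryption",
             "possible", "major", "full-disk encryption with device management", 2),
    RiskItem("Backup tapes", "media failure", "single off-site copy",
             "unlikely", "major"),
    RiskItem("Billing workstation", "commodity malware", "unrestricted web browsing",
             "possible", "minor", "endpoint anti-malware", 1),
    RiskItem("Legacy fax-to-email gateway", "interception", "unencrypted relay",
             "likely", "severe"),
]

if __name__ == "__main__":
    for item in SAMPLE_REGISTER:
        print(f"{item.asset:32} score={risk_score(item):2} -> {select_treatment(item)}")
    print("Mitigation order:", mitigation_plan(SAMPLE_REGISTER))
```

The ordering in `mitigation_plan` is the "cost-effective controls" step: with the same ordinal data, a higher-scoring pair can legitimately be treated after a lower-scoring one if its control costs proportionally more.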
This level of difficulty is borne out by Department of Health and Human Services (HHS) Office for Civil Rights (OCR) HIPAA security and privacy audits, which have shown that many healthcare organizations have not conducted a valid risk analysis, assuming one was performed at all.
An alternative approach is to rely on a control framework developed by an organization that does have the resources needed to conduct such a risk analysis. From this, an organization may establish one or more sets of security safeguards, also referred to as control baselines, which are intended to address similar threats to common classes of information using similar technologies. This happens to also be the approach used by the federal government for its own information system security certification and authorization process. Organizations can then easily select an appropriate control baseline to help “protect against any reasonably anticipated threats or hazards to the security or integrity of [protected health] information” (45 CFR § 164.306(a)(2)).
For more information on risk analysis and tailoring, refer to the Risk Analysis Guide for HITRUST Organizations and Assessors and the ISSA Journal article entitled, Leveraging a Control-Based Framework to Simplify the Risk Analysis Process.