Nefarious characters see healthcare organizations as high-value yet relatively easy targets, a combination often described as "target rich, cyber poor." Because healthcare organizations hold personally identifiable information, financial information, health records, and countless medical devices, they are essentially a one-stop shop for a bad actor.
There has been a significant rise in the number and severity of cyber-attacks against hospitals and medical practices in the last few years. These attacks expose vulnerabilities and endanger patient safety. The more they happen, the more expensive and dangerous they become.
Although the Security Rule does not specify how often a risk analysis must be conducted, it is recommended that you review your systems at least once a year. Keep in mind that if you introduce new equipment or software, or suffer a security incident, you may need to evaluate your risks more often. This is a gentle reminder to start this process as soon as you can. We need the opportunity to review and add our recommendations and notes to your Risk Management Plan.
The OCR conducted a webinar regarding Risk Analysis Requirements and discussed the areas in which organizations are commonly deficient. I understand most of you would prefer a shorter analysis. After listening to what the OCR had to say, I am proud we have covered the areas of concern (plus the less common issues). However, it is up to you to make sure you complete the 7-Steps in the HIPAA Keeper and implement what is needed!
The OCR mentioned the following:
1. The lack of a system-wide, accurate, and thorough analysis. (Step 1 Questionnaire)
2. Performing only the MIPS risk analysis does not encompass the system-wide requirements.
3. A PCI DSS assessment is more than likely not a complete risk assessment, since it does not include ePHI.
4. Instead of a system-wide, accurate, and thorough risk assessment, a summary or heat map is provided without the backup documentation.
5. Lack of an inventory list to track which devices access, transmit, or store ePHI. (Located in your Profile)
6. No method to track operating systems that become out of date. (Documented in the inventory list)
7. Lack of mitigation documentation after the risk analysis was completed. (Step 1 Risk Management Plan)
8. Lack of sanctions against staff who violate HIPAA. (Step 3 Policies and Procedures)
9. Lack of security software and equipment updates. (Documented in reports from your IT company and stored in your Profile under Uploads)
Keep up the good work and keep your patient data safe. Let us know if you need any guidance. As always, we are here to help!
Wednesday, November 1, 2023