The Office of the National Coordinator is reminding healthcare organizations to leverage its Security Risk Assessment Tool, in closing out National Cyber Security Awareness Month.
Developed in collaboration with the Department of Health and Human Services and the Office for Civil Rights, the tool was updated in October 2018. The updates included an enhanced user interface, modular workflows, custom assessment logic, progress tracker, threats and vulnerabilities rating, and detailed reports.
ONC also added business associate and asset tracking, an area that many providers have struggled to keep pace with in the current expansive digital health environment.
The free resource is designed to help organizations conduct effective risk assessments, as required by HIPAA. As noted in several recent OCR civil monetary penalties, healthcare organizations are still failing to perform annual risk assessments.
Most recently, Jackson Health paid the agency $2.15 million for multiple HIPAA violations, including failing to conduct an enterprise-wide risk analysis.
ONC officials stressed that security risk assessments are crucial to ensuring an organization has the appropriate safeguards in place and can also reveal areas that may be placing electronic patient health information at risk. With that information, organizations can then take action to close those security gaps.
The SRA tool addresses four key areas. To start, it can help small- and medium-sized organizations identify potential threats and vulnerabilities to ePHI, from potential cyberattacks to vulnerabilities, such as weak login points. The assessment can inform the development of mitigation plans.
Further, the tool provides a way to review all electronic devices that interact with ePHI, by providing the functionality to add detailed documentation of the risk identification and analysis process, such as vulnerability scans or site walk-throughs.
Organizations should ensure they include electronic health record systems and devices that can access EHR data in their risk assessment process, ONC officials explained. EHR developers should also be involved in the process.
ONC also reminded organizations that overall security risks must be routinely assessed, at least annually or as needed, such as when new technology is introduced onto the network.
“You must continue to review, correct, modify, and update security protections to provide for continued protection of ePHI in the face of new and emerging threats and vulnerabilities,” ONC wrote. “The security risk management process is iterative and ongoing.”
What’s more, the tool is designed to help organizations meet HIPAA requirements by revealing potential weaknesses in an organization’s policies, processes, and technology. ONC reminded organizations that HIPAA applies to all ePHI, and the tool is not required. It also doesn’t guarantee HIPAA compliance.
“Assessing risk is an important step in your security management process and helps your organization recognize where safeguards are needed to protect ePHI, including guarding against ransomware and other types of cyber-attacks,” ONC wrote.
During FAIRCON19 in September, FAIR Institute Chairman Jack Jones outlined key elements for building an effective risk assessment program, which include focusing on measuring risk in real terms and performing a cost-benefit analysis. But in the end, organizations should identify the pain points they can solve first.
“Every organization will have a different starting point with contrasting needs, and a different road map,” Jones said at the time. “Look at it as a journey. We have this responsibility, and if we live up to this responsibility, and help our organizations, it’s an opportunity to set ourselves apart and be part of this wave.”