HIPAA Risk Analysis Tip – Part 3 - Questions & Answers from May 3rd Conversation with Former OCR Director Leon Rodriguez
We received almost 100 questions in our May 3rd web event entitled "WHAT OCR EXPECTS IN YOUR HIPAA RISK ANALYSIS: A Conversation with Former OCR Director, Leon Rodriguez". We are breaking up the questions and providing the answers in this blog post series "HIPAA Risk Analysis Tips". Enjoy Part 3 as we work our way through them all!
- Is the risk register essentially the items that are identified as action items on your risk management plan?
Answer: The risk register, a.k.a. risk rating report, precedes development of the risk management plan. That is, the risk register marks the completion of the Assess step in the overall four-step process (Frame, Assess, Respond and Monitor) called for in NIST SP 800-39, Managing Information Security Risk. It is an enumeration of all the asset-threat-vulnerability combinations, with each rated in terms of the likelihood of the “bad thing” happening and the impact were the “bad thing” actually to happen. Likelihood and impact are then combined to determine an overall risk rating. We treat the Respond step (a.k.a. the risk management step) separately and ultimately produce a risk action plan. One of our Clearwater colleagues recently completed a live web event on this subject: How to Conduct a NIST-based Risk Response to Comply with HIPAA & Other Regulations.
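The enumeration and rating this answer describes, as an added example that is not part of the original post or of Clearwater's software: it builds a register from constructed asset, threat and vulnerability lists, rates each applicable combination by likelihood and impact, and orders the result by overall risk. The risk matrix is an assumption modeled on the qualitative level-of-risk table in NIST SP 800-30 r1, Appendix I; the sample inventory and ratings are constructed.

```python
from collections import namedtuple
from itertools import product

# Qualitative scale shared by likelihood, impact and the resulting risk rating.
LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Risk level for each (likelihood, impact) pair; columns follow LEVELS order of impact.
# Assumption: modeled on NIST SP 800-30 r1 Appendix I; tailor it during the Frame step.
RISK_MATRIX = {
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}

# One row of the risk register: an asset-threat-vulnerability combination plus its ratings.
RiskEntry = namedtuple("RiskEntry", "asset threat vulnerability likelihood impact risk")

def rate_risk(likelihood, impact):
    """Combine a likelihood and an impact rating into an overall risk level."""
    if likelihood not in RISK_MATRIX or impact not in LEVELS:
        raise ValueError(f"unknown rating: {likelihood!r}/{impact!r}")
    return RISK_MATRIX[likelihood][LEVELS.index(impact)]

def build_register(assets, threats, vulnerabilities, rate):
    """Enumerate every asset-threat-vulnerability combination and rate each one.
    rate(asset, threat, vuln) returns (likelihood, impact), or None when the
    combination does not apply, in which case it is left out of the register."""
    register = []
    for asset, threat, vuln in product(assets, threats, vulnerabilities):
        rating = rate(asset, threat, vuln)
        if rating is not None:
            register.append(RiskEntry(asset, threat, vuln, *rating, rate_risk(*rating)))
    # Highest-rated risks first: this ordering is what the Respond step works from.
    return sorted(register, key=lambda e: LEVELS.index(e.risk), reverse=True)

# Constructed sample inventory and ratings (not taken from the post).
SAMPLE_RATINGS = {
    ("Clinician laptop", "Device theft", "No full-disk encryption"): ("High", "High"),
    ("Clinician laptop", "Ransomware", "Unpatched OS"): ("Moderate", "Moderate"),
    ("EHR database server", "Ransomware", "Unpatched OS"): ("Moderate", "Very High"),
    ("EHR database server", "Device theft", "No full-disk encryption"): ("Very Low", "Very High"),
}
SAMPLE_REGISTER = build_register(
    ["Clinician laptop", "EHR database server"], ["Device theft", "Ransomware"],
    ["No full-disk encryption", "Unpatched OS"],
    lambda a, t, v: SAMPLE_RATINGS.get((a, t, v)))
```

Combinations the rating function does not recognise are skipped, so the register holds only applicable rows, four of the eight possible here.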
- I can't get clear guidance (or a template) that encompasses an "acceptable" risk assessment and am wondering if you are able to provide clear questions I should be addressing and a format that is effective in the eyes of the government?
Answer: The best source for the documentation that OCR is looking for in a risk assessment is the “Final Guidance on Risk Analysis Requirements under HIPAA Security Rule” together with NIST SP 800-30 Revision 1, Guide for Conducting Risk Assessments.
- If you provide the Risk Analysis and the Risk Assessment Plan to the OCR will it remain confidential and not be made available as public information?
Answer: It will typically remain confidential but may be discoverable in the event of a lawsuit. We’ve never seen such documents in the public domain. We are aware that the National Freedom of Information Coalition has published information that it obtained under FOIA (Freedom of Information Act), namely settlement agreements and the related investigations, but it may not have included exact copies of documents that were submitted to OCR. ProPublica’s HIPAA Helper has obtained breach and complaint details, also through FOIA, but does not publish submitted documents. We have seen documents marked with a confidentiality disclaimer, but we don’t know whether it can be enforced.
- Is there an industry standard list, or specific list, of threats and vulnerabilities that you recommend?
Answer: NIST SP 800-30 Revision 1, Guide for Conducting Risk Assessments, contains a Taxonomy of Threat Sources (Table D-2), Representative Examples of Adversarial Threat Events (Table E-2) and Representative Examples of Non-Adversarial Threat Events (Table E-3). Similarly, in Appendix F one can review vulnerabilities and predisposing conditions. NIST has also developed a Guide to Cyber Threat Information Sharing (SP 800-150), which provides guidelines for establishing and participating in cyber threat information sharing relationships. Regarding vulnerabilities: NIST’s Computer Security Resource Center hosts the National Vulnerability Database, which includes a vulnerability search engine and, through the National Checklist Program (NCP), metadata and links to configuration checklists in various formats, including ones that conform to the Security Content Automation Protocol (SCAP). SCAP enables validated security products to automatically perform configuration checking using NCP checklists.
- Under scope and asset inventory, I believe that your inventory should include network devices (as ePHI can pass through these devices), however I'm not seeing these on your slides. How are network devices handled? (To expand on my question, network devices include items such as routers, switches, firewalls, load balancers, etc....)
Answer: That’s a great point and great question. Yes, to the extent these devices “create, receive, maintain or transmit” ePHI in more than a very temporary and transient manner, they should be included as media types or collections of media that should be risk-analyzed. We often encounter a scenario where a device such as an intrusion detection system / intrusion prevention system (IDS/IPS) is simultaneously a control and an information asset that must be risk-analyzed. Another example would be a spam / malware filtering device at the edge of your network.
- Must cellphones that have access to ePHI stored on servers be included in the Security RA inventory?
Answer: Yes. All “media” that creates, receives, transmits or maintains ePHI (the asset) must be included. The United States Computer Emergency Readiness Team (US-CERT) has issued an article, Cyber Threats to Mobile Phones, which describes typical attacks, the impact of an attack and steps to protect mobile phones. By the way, in a resolution agreement related to conducting a risk analysis, the documentation requested by OCR included “a complete inventory of all electronic equipment including portable media devices…”
- For an OCR Desk Audit, what all needs to be sent to show that the Risk Analysis was completed? Bob showed a lot of screenshots that go over the process you went through; how do you package ALL of that to send to OCR for review?
Answer: We typically include specific screenshots / documents / examples precisely along the lines of the nine (9) essential elements documented in the “Final Guidance on Risk Analysis Requirements under HIPAA Security Rule” and in the process outlined in NIST SP 800-30 Revision 1, Guide for Conducting Risk Assessments. And, of course, the quintessential output of the risk analysis, the risk register or risk rating report, must be included.
- If covered entities or business associates have NOT conducted a formal risk analysis, should they proactively report that to the OCR and conduct one asap?
Answer: No, such disclosures are not required under HIPAA. We would recommend conducting a formal risk analysis immediately. A CE or BA will likely still be cited for not having conducted multiple risk analyses over previous years, but will receive credit for having completed one recently.
- Please send the link to the webinar or let me know when available.
Answer: Please feel free to share with colleagues and friends: http://bit.ly/ClearwaterRodriguezOnDemand
- What was that Draft Executive Order about the NIST Cybersecurity Framework that you mentioned?
Answer: The Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure was issued on May 11, 2017, subsequent to our May 3rd live web event. It requires the heads of all executive branch departments of the federal government to be accountable for cybersecurity and to implement the NIST CSF. Many experts agree that this federal NIST CSF requirement will trickle down (e.g., to government contractors) and out (e.g., to healthcare organizations reimbursed by HHS) into commercial organizations. The order calls for the heads of appropriate sector-specific agencies (think: HHS) to use their “authorities and capabilities to support the cybersecurity risk management efforts of the owners and operators of the Nation's critical infrastructure.”
Stay tuned for Part 3 of the Questions and Answers from the May 3rd web event entitled "WHAT OCR EXPECTS IN YOUR HIPAA RISK ANALYSIS: A Conversation with Former OCR Director, Leon Rodriguez"
- Download the OCR-issued "Guidance on Risk Analysis Requirements under the HIPAA Security Rule".
- Learn the definition of an information asset.
- View a recorded demo of our award-winning software for conducting OCR-quality risk analysis and risk management work products.
- Learn how Clearwater may complete a Confidential, Complimentary Review of your current risk analysis, under the direction of outside counsel, and advise you of important actions to take to conduct an OCR-Quality HIPAA Risk Analysis.
- Read the OCR Resolution Agreements / Corrective Action Plans, especially the 39 involving ePHI where 35 organizations had adverse findings for incomplete and/or inaccurate HIPAA Risk Analysis and HIPAA Risk Management work.