HHS Seeking Feedback on Improving Security Risk Analysis Tool
Governance and risk management, Health, HIPAA / HITECH
Critics say the tool is too difficult to use
Marianne Kolbasuk McGee (InfoSantéSec) • July 23, 2021
The Department of Health and Human Services is seeking feedback on how it can improve its security risk assessment tool, which is designed to help small organizations complete the assessments required by HIPAA. Some reviewers have said that the tool is too difficult to use.
The HHS Office for Civil Rights, which enforces HIPAA, and the Office of the National Coordinator for Health Information Technology, which coordinates national efforts to implement and use advanced health information technology and electronic health information exchange, are jointly soliciting user feedback.
HHS is soliciting comments by July 31 through an online survey.
Major struggle for many
Security risk assessments have long been a struggle for many covered entities and business associates.
Numerous OCR breach investigations and compliance reviews have found that organizations had never performed a thorough risk assessment (see: Why Clinical Lab’s HIPAA Policy Matters).
A report published in December 2020 on the findings of an HHS OCR HIPAA compliance audit also highlighted the frequent lack of security risk analysis (see: Finally, the results of the HIPAA compliance audit program revealed).
HHS OCR’s guidance on risk analysis under the HIPAA Security Rule “outlines nine very specific elements that are needed for a risk analysis to meet the standard,” notes Steve Cagle, CEO of privacy and security consultancy Clearwater.
“This includes identifying and documenting all reasonably anticipated threats and vulnerabilities associated with all information systems – and their components – that create, receive, transmit or maintain electronic protected health information, and documenting the controls in place to mitigate those risks,” he says.
“In today’s complex security and technology environment, performing a risk analysis requires in-depth knowledge of all security vulnerabilities, threats and controls, as well as experience in determining risks,” he says. The risk analysis should be updated as the environment changes, he adds.
“Most organizations, and especially small and medium-sized businesses, do not have the resources and expertise to perform a comprehensive risk analysis in line with OCR guidelines,” says Cagle. “Some organizations just choose not to invest to do it the right way. Some don’t do it for all systems or don’t do it on an ongoing basis. Others just don’t understand – or want to take the time to understand – what a risk analysis is and what the best practices are.”
Kate Borten, president of privacy and security consultancy The Marblehead Group, offers a similar assessment.
“Simply performing a security risk assessment continues to be a challenge for most small and some mid-sized businesses, both covered entities and business associates,” she notes. “First, these organizations probably don’t have in-house information security expertise. Therefore, they do not know the language. For example, security professionals know that vulnerabilities and threats go hand in hand with risk, and we know what threats and vulnerabilities are and how to identify them in the environment,” she says.
Likewise, security professionals read security risk assessment questions and understand the intent behind them. Typically, a question reveals a possible vulnerability in an organization’s security program. Another challenge is to ensure that the scope of the risk assessment is broad enough. Too often, organizations look only at their technology and neglect essential processes.
Less is more
HHS updated the Security Risk Assessment Tool at the end of 2019, adding asset and vendor risk management features, and again in late 2020, improving the tool’s navigation.
But some security experts say the current version of the tool is still complicated and time-consuming to use, especially for small healthcare provider organizations.
The current version of the tool is “better than before, but far too difficult to use for a small provider organization like a doctor’s office,” says Tom Walsh, president of privacy and security consultancy tw-Security.
“Most small doctor’s offices would only go a third of the way before they throw in the towel and give up.”
Following all of the required steps in the tool takes too long, Walsh says. “There are many questions that assess HIPAA compliance. If an organization’s only risk was an OCR audit for HIPAA compliance, then the SRA tool would be suitable,” he says.
“Less is more. The tool should focus on the critical few versus the insignificant many. The emphasis is on written policies, as if a written policy somehow thwarts a hacker. The emphasis – or the weighted value for risk scoring – should be more on engineering controls.”
A struggle for all
While the tool is aimed at small organizations, Walsh notes that healthcare entities of all sizes often struggle with their security risk analyses.
“Large organizations have a significant number of applications and systems – each configured differently with regard to access controls, authentication, account lockout after failed login attempts, time settings for automatic logoff after a period of inactivity, etc.,” he notes.
“There is no ‘one size fits all’ approach to assessing security controls on a variety of systems. Risk assessments require dedicated resources to get it right the first time.”