How to Play – Commentary on the HIPAA Security Standards: Guidance on Risk Analysis
By Jan D. Gibson, JD, CPCU, ARe, Baudino Law Group, PLC , Des Moines, IA
The Office for Civil Rights (OCR) is responsible for issuing annual guidance to organizations under the HIPAA Security Rule, including, most recently, the administrative, physical and technical safeguarding of electronic protected health information (e-PHI). On May 7, 2010, the OCR released its draft guidance on risk analysis (Guidance) which will be updated following implementation of the final HITECH regulations. If you have played the strategic board game Risk®, then you will appreciate the OCR’s Guidance. If you have not played the game of Risk®, then this article is for you.
Risk® is a game played on a board that divides the Earth into territories captured by players through the rolling of dice. Each player opts whether to roll the dice on each turn. Rather than roll the dice, each player may use his or her turn to simply relocate his or her territories to protect strategic locations. However if the dice is rolled, the higher the die numbers rolled, the higher the players’ chances of capturing the opposing players’ territories. The decision whether to roll the dice is left to each player each time it is his or her turn. Therefore, the “risk” involved is whether to roll the dice, making a risk analysis necessary before the player makes that decision – should the player use his or her turn to relocate its current territorial positions to safeguard the territories he/she has or roll the dice hoping to acquire the other players’ territories.
Similarly, the OCR’s Guidance explains the Security Rule’s requirement that all “players” or organizations complete a risk analysis before taking their turn in safeguarding ePHI. Specifically, Section 164.308(a)(1)(ii)(A) provides
RISK ANALYSIS (Required).
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization]. (Emphasis added)
The OCR’s Guidance expressly does not provide a specific “one-size-fits-all blueprint, but instead provides definitions of risk and questions to consider” which are not detailed in the statute. The purpose of this article is to reduce the OCR’s Guidance and cited sources to the basics involved -- similar to the basic strategic risk assessment involved in a board game -- a “game” that identifies and documents risks peculiar to each “player” or organization so that he or she can safeguard his or her respective “territories.” Using the basic risk analysis involved in a board game, it is hoped that the reader can identify and assess the threats and vulnerabilities involved with the ePHI his or her organization creates, receives, maintains or transmits, and thereby document the organization’s compliance with the Security Management Process Standard in the Security Rule to identify and implement the most effective and appropriate administrative, physical and technical safeguards to secure electronic protected health information.
Step One - Identification
First, it is important to note that, just as there are no single best strategies in Risk®, there are no single “best practices” that guarantee compliance with the Security Rule. Thus the importance of knowing your player or organization cannot be underestimated. Or in game talk, what continents or territories do you have? In the healthcare arena, what ePHI does your organization create, receive, maintain or transmit? Does the organization consist of a single workstation or complex network?
Step Two – Threats and Vulnerabilities
Second, just as a Risk® game player must identify the potential threats to its territories, the organization must identify potential threats and vulnerabilities. In the game, each player must review which borders it shares with opposing players’ territories. With regard to safeguarding ePHI, the threats to an organization could be natural, human or environmental. The Guidance identifies natural threats as “floods, earthquakes, tornadoes, and landslides;” examples of a human threat include both intentional and unintentional attacks on computers; and a power failure would constitute an environmental threat. The vulnerabilities to an organization include both technical and non-technical weaknesses. According to the Guidance, the technical vulnerabilities include incorrectly configured or implemented computer systems whereas a non-technical vulnerability would include the absence of any computer security policies.
Step Three – Security Measures
Last, what security measures are in place? It’s likely that smaller organizations will have fewer security measures, and larger organizations will require more sophisticated security tools. In game talk, the player with the most territory to protect will need to have the greatest buffer regions, giving it additional security.
It is now your organization’s turn. Do you roll the dice or adjust the “player’s territories” to protect the organization? If your organization has not “adjusted its territories” to meet the requirements of the Security Rule, you will have to do so before rolling the dice.To assist the player or “organization” in making this determination, the likelihood of the threats occurring, the potential impact of the threat occurrence and the level of that risk must all be determined. The following example uses a risk matrix to help with this analysis.
Dr. Smith has a solo practice in Smalltown, Iowa, where the crime rate is virtually nonexistent and he still records his notes on paper. His office is located next to a restaurant/grille. The office only uses its only stand-alone computer for emails and billing claims. The doctor’s wife is office manager and she has limited computer knowledge. There are no other employees.
How should the organization adjust itself to ensure the confidentiality, integrity, and availability of ePHI it holds? The following risk matrix till help assess the potential risks and vulnerabilities of this organization’s ePHI.
Hacker (human threat)
Lack of computer policies (Non-technical vulnerability)
Power failure (environmental threat)
Claim errors (technical vulnerability)
Fire (natural threat)
Based upon the facts presented, the most likely and most severe threat to this organization is the natural threat of a fire caused by the neighboring restaurant/grille. Since most records are paper, a fire would severely impact the doctor’s ability to practice , as well as most likely destroy the single source of the office’s electronic records, since he has a stand-alone system. A stand-alone system would make it difficult, if not impossible, to retrieve any ePHI contained on the computer system unless there are back-up records stored off site.
In the other corner of the risk matrix, the least likely and least severe threat to this organization is the human threat of a computer theft. Assuming the doctor’s marriage to the office manager is a happy one, the likelihood of office employees stealing the computer is remote. And since the small town has a very low crime rate, the likelihood of an outsider stealing the office computer is small. The office manager has limited computer knowledge, so claim errors (technical vulnerability) would probably be more likely than any intentional misappropriation or theft of the claim billing system. Continuing computer education or special claims billing training would help reduce the technical vulnerability of the doctor’s office.
Therefore using the risk analysis matrix, the organization can visually document its conclusion that the ePHI in this example is most likely safeguarded administratively and technically. The most obvious threat to this organization is the physical location of the office which should be further protected through “real” firewalls, i.e., extra fire-resistant insulation, especially between the office and the grille. Moreover, the data should be further protected by backing it up daily and storing it off-site. That would implement the most appropriate and effective physical safeguard to secure the ePHI this organization creates, receives, maintains or transmits under the Security Rule.
The game board is spread before you and the others are ready to play, but the players’ territorial borders are changing rapidly as more and more organizations adopt and implement EHR. If your organization has adopted the electronic way of playing the healthcare game, whether it be in the form of electronic prescribing, electronic health records or electronic protected health records, it must document its risk assessment outlined in the Guidance and summarized here. In other words, has your organization already adjusted its territories by performing the required risk assessment and is therefore ready to roll the dice? Or, like many other organizations, do you need to create a risk matrix to find the threats and vulnerabilities facing your organization to protect the electronic data you are playing with? Either way, are you ready?
The ABA Health eSource is distributed automatically to members of the ABA Health Law Section . Please feel free to forward it! Non-members may also sign up to receive the ABA Health eSource.