Security Risk Assessment – Balancing Data Protection & Efficient Workflows

A Security Risk Assessment (SRA) is the process of ensuring that the electronic Patient Health Information (ePHI) at your organization and that of your business associates is protected from improper use, improper viewing, and data breaches. This is an ongoing process that must be completed annually at a minimum and should be updated as your organization makes changes to the information systems network and workflows. The SRA process is not difficult, but can be a time consuming endeavor the first time it’s completed. It’s usually performed by contracted third parties or sometimes by the organization itself, but it’s not the responsibility of your EHR vendor.

What to Expect?

The cost and duration of your SRA depends on the size of your organization, how many systems and locations use ePHI, and the number of resources available to conduct the analysis. A medium sized practice with 40 physicians and limited IT resources may take up to a calendar quarter to complete an initial assessment, but the SRA is an ongoing process. The Department of Health and Human Services and the National Institute of Standards and Technology both offer free SRA tools that organizations can use themselves, but these require internal resources and knowledge that many organizations do not have. Third party organizations can often provide a more detailed analysis, experienced resources, and guidance on establishing a working process that can be managed internally on an ongoing basis.

Now that you understand the SRA process and goals, your organization needs to determine your strategic goals, risk aversion, and how this required process can be leveraged to provide your organization with further benefits.  Determining your organizations risk aversion level is critical in deciding how much of the SRA recommendation is implemented and what your goals are for the SRA.  There are three common strategic goals that the SRA can help you achieve: finding the security sweet spot, meeting the Health Insurance Portability and Accountability Act (HIPPA) Security Rule and Meaningful Use (MU) requirements, and avoiding a data breach and audit.

3  Goals a Security Risk Assessment will Help you Achieve

1. Finding the Security Sweet Spot

When we think of increasing security in an electronic healthcare world we think about added frustration for the patient and clinical teams. A proper Security Management Process and SRA seek to optimize the balance between data security and workflow interference in an effort to increase clinical adoption of the EHR and other systems or processes. For example, company policies that require us to log in and log out at set intervals or every time we use a workstation or software is an example of security interfering with the ease of use of the system and workflow of the end user. Allowing end users to never log out is an example of failing to protect sensitive data at the demand of end users. Finding the balance between protecting sensitive data and efficient end user workflows is often a result of modifying policies and settings as part of an ongoing Security Management Process or SRA. This balance is achieved when you have done everything possible to protect your data without interfering with the efficient workflow of end users. It is possible to protect ePHI and not impede your clinical workflows, while increasing the organizational Return on Investment (ROI).

2. Meeting HIPAA Security Rule & Meaningful Use Requirements

Some organizations choose to simply meet the requirements of the HIPAA Security Rule and MU. Financial, human, and intellectual resources that are limited are often the driver behind this decision, but an organization’s risk aversion level also plays a significant role. It’s important to note that business associates are now required to be included in your SRA, as well as encryption for data both at-rest and in-transit. Completing the requirements of the SRA and implementing at least one recommendation prevents your organization from having to give back your hard earned incentive monies, but does not add much value to your organization nor does it mean that your ePHI is secure.

3. Avoiding a Data Breach & Audit

The cost of implementing new and increasingly robust security to protect ePHI can be scary; therefore, many organizations choose to only implement the easiest recommendations identified through the SRA, such as revised password policies. This may meet the HIPAA Security Rule and MU regulations, but it does not ensure that your ePHI is safe. Organizations with a high aversion to risk will incur greater cost due to more in depth analysis and increased implementation spend. The cost involved in properly protecting ePHI is greater than that of conducting a simple SRA, but pales in comparison to the cost of an audit or data breach. The cost of a data breach or MU audit can be overwhelmingly expensive, and 89% of those organizations audited during the pilot audit program were found to have some type of HIPAA violation. The Office of the Inspector General (OIG) and the Office of Civil Rights (OCR) have both increased their budgets to ramp up audits and investigations in 2015. They have also increased the penalty cap for HIPAA violations from $25,000/year to $1,500,000/year per violation. Each patient record that is lost or improperly used is considered a single violation.

 What Now?

You’ve invested a lot of time, money, and resources in meeting the requirements of Meaningful Use, so don’t let the SRA be the reason that you don’t receive or must return your incentive money. Whether you decide to simply meet the minimum requirements or do everything you can to prevent data breaches, you should try to leverage the SRA to increase the ROI. You can make the system easier to use while increasing your security, and your end users are more likely to adopt it in a meaningful way.