Conducting Your HIPAA Risk Analysis Top Ten Steps

Transcription

1 Conducting Your HIPAA Risk Analysis Top Ten Steps You will just hear silence on the line until the Webinar begins and the WEDI moderator opens up all phone lines. Lesley Berkeyheiser & Mark Cone, Principals, N-Tegrity Solutions Group, LLC WEDI Privacy & Security Co-Chairs

2 Agenda Webinar Presentation Housekeeping Review Top-10 Steps Q & A

3 1. Prepare Your Project Define Your Scope & Identify Your Team Know Organizational Status Determine Type of Data In Scope Set Expectations for Your Team As with any significant project it is important to define your scope, deliverables, period of time and accountable resources.

4 2. Identify Data & Location Choose a method to record your findings Gather Tools Think About All Places Data Resides Building Blocks Choose documentation tools that support the uniqueness of your organization. If Users are good with Excel then use Excel

5 3. Conduct PHI Flow Scale the PHI Flow to Your Specific Organization Spreadsheets; Checklists Visual Representation Benefit of Exercise The process of completing a PHI Flow serves to enlighten workforce about global data handling and facilitates an appreciation for how the data moves through your organization.

6 4. Drill Down on PHI Follow the requirements of the Regulation Determine When Your Organization Creates, Receives, Maintains, and Transmits PHI Safe Harbor? Be Prepared to Report a Breach If Necessary This process emphasizes the importance of knowing HIPAA/HITECH Privacy/Breach/Security and sets the organization up to analyze in support of these regulations.

7 5. Measure Against the Rule Follow the requirements of the Regulation Compare the way you handle PHI against the requirements of the HIPAA Security Rule Compare each Implementation Specification List Current Safeguards & Gaps Standard IT types of Risk Assessments are core components to the overall Risk Analysis but don t forget the reason this is being conducted is to satisfy the Regulation.

8 6. Assess Threats / Vulnerabilities Threat Categories Human, Natural or Environmental How Likely? How Bad? Prioritize Consider Types of Threats Conduct an accurate assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of ephi. - Excerpt HIPAA Security Rule.

9 7. Conduct External Pen Testing Allow the IT Experts to Attempt to Break In Who Needs to Do This? How Often? What to Do With the Results? How easy it is for the outside world to get into your system and access PHI?

10 8. Put It All Together Figure Out What Needs To Be Done DO IT! Prioritize Apply the Reasonableness Test Assign Resources; Categories; Order and Time Frames for closure DO THE WORK Once all the hard work is done, don t forget to implement controls to conduct this on an ongoing basis. Learn from previous Risk Analysis reviews.

11 9. Communicate by Training Train using your custom policies and procedures Train Early Reinforce Retrain Remember People Learn Differently Train early; train often; TRAIN TRAIN TRAIN

12 10. Maintain Compliance The Risk Analysis Provides the Measuring Stick; But Once Attained- It Must Be Maintained Monitor Technology Monitor Workforce Behavior Policies and Procedures Annual Review??? Monitor, remember and learn from the OCR Corrective Action Plans

13 Review Ten Steps 1. Prepare Your Project 2. Identify Your Data and its Location 3. Conduct PHI Flow 4. Drill Down on PHI 5. Compare Data Handling Safeguards to the Rule 6. Assess Threats & Vulnerabilities 7. Conduct External Penetration Testing 8. Assemble Findings & Close the Gaps 9. Train, Train, Train 10. Monitor / Maintain Compliance

14 Questions? Thank you for your attention! Lesley Berkeyheiser WEDI Privacy & Security Co-Chair Mark Cone WEDI Privacy & Security Co-Chair