Best Practices For Security Risk Analysis

Key Takeaway:

Security risk analysis leaves plenty of room for confusion about both what it means and how it is carried out. Dispelling the popular security risk analysis myths is the way forward, and the Office of the National Coordinator for Health IT has sought to help professionals do so.

Many misunderstandings and misconceptions surround HIPAA’s security risk analysis, largely because the regulations are complex. Consider one example: a security risk analysis is required under the Security Rule and also under both Stage 1 and Stage 2 of the EHR meaningful use incentive program, in which hospitals and healthcare professionals have to demonstrate satisfactory and meaningful use of electronic health records. That overlap gives professionals and practitioners enormous scope to cultivate security risk analysis myths.


Because descriptions of some of the requirements can cause confusion and misunderstanding, the Office of the National Coordinator for Health IT (ONIT) has issued a list of the most popular security risk analysis myths.

Myth 1: The security risk analysis is optional for small providers

It is not. The Security Rule requires every HIPAA-covered entity to perform one, and every provider seeking electronic health record incentive payments must perform one as well.

Myth 2: Fulfilling the security risk analysis meaningful use requirement is all about installing a certified EHR

No. The information stored in the EHR is only one part of what a security risk analysis under the meaningful use requirement must cover. Simply installing a certified EHR does not fulfil it.

Myth 3: There is no need to worry about privacy and security, since everything has been entrusted to the EHR vendor

That is not so. Responsibility for meeting all privacy and security requirements rests with providers, not with EHR vendors.


Myth 4: Security risk analysis needs to be outsourced

Not necessarily. A healthcare organization may enlist an external consultant or other professional to carry out the security risk analysis, but it does not have to outsource it.

Myth 5: A checklist is enough for fulfilling security risk analysis

It is not. Checklists have their uses, but performing a security risk analysis, or documenting one that has already been performed, requires much more than a checklist.

Myth 6: A specific risk analysis method must be followed

No. There are multiple ways by which a proper and thorough security risk analysis can be performed.

Myth 7: The EHR is all that is required for a security risk analysis

One of the many security risk analysis myths is that reviewing the EHR system alone makes a risk analysis complete. It does not. The EHR system is only one component; a security risk analysis is complete only when every electronic device used to store, capture or modify ePHI has been reviewed.

Myth 8: A risk analysis needs to be done only once

No way. To stay compliant with HIPAA guidelines, a healthcare organization must carry out its security risk analysis on a continuing basis.

Myth 9: Mitigating all risks is necessary before attesting for an EHR incentive program

It is not. The EHR incentive program’s risk management requirements call for identifying and correcting deficiencies as the risk analysis is carried out during the reporting period, not for mitigating every risk before attesting.

Myth 10: Redoing risk analysis from scratch every year is necessary

This is one of the most persistent security risk analysis myths. A security risk analysis does not have to be redone completely every year; it is enough for organizations to update it for changes to the organization or its electronic systems as they occur, in each EHR reporting period.



Is Your Medical Website HIPAA Compliant?

Every physician and medical administrator that we know is intimately—often, intensely—aware of HIPAA’s privacy and security rules. There isn’t a policy, procedure or process that isn’t carefully scrutinized for HIPAA compliance.

This isn’t legal advice, but healthcare professionals know that protected health information (PHI) and electronic protected health information (ePHI) need to be on the safe side of the Health Insurance Portability and Accountability Act and the Department of Health and Human Services.

But physicians and medical administrators also realize that, in an Internet-driven world, confidentiality, privacy, and data security are vastly larger, more dangerous and more complex issues. What’s more, hospital data and medical records are attractive targets for cyber theft and ransomware attacks.

If regulations, compliance and digital security issues aren’t compelling enough to keep you awake at night, consider this: What if your website and digital presence are not HIPAA compliant? Many ordinary, and innocent appearing, healthcare websites are not secure, or inadvertently fail to safeguard all “individually identifiable health information.”


Being HIPAA compliant is vital to every medical website

Check with your own legal advisor, but here are some of the ways that medical websites, and HIPAA compliance, can be at risk:

Are files, storage, and transmissions secure? Data that is “in the open” (without encryption or SSL/Secure Socket Layer) is at risk. An important compliance checkpoint is having all sensitive material encrypted and secure, particularly when transmitted over the Internet.

Some forms can put you at risk. Generally, when a patient or prospective patient completes an online form—even elementary info such as name, phone number, email—it may be advisable to provide the data with the same level of protection as ePHI. More specifically, “individually identifiable” and “protected health information” is likely to meet the definition of electronic protected health information.

Social media can be a danger zone. Social media is a useful tool to talk about many things under the broad medical umbrella. That said, anything that is specific to an individual patient or identifiable info—even photographs—can violate personal privacy.


Use caution responding to online comments and review sites. It can be tempting to use specific, “he-said-she-said” replies to Internet-posted comments—especially negative mentions. It’s OK to be responsive, but a provider’s reply must avoid reference to a specific, identifiable or individual patient. Even acknowledging that someone is a patient would be inappropriate.

Your favorite iPhone or Blackberry is a target for theft. Mobile devices—a favorite among doctors—are compact and easily “snatch-able,” and that opens the door to cyber theft of stored or accessible information. What’s more, mobile devices themselves that are used to exchange doctor-patient communications may not be secure or HIPAA compliant.


There’s no question that compliance is vitally important for hospitals, group practices, and healthcare providers. In addition, medical websites are an important connection between the professional and the public. HIPAA’s privacy and security rules are a critical consideration. Check with your legal advisor and avoid compliance issues online.


How To Learn HIPAA’s Contingency Planning guidelines

Key Takeaway:

HIPAA has guidelines for meeting what should perhaps be the most important business requirement for healthcare organizations: contingency planning. These are aimed at helping healthcare organizations meet the core HIPAA requirement of ensuring the integrity, security and privacy of Protected Healthcare Information (PHI).

HIPAA has a few important requirements and guidelines for contingency planning. These HIPAA contingency planning guidelines are a valuable guide to the healthcare industry. While formulating these requirements, HIPAA has based its thinking on the core aspects of risk management that most organizations in any sector would apply.


First, an understanding of contingency planning

Contingency planning is a crucial element of risk assessment. Contingency planning, as the term denotes, is the act of preparing the organization for emergencies, which can be of any kind. In management circles, contingency planning is often referred to as “Plan B”.

When organizations develop a contingency plan, they have to take several important factors into consideration. The most important points they need to keep in mind are:

  • What could likely happen?
  • How do we plan to tackle these emergencies?
  • How do we prevent these?


Applying the principles of risk management to HIPAA contingency planning guidelines

HIPAA contingency planning guidelines tailor these parameters to the healthcare industry. This is done keeping in mind its core intention of ensuring security and integrity of protected health information (PHI) and electronic protected health information (ePHI).

HIPAA’s contingency planning guidelines were the first standards of their kind relating to PHI; none existed before them. They require an organization’s electronic health information security to be defined, documented and demonstrable, with clear reasoning and objectivity. This is the bedrock of HIPAA contingency planning.

HIPAA’s contingency planning guidelines consist of six fundamental components, which healthcare organizations are required to implement in the following sequence:

  • Business impact analysis and risk assessment
  • A plan for disaster recovery
  • Implementing the disaster recovery plan
  • Testing of the disaster recovery plan
  • Execution of the disaster recovery plan

These constitute Parts 1 to 5 of the Contingency Planning Process; Part 6 sets out more elaborate standards for meeting the HIPAA contingency planning guidelines.



Passing a HIPAA audit is a daunting task, and for a hosting solution to be compliant and pass the audit, several basic fundamentals need to be covered. Avoiding heavy fines and obtaining federal incentives were the major drivers for the healthcare industry’s adoption of electronic medical record systems under the guidelines of the Health Information Technology for Economic and Clinical Health (HITECH) Act.

For each of the Administrative, Physical and Technical safeguards there are rules or standards that every covered entity needs to comply with. A HIPAA audit means that a certified, independent auditor examines the processes, policies, hosting solutions and facilities. To pass a HIPAA audit, follow these tips:



1] Document data management: document the data management, security, training and notification plans. This gives clear visibility into what data has been collected and helps keep it from leaking to outsiders.

2] Password policy for access: any stored information should sit behind password-controlled access. All information collected from clients is confidential, and only authorized personnel holding the credentials should be able to see it.

3] Encrypted information: all protected health information (PHI) should be stored in encrypted form so that confidentiality is maintained. This covers all information, whether in a database or on a server, and especially information transmitted to third parties or other business associates. Knowledge of the encryption technique and mechanism used for sensitive information should be restricted to a few people, as a further step towards safeguarding it. Any information that could identify a patient, such as images or scans, should be encrypted so that the patient cannot be identified.

4] Avoid FTP: transferring information over an unprotected channel such as FTP should be avoided. Information should be transmitted over a protected, private channel to maintain the security of protected health information.


5] Login retry protection: your application should limit repeated login attempts.

6] Save time and resources by hosting with a company that has a Business Associate Agreement (BAA) in place: with the documentation already in place, the auditor can audit against your documents rather than conducting a fresh audit, which saves a great deal of time and resources.

7] Mode of access: any web-based access to sensitive data should go over SSL. This helps in complying with the HIPAA standards.

8] Remote access: remote access should go through a VPN.

9] Prepare a disaster recovery plan: a disaster is a dreadful situation, but there should be a properly documented plan for recovering from one. As a healthcare organization dealing with protected health information, you are liable for maintaining its secrecy. Your IT department will help with the technology used to store and transmit patient information, but you alone are accountable for successful compliance with HIPAA standards.


Ten Digital Trends For Healthcare In 2018

Healthcare Gets Moving


1. Mobile Healthcare and Telehealth on the Rise

With a majority of consumers connected throughout the day (and night) on a mobile device like their phone or tablet, it’s not surprising that people want efficient healthcare they can access via these devices. Whether looking for a doctor on-demand, talking with a physician via an app instead of going into an urgent care, or being able to check benefits coverage on a healthcare payer app… mobility and telehealth are what patients and members want. To respond to this demand, mobile digital access will be an increasingly high priority for healthcare organizations in 2018.

2. Provider Network Directories Go Real-time

Speaking of benefits coverage being available on a member mobile device, it’s not only important that it’s there, but that it’s always accurate. One of the critical objectives every healthcare payer will focus on, if they haven’t already, is having an up-to-date directory of in-network providers in 2018. Before a recent procedure, I tried to ensure that the anesthesiologist my physician would be using would indeed be in my network. With an always up-to-date directory of which hospitals and clinicians are in-network, my process could have been much simpler, and would have resulted in my looking upon both my doctor, and my insurance company, in a much more favorable light.

Actionable Data Drives Performance

3. Data Quality Remains a Medical Necessity

Just as members need real-time, accurate data, clinicians need the same for their patients so that providers can give the highest quality of care and avoid potential mistakes. This may not be a new trend for 2018, but it is one that remains a top priority. Healthcare systems need to eliminate batch processing and have the most current electronic medical records (EMRs) always available for patient care.


4. Wearable Devices Help Take Control

More and more, people are taking control of their own healthcare with wearable fitness trackers, such as FitBits and Apple Watches. These devices prove to be great incentives for tracking activity, water intake, even sleep habits. In fact, hospitals are beginning to use Fitbit devices to help motivate patients to get out of bed after surgery and go home sooner after knee replacements, hip replacements, and other surgeries. I know I love my FitBit buzzing at me to get moving when I haven’t taken a step in over 60 minutes. Much like the discounted gym memberships that many healthcare payers have provided for years, wearable devices will be capitalized on for members to take control of their own health, and thus cut down on premium costs. Not to mention, physicians can then use this data to help patients put together a healthcare plan that can prevent future issues and ensure healthy behaviors.

5. Maintaining Security for Device Management

With healthcare systems supporting an ever wider range of devices, whether it be desktop computers, tablets, laptops, or mobile phones, organizations will focus on keeping all these devices on the same page. This means, making sure system-wide security updates maintain device availability, especially since hospitals need access to data 24 hours a day. On that same note, however, it also means keeping these devices secure from potential security risks should they be misplaced and fall into the wrong hands, or ensuring users are only handling data on a secured wireless network.

Customer Satisfaction Remains a Top Priority

6. Employee Satisfaction Supports Customer Satisfaction

If you want to be a top-performing healthcare business, you have to recruit and retain the best employees. Employee satisfaction goes hand in hand with having systems that make serving patients and working collaboratively with all employees easier. Whether it’s having the latest patient EMRs available, or giving the janitorial staff a clear view of which rooms need cleaning and when, so that they do not repeat their work and can be efficient, employee satisfaction through digital transformation matters.

7. Patient and Member Satisfaction Require Customer-Centricity

As in any line of business, when healthcare customers are happy, everyone benefits; this will push organizations toward customer-centric views. A single, easy-to-use interface that keeps payers and providers on the same page about their customers’ care undoubtedly results in happier patients and members who need less intervention and are able to live happy, healthy lives.

8. Price Transparency Depends on Digital

One of the key ways for healthcare organizations to provide satisfaction to consumers is to provide price transparency, both before and after care. A few years ago, I tried to find out the cost of a routine surgery I needed at various healthcare providers in the area, and could not receive a clear answer. Even after the fact, I found the billing on my claim for the procedure to be confusing. For their part, healthcare organizations are coming to the realization that transparency in the age of choice is critical and to deliver this will require investment in digital improvements.

Heightened Focus on Serving the Care Continuum

9. Engaging Baby Boomers

With the aging of the Baby Boomer generation, organizations are having to re-engineer how they deliver healthcare to their older patients and members. Each day until the year 2030, roughly 10,000 Baby Boomers will turn 65. With more people living longer, how organizations approach geriatric healthcare needs to be re-examined. A low-code platform approach to integration is becoming an ideal way to track the additional resources and costs that come with an increasingly aging population.

10. Continuous Care Management

It’s important that a patient’s journey for optimal care continues well after they walk out of their physician’s office or check out of the hospital. With connected enterprise systems, healthcare organizations are able to close the loop for patient satisfaction and lower costs that come with unnecessary follow-ups. This requires that healthcare organizations fine-tune their focus in the coming year on having all systems be inter-connected, whether it’s home healthcare, post emergency care, or acute care.

HIPAA Compliance Checklist and Employee Sanctions

A HIPAA compliance checklist is the tool to turn to when imposing sanctions on employees for HIPAA privacy breaches.  It may feel like a never-ending and thankless task, but consider the alternatives.  It can be tempting to adopt a “no harm, no foul” approach to employee sanctions.  But this is not the way the Office for Civil Rights, the government agency that investigates HIPAA breaches, looks at things.  To that end, your HIPAA Compliance Checklist must also address employee sanctions.

HIPAA is all about protecting PHI

There are numerous examples of the OCR imposing penalties on organizations for not protecting PHI.  And these penalties are imposed even though there was no evidence of anyone receiving or accessing any PHI in cases where a breach occurred.

  • The OCR considers encryption of ePHI by malicious software (e.g., ransomware) to be an unauthorized disclosure not permitted under the Privacy Rule.  Even in a ransomware attack, an organization could reasonably conclude there is a low probability that the PHI has been compromised.  But if it cannot reach that conclusion,  it is required to comply with the applicable breach notification provisions.  And this is the case even if there is no evidence that the PHI was viewed by anyone else.
  • An employee of Cancer Care Group of Indianapolis left unencrypted back-up media in a bag in a car; the car was broken into and the bag stolen.  There was no evidence that any information was ever disseminated, but the OCR imposed a penalty of $750,000 on the group.
  • In 2014, the OCR imposed a fine of $400,000 on Idaho State University for a breach of unsecured ePHI.  This was because the school had left its firewalls disabled for over 10 months!   Again, there was no indication PHI was accessed by any unauthorized persons; it was simply not protecting its PHI.

These are just a few examples of settlements, some involving employees failing to follow procedures, or where there were no procedures at all.  In these cases, penalties were imposed even though no information was shown to have been accessed by unauthorized parties.


HIPAA compliance requirements do not explicitly link employee sanctions to reportable HIPAA breaches

It is certainly possible to have an unauthorized disclosure that is not a reportable breach.  A breach is defined as the acquisition, access, use or disclosure of protected health information in a manner not permitted under the regulations which compromises the security or privacy of the protected health information.

These days, employees are often the source of breaches.  Incidents ranging from lost laptops to PHI included in social media posts occur almost daily.  It is very important to include a policy on employee sanctions in your HIPAA Compliance Checklist.  An employee sanctions policy can and should take into account the potential harm from the unauthorized disclosure.  But a “no harm, no foul” approach may leave the organization open to penalties by the OCR.


A HIPAA compliance checklist for employee sanctions policies should address several issues

  1. The policy should reference Section 164.530 of the Administrative Requirements, which requires covered entities to have and apply appropriate sanctions against members of their workforce.
  2. Section 6102(b)(4)(F) of the Affordable Care Act also requires that the standards be consistently enforced through disciplinary mechanisms.
  3. Most policies utilize a Level system, tying the action of the employee and the effect on unauthorized disclosure of PHI to the sanction recommended.  Levels could start from situations where an employee did not follow procedures, but there was no unauthorized disclosure of PHI.  Levels usually top out at situations where the actions were malicious and willful, causing harm or intending to cause harm to the patient.
  4. Mitigating factors may be enumerated, and repeated patterns of violation may result in a higher level of discipline.


Employee Sanctions should be standardized

Organizations usually strive to administer most disciplinary policies in a consistent, standardized way.  Employee sanctions for HIPAA violations are no different.  Inconsistent application can carry consequences ranging from confusing messages to erosion of public trust to vulnerability to penalties and fines.

One way to increase standardization of disciplinary actions is to develop a grid, matching the riskiness of the actions to the level of sanction.

The HIPAA regulations explicitly require organizations to have and apply appropriate sanctions against workforce members who fail to comply with the privacy policies and procedures of the organization.  While sanctions can be related to the incident and the potential harm, they also need to demonstrate that the organization is taking seriously its responsibility to protect the privacy of patient information – even when there is no evidence of unauthorized disclosure or when the breach is not reportable.

Regardless of the method you choose to develop employee sanctions, make sure your HIPAA compliance checklist addresses appropriate sanctions, and implement your policies consistently!  Healthcare compliance requirements must be truly effective.

How do Spectre and Meltdown Impact Healthcare IT Privacy?

Spectre and Meltdown are critical security vulnerabilities caused by mistakes in the way processor hardware is designed. Spectre and Meltdown exploit the same underlying vulnerability in chip design, taking advantage of a technique called speculative execution to gain access to data that would otherwise be private.

The technical details of Spectre and Meltdown have been discussed in-depth elsewhere, so in this article, I’d like to look at the practical consequences for healthcare organizations.

Spectre and Meltdown are everywhere
All unpatched servers are vulnerable because Spectre and Meltdown affect the vast majority of processors used in servers, including those manufactured by Intel, AMD, and companies that use ARM chip designs in their processors.

Clearly, this should worry healthcare organizations that are required to store data according to the privacy and security rules of HIPAA. Is that data at risk? The one-word answer to that question is yes, but it depends on how quickly your hosting provider or server admin team react.


Operating system developers, including Microsoft and the Linux kernel project, have released patches that work around Spectre and Meltdown. Chip manufacturers have released firmware patches that also mitigate the risk.

Responsible HIPAA-compliant server hosting providers have reacted quickly to patch their servers, but there’s a worry that less responsible hosting providers or healthcare organizations that manage their own servers may be slow to update, putting their businesses and their patients at risk.

How can Spectre and Meltdown be used against healthcare organizations?
The biggest danger is for healthcare organizations that use the cloud or shared hosting. In theory, a malicious actor with an account or virtual machine on the same server could run code which gives them access to data owned by other clients on the same server. Clearly, this would be a breach of HIPAA’s security and privacy rules, which mandate technical safeguards aimed at preventing third-parties from accessing Protected Health Information.

The really pernicious aspect of Spectre and Meltdown is that they can be used to bypass many of the protections built into HIPAA-compliant hosting. For example, if a healthcare provider has encrypted their data while it is at rest, that doesn’t necessarily mean it’s safe from an attacker. To be used, data has to be decrypted, and because Spectre and Meltdown can (in theory at least) be used to read data in the kernel’s memory space or the memory space of other processes, the decrypted data is at risk of being leaked.

The risk is lower for healthcare organizations that use dedicated servers. There is no risk of a hosting client running code that would allow them to access the data of other hosting clients using the same server, because dedicated servers are “owned” by a single client.

Even though the risk is lower, it doesn’t remove all potential sources of risk. Any situation in which a third party can run code on a server has the potential to be exploited. If an attacker were able to brute force a user account on the server, they might be able to access private information that would typically be inaccessible to that account. It’s also possible that remote code execution vulnerabilities in other software could be exploited by an attacker to gain local access and run Spectre and Meltdown code.

The only effective way to mitigate the risk posed by Spectre and Meltdown is to apply operating system and firmware updates to the affected servers. Healthcare organizations should ensure that any third-party hosting providers have applied the patches. Healthcare organizations that manage their own servers should update as soon as possible.
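A quick way to verify the patch state the paragraph calls for on a Linux server, as an added example that is not from the article or from Liquid Web: a POSIX shell script that reads the kernel's own mitigation report under /sys/devices/system/cpu/vulnerabilities/ (present on Linux 4.15 and later; the script name spectre_check.sh is hypothetical).

```shell
#!/bin/sh
# Added example (not code from the article or from Liquid Web): summarise the
# Linux kernel's own report of Spectre/Meltdown mitigation status, which it
# exposes as one file per issue under /sys/devices/system/cpu/vulnerabilities/
# (present since kernel 4.15; absent on older kernels and on non-Linux hosts).
# Each file holds one line such as "Not affected", "Mitigation: PTI" or
# "Vulnerable: Retpoline without IBPB".

VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status STATUS_LINE
# Prints ok, vulnerable or unknown. "Not affected" and any "Mitigation: ..."
# string count as ok; anything beginning with "Vulnerable" does not.
classify_status() {
    case "$1" in
        "Not affected"*|"Mitigation:"*) echo ok ;;
        "Vulnerable"*)                  echo vulnerable ;;
        *)                              echo unknown ;;
    esac
}

# report_dir DIR
# Prints one line per issue file ("<issue> <class> <kernel status>").
# Returns 0 when every issue is mitigated or not applicable, 1 when at least
# one issue is still reported as vulnerable, 2 when DIR does not exist.
report_dir() {
    dir="$1"
    if [ ! -d "$dir" ]; then
        echo "no vulnerabilities directory at $dir (kernel older than 4.15, or not Linux)"
        return 2
    fi
    rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        issue=$(basename "$f")
        status=$(cat "$f")
        class=$(classify_status "$status")
        [ "$class" = vulnerable ] && rc=1
        printf '%-24s %-10s %s\n' "$issue" "$class" "$status"
    done
    return $rc
}

# Live check of this host when run as "sh spectre_check.sh --live"; the exit
# status follows report_dir so the script can gate a patch-compliance job.
if [ "${1:-}" = "--live" ]; then
    report_dir "$VULN_DIR"
    exit $?
fi
```

A firmware (microcode) update does not show up as a separate file; it is reflected in the kernel's status strings, so a status that still reads "Vulnerable" after an OS update points at the firmware side of the fix the paragraph mentions.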

Carrie Wheeler is Chief Operations Officer and Head of Support at Liquid Web, a fully managed hosting company focused on web and cloud professionals. Liquid Web provides hosting solutions for everyone, including HIPAA Compliant Hosting.