Prepping for OCR audits? Start with risk assessments

An epidemic is sweeping the nation, putting intense pressure on the healthcare system. This time, it's not a disease of the human body — it's cyber systems that are under attack.

Recent research based on the Office for Civil Rights (OCR) and Department of Health and Human Services (HHS) records indicates that in 2016, healthcare cybersecurity attacks increased 320 percent and the total number of patient records breached in provider hacking attacks increased 181 percent (9.5 million records).

Under constant threat of patient data breaches, ransomware, and medical device tampering, healthcare providers of all sizes find themselves in a tough spot. Currently, the OCR is in Phase II of its HIPAA audit program, which includes covered entities and business associates selected by the agency. The OCR will also investigate providers and associates after a data breach and upon receipt of legitimate consumer complaints. Media reports alleging HIPAA violations may trigger a compliance review.

All of these agency actions, as well as enforcement-related follow-up, will require providers and associates to demonstrate that they have thoroughly assessed the risks posed to protected health information (PHI) across the organization. Such assessments help covered entities ensure that HIPAA-mandated physical, technical, and administrative safeguards are in place and functioning as intended.

Risk assessments and related risk monitoring should be an ongoing process. When providers implement any new technologies, cloud services, or processes that touch PHI, they should review and update their overall risk profile. The same goes for any third party, or Business Associate (BA), who has access to PHI. The OCR will examine assessments for completion, accuracy, and currency. Failing to provide evidence of regular risk assessments, follow through on remediation plans, or documentation of these activities, could cause the covered entity to incur larger fines in the event of a data breach. The HIPAA Newsroom is not a place you want to see your organization publicized.

To help guide providers through the risk assessment process, the Office of the National Coordinator for Health Information Technology (ONC) has provided a Security Risk Assessment Tool in collaboration with OCR and HHS. Providers should begin by assessing where and how their PHI is stored and transferred. Databases, cloud storage and services, mobile devices and laptops should be inventoried and evaluated for vulnerabilities, access management, strong passwords, and proper encryption protocols.

Executing the processes required to meet all these obligations is a true challenge for organizations of all sizes. Conducting security risk assessments using a governance, risk management and compliance (GRC) solution can provide a more efficient and effective way to tackle the entwined and complex nature of the healthcare industry's regulatory requirements, risks, audits and cyber security. By automating and systematizing interdependent efforts across the enterprise, GRC solutions ease the manual and labor-intensive process of managing risk assessments using office management tools such as spreadsheets.

GRC solutions can bring disparate data sources and documentation into a centralized and accessible location, manage the risk assessment process, and map assessment results to policies, authoritative sources (laws, regulations and standards), controls and more. This interconnectivity provides valuable context to the risks and helps to strengthen the protective connections between cyber security, data governance, and risk management.

Using a purpose-built GRC solution to integrate security and compliance programs fosters greater collaboration and accountability throughout the organization. The enhanced efficiency and visibility enabled by these platforms makes it easier to identify gaps in protection, policies that aren't being followed, and processes that need to be fixed. These interventions not only help to ensure compliance and audit-readiness, they also reinforce security measures and streamline routine operations.

The stakes in healthcare technology and data security are incredibly high. In addition to the integrity and sustainability of the healthcare industry, sensitive personal information, individual safety, and public health outcomes are all on the line. Not all cyber-attacks are preventable, but strong risk management and data security programs help organizations respond more expeditiously to incidents, mitigating damage to their patients and bottom lines. In an era of political uncertainty and heightened scrutiny, resilient organizations with comprehensive, mature risk management programs will be best positioned to overcome challenges and capitalize on opportunity.

Manolito Jones is the Healthcare Solutions Team Leader for LockPath's healthcare team. With 15 years in the healthcare and pharmaceutical industries, Jones' focus is on helping healthcare organizations realize value through technology.

The views, opinions and positions expressed within these guest posts are those of the author alone and do not represent those of Becker's Hospital Review/Becker's Healthcare. The accuracy, completeness and validity of any statements made within this article are not guaranteed. We accept no liability for any errors, omissions or representations. The copyright of this content belongs to the author and any liability with regards to infringement of intellectual property rights remains with them.

© Copyright ASC COMMUNICATIONS 2019. Interested in LINKING to or REPRINTING this content? View our policies by clicking here.


Top 40 Articles from the Past 6 Months