The question is asked of HIPAA subject matter experts with an almost maddening frequency: “How often do I need to conduct a HIPAA Security Risk Analysis (SRA)?” In 2010, the Department of Health and Human Services’ Office for Civil Rights issued guidance on the topic. The guidance did not spell out how often the analysis is to be performed.
Yet the guidance pointed toward an answer by noting two Security Rule requirements. Requirement 1: Entities are obligated to continuously provide reasonable and appropriate protection of electronic protected health information (ePHI). Requirement 2: When changes affect the security of ePHI, the entity must modify its security measures to meet this obligation, and must update its documentation to reflect the modified measures.
So you must protect ePHI by changing security measures, and documenting the changes, whenever the need arises. Left unanswered: how do you identify when security updates are necessary in the first place? Are you supposed to have some SRA Spidey Sixth Sense? Of course not. Per the guidance and common sense, an organization identifies when security updates are needed by conducting continuous risk analysis. “Continuous” does not mean a specific frequency. It does not mean “yearly,” or “every other year,” or “three times a month.” What does it mean? The 2022 HIPAA SRA requirements guidance goes over what is meant by “continuous,” and explains why risk analyses must be performed on a continuous basis. That guidance is discussed in further detail below.
HIPAA SRA Requirements: A Continuous Need
Imagine that you are trying to convince a reluctant someone – an employer, a colleague, a healthcare practitioner – that a security risk analysis must be performed on a continuous basis.
Their opening comment might be something along the lines of, “Well, I’ve read the Security Rule. Yeah, there is a part on risk analysis. The Rule says, ‘Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.’ I don’t see anything about having to conduct one every year or more. Where are you getting this ‘continuous’ nonsense? And beyond that, what does ‘continuous’ even mean?”
Fortunately for you, the cavalry has arrived, for you are now armed with the 2010 guidance AND the 2022 HIPAA SRA requirements guidance.
The 2010 guidance instructs, “The risk analysis process should be ongoing. In order for an entity to update and document its security measures ‘as needed,’ which the Rule requires, it should conduct continuous risk analysis to identify when updates are needed.”
You inform your HIPAA inquisitor of this fact. That person then volleys, “Well, about that guidance you cited… In the next sentence, the guidance states, ‘The Security Rule does not specify how frequently to perform risk analysis as part of a comprehensive risk management process.’ Nice try, though.”
You remain unbowed. “Yes, but the next paragraph states, and I am paraphrasing here, ‘A truly integrated risk analysis and management process should be performed as new technologies and business operations are planned, thereby reducing the effort required to address risks you identify after implementation. For example, if you’ve experienced a security incident, had a change of ownership, or have had key staff turnover, you should analyze the potential risk to ensure that ePHI remains reasonably and appropriately protected.’ How do you do this? By performing the risk analysis. Only by performing the risk analysis can you determine whether existing security measures are sufficient to protect against the risks associated with evolving threats or vulnerabilities, a changing business environment, or the introduction of new technology, or whether additional security measures are needed. And you have to perform the analysis continuously, or else…”
“You talk too much. And besides, what’s this ‘evolving threats’ thing?”
“Glad you asked. And while we’re at it, the SRA should be performed continuously for a couple of other reasons, too.”
HIPAA SRA Requirements: New Disruptions, New Vulnerabilities
Disruptions to business operations come from many directions. Disruption to technology (cyberattacks), to the economy, and to the way business is performed all create risk, and the threats that arise from these disruptions constantly evolve. Consider COVID-19. The pandemic forced many healthcare providers to deliver care remotely. To deliver that care, providers relied on Zoom, remote monitoring devices, and other technologies they had not previously used. With the change in work methods came the opportunity for bad actors to take advantage of weaknesses in these new technologies and in the way they were deployed. Say a provider now offering telehealth services failed to secure the home network from which that care was delivered. That is a vulnerability, and an opening for an attacker, right there. Hackers have exploited this kind of vulnerability and continue to do so.
Conducting a “one and done” SRA is the cybersecurity equivalent of deliberately choosing to play Whack-a-Mole. By letting fixed intervals of time, e.g., yearly or every other year, dictate when to perform an SRA, an organization never gets out in front of threats. Instead, it plays catch-up, discovering risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI that have already existed for days, weeks, months, maybe years.
If an organization suffers a cyberattack that succeeded because of its “Let’s get our SRA one and done, at whatever interval sounds good to us” mentality, the Office for Civil Rights will show no sympathy. If the failure to conduct a continuous, ongoing risk analysis led to a HIPAA violation, the excuses an organization could muster are just that… excuses.
Continuous, ongoing risk analysis is also called for by NIST and reflects the reality of today’s business world.
HIPAA SRA Requirements: NIST
The National Institute of Standards and Technology (NIST) outlines an overall risk management process (in NIST Special Publication 800-39) that consists of four steps. Together, these four steps describe a continuous, ongoing process of risk analysis:
- Frame risk by establishing the context for risk-based decisions and your overall approach to risk management.
- Assess risk through an enterprise-wide, comprehensive risk analysis.
- Respond to risk by making risk treatment decisions and executing risk treatment actions.
- Monitor risk on an ongoing, continuous basis, so that changes in the environment, in the threat picture, and in the effectiveness of existing controls feed back into how risk is framed and assessed.
When covered entities and business associates are investigated for Security Rule violations, HHS pays special attention to whether they have a process in place for analyzing and managing risk. The NIST methodology is just such a process. Saying, “Something bad happened, and then we figured out how to correct it,” is not.
HIPAA SRA Requirements: Reality
Businesses plan for what is ahead, not for what came before. To do this, they must improve their existing services and solutions, or design and provide new ones. That improvement can only happen if the business continuously monitors and adapts to changes in its own environment and in the outside world.
Since business planning is continuous, its core components must be performed continuously, and risk analysis is one of those core components. Continuous, ongoing risk analysis is a crucial planning tool that lets your cybersecurity program, and your business, evolve instead of standing still or losing ground.