A managed service provider (MSP) is an entity that remotely manages a covered entity’s IT infrastructure, and/or end-user systems. Managed service providers who work with clients in the healthcare sector must comply with the HIPAA Security Rule. Under the HIPAA Security Rule, MSPs must perform a security risk analysis.
What Does MSP Security Rule Compliance Consist of?
MSP Security Rule compliance has several components. One central component is performing a security rule risk analysis.
What is a MSP Security Risk Analysis?
The HIPAA Security Rule requires that covered entities and business associates implement certain security safeguards.
These security safeguards must protect the confidentiality, integrity, and availability of electronic protected health information (ePHI). ePHI is protected health information that is created, stored, transmitted, or received in any electronic format.
To identify what safeguards are needed, and to implement these safeguards, a Security Rule Risk Analysis (sometimes referred to as a “Security Rule Risk Assessment” or “Security Risk Assessment” or “Security Risk Analysis”) must be performed. The security risk analysis consists of conducting an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
-
- “Confidentiality,” as the term relates to ePHI, means that ePHI is not available or disclosed to unauthorized persons or processes
- “Integrity,” as the term relates to ePHI, refers to ePHI that is not altered or destroyed in an unauthorized manner
- “Availability,” as that term relates to ePHI, refers to ePHI that is accessible and usable on demand by authorized persons
What is the Scope of an MSP Security Risk Analysis?
According to guidance issued by the Department of Health and Human Services (HHS), the scope of an MSP security risk analysis encompasses potential risks and vulnerabilities to the confidentiality, availability, and integrity of all ePHI that an MSP conceivably:
- Accesses;
- Views (even accidentally);
- Creates;
- Receives;
- Maintains; and
- Transmits.
This includes ePHI in all forms of electronic media. Types of electronic media include (but are not limited to):
- Hard drives;
- Cloud applications and storage;
- CDs and DVDs;
- Smart cards;
- Personal digital assistants; and
- Portable electronic storage devices.
The term “electronic media” is defined broadly, to include something as small as a single computer workstation, all the way up to something as large as complex networks connected among multiple locations. An MSP security risk analysis must take into account all ePHI, regardless of the medium in which it was created, received, maintained, or transmitted, and regardless of its source or location.
MSP Security risk analysis includes six elements:
- Collecting Data
- Identifying and Documenting Potential Threats and Vulnerabilities
- Assessing Current Security Measures
- Determining the Likelihood of Threat Occurrence
- Determining the Potential Impact of Threat Occurrence
- Determining the Level of Risk
Each of these elements is discussed in turn.
Element 1: An MSP Must Collect Data
An MSP must identify where ePHI is stored, received, maintained, or transmitted. An MSP can gather relevant data about ePHI locations and transmission methods by: reviewing past and/or existing projects; performing interviews; reviewing documentation; or using other data gathering techniques. The MSP must document the data on ePHI gathered using these methods.
Element 2: An MSP Must Identify and Document Potential Threats and Vulnerabilities
MSPs must identify and document reasonably anticipated threats to ePHI, uncovering specific threats that are unique to the circumstances of the client’s environment. MSPs must also identify and document vulnerabilities which, if triggered or exploited by a threat, would create a risk of inappropriate access to or disclosure of ePHI. Most MSPs use network and device scanning and discovery utilities to identify these vulnerabilities.
Element 3: An MSP Must Assess Current Security Measures
MSPs should assess and document the security measures an entity uses to safeguard ePHI, whether security measures required by the Security Rule are already in place, and if current security measures are configured and used properly.
Element 4: An MSP Must Determine the Likelihood of Threat Occurrence
The Security Rule requires MSPs to take into account the probability of potential risks to ePHI. The results of this assessment, combined with the initial list of threats, will influence the determination of which threats the Rule requires protection against because they are “reasonably anticipated.”
The output of this part should be documentation of all threat and vulnerability combinations with associated likelihood estimates that may impact the confidentiality, availability and integrity of ePHI of an MSP.
Element 5: Determining the Potential Impact of Threat Occurrence
The Security Rule requires MSPs take into consideration the “criticality,” or impact, of potential risks to confidentiality, integrity, and availability of ePHI. An MSP must assess the magnitude of the potential impact resulting from a threat triggering or exploiting a specific vulnerability. An MSP may use either a qualitative or quantitative method or a combination of the two methods to measure the impact on the organization.
The output of this process should be documentation of all potential impacts associated with the occurrence of threats triggering or exploiting vulnerabilities that affect the confidentiality, availability, and integrity of ePHI within an MSP.
Element 6: Determining the Level of Risk
MSPs should assign risk levels for all threat and vulnerability combinations identified during the risk analysis. When performing MSP risk management, the level of risk could be determined, for example, by analyzing the values assigned to the likelihood of threat occurrence and resulting impact of threat occurrence. The risk level determination might be performed by assigning a risk level based on the average of the assigned likelihood and impact levels.
The output should be documentation of the assigned risk levels and a list of corrective actions to be performed to mitigate each risk.
Following the six steps above satisfies the requirement to complete an MSP Security Risk Analysis.