Editor’s note: At the end of 2014, we conducted a survey of small practices and billing companies on HIPAA compliance. When we asked respondents from medical practices if they had conducted a HIPAA-required risk analysis, only 33% said they had done one. Interestingly, the risk analysis required by HIPAA is very similar to the analysis required for Meaningful Use. In this post, Robert Peterson of ACR2 Solutions discusses the inner workings of a Meaningful Use risk analysis.
Under the Meaningful Use program, practices are required to conduct a security risk analysis, implement security updates, and correct security deficiencies as part of the risk management process.
The Office for Civil Rights (OCR) is tasked with setting the standards for risk analyses under the Meaningful Use program. The most recent OCR guidance on risk analysis has nine requirements, all of which are mandatory:
- Step 1: System Characterization
- Step 2: Threat Identification
- Step 3: Vulnerability Identification
- Step 4: Control Analysis
- Step 5: Likelihood Determination
- Step 6: Impact Analysis
- Step 7: Risk Determination
- Step 8: Control Recommendations
- Step 9: Results Documentation
Unfortunately, Phase I Meaningful Use audits reported in 2013 recorded that 79% of the practices audited FAILED to meet these requirements. Now let’s get into a little more detail.
Step 1: System Characterization
System characterization involves identifying the location and status of ALL of the protected information in the system. This is a good place to use a checklist, as recommended by CMS. The ONC guide to privacy and security recommends (p. 16) that practices “Have your security officer or security risk professional performing the risk analysis use a checklist to get a preliminary sense of potential shortcomings in how your practice protects patient information.” However, ONC goes on to note (p. 11) that checklists, even those as good as the 419 page Security Risk Assessment Tool, “can be useful tools, especially when starting a risk analysis, but they fall short of performing a systematic security risk analysis or documenting that one has been performed.”
Steps 2 and 3: Threat Identification and Vulnerability Identification
The federal security agencies, notably the NSA, have made great strides in identifying vulnerabilities in federal computer systems. Created after 9/11, the National Vulnerability Database (NVD) contains nearly 70,000 identified exploitable vulnerabilities that have been observed in cyberspace. These can be measured using any of about three dozen widely available vulnerability scanners validated under the Security Content Automation Program (SCAP). Some risk analysis protocols, notably those based on NIST 800-66, incorporate the NVD vulnerabilities into the risk analysis.
Steps 4 - 7: Calculating Risks
Calculating risks is at the heart of risk analysis. A place to start is to note that “risk” is a legal term of art. On page 1 of NIST Special Publication 800-30, risk is concisely defined as:
“The net negative result of the exercise of a vulnerability by a threat-source, taking into account likelihood and impact”
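As an added illustration (not part of the original post), the scoring in Steps 5 through 7 can be carried through with the likelihood/impact matrix from the 2002 edition of NIST SP 800-30, which is where the 1-to-100 scale comes from. The findings in the block are constructed sample data, and the rule that anything rated above Low is a deficiency needing a dated implementation plan is this example's own assumption, not an OCR requirement.

```python
from dataclasses import dataclass

# Likelihood weights and impact values from NIST SP 800-30 (2002), Table 3-6.
LIKELIHOOD = {"Low": 0.1, "Medium": 0.5, "High": 1.0}
IMPACT = {"Low": 10, "Medium": 50, "High": 100}

@dataclass
class Finding:
    threat: str         # Step 2: threat-source
    vulnerability: str  # Step 3: weakness the threat could exercise
    likelihood: str     # Step 5: rating after existing controls (Step 4)
    impact: str         # Step 6: effect on ePHI if exercised

def risk_score(likelihood: str, impact: str) -> float:
    """Step 7: risk = likelihood x impact, on the NIST 1..100 scale."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError(f"ratings must be Low/Medium/High, got {likelihood!r}, {impact!r}")
    return LIKELIHOOD[likelihood] * IMPACT[impact]

def risk_level(score: float) -> str:
    """NIST SP 800-30 (2002) risk scale: Low 1-10, Medium >10-50, High >50-100."""
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"

def risk_register(findings):
    """Input for Steps 8-9: findings ranked highest risk first. Flagging every
    finding above Low as needing a dated plan is this example's assumption."""
    rows = []
    for f in findings:
        score = risk_score(f.likelihood, f.impact)
        level = risk_level(score)
        rows.append({"threat": f.threat, "vulnerability": f.vulnerability,
                     "score": score, "level": level, "needs_plan": level != "Low"})
    return sorted(rows, key=lambda r: r["score"], reverse=True)

# Constructed sample findings for a small practice (illustrative, not real audit data).
SAMPLE_FINDINGS = [
    Finding("Phishing e-mail delivering malware", "Workstations missing patches for NVD-listed flaws", "High", "High"),
    Finding("Lost or stolen laptop", "Laptop disk holding ePHI is not encrypted", "Medium", "High"),
    Finding("Unauthorized staff access", "Shared login on the front-desk PC", "Medium", "Medium"),
    Finding("Power outage", "No UPS, but nightly offsite backups exist", "Low", "Low"),
]

if __name__ == "__main__":
    for row in risk_register(SAMPLE_FINDINGS):
        print(f"{row['level']:6} {row['score']:5.1f}  {row['threat']} / {row['vulnerability']}")
```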
Selecting a risk calculation procedure
There are a variety of protocols used to calculate risks. NIST scores risks numerically from 1 (low) to 100 (high), and other protocols often use similar scorings. Some of the most common protocols include:
- DIACAP – Department of Defense procedure, superseded in 2014 by NIST protocols. DIACAP protocols are largely unavailable outside of the defense industry and generally not suitable for civilian medical practices.
- COBIT – Business oriented, includes information security risks among other business risks. COBIT can be very useful for large businesses taking information security risk along with credit risks and business planning risks.
- ISO 27001 and NIST 800-66 – ISO 27001 is an international standard, and NIST 800-66 is the only protocol referred to by the Office for Civil Rights audit group as the “industry standard” for protecting information. ISO 27001 and NIST 800-66 are converging over time. At present (2015) the ISO protocol involves 124 elements compared to 101 for the NIST protocol. Either can be expected to provide useful results. NIST protocols are free to download, while ISO documents must be purchased.
- Various proprietary systems - A number of proprietary standards exist, of varied degrees of quality. Proprietary standards, often based on simple checklists, have not done well in OCR audits (due to burden of proof issues).
Burden of Proof Issues
The auditing agency for Meaningful Use, the Office for Civil Rights, is required by law under the Federal Information Security Management Act (FISMA) to use the NIST protocols to secure its internal protected information. This gives the NIST protocols an assumption of validity that is not shared by other approaches. If something other than the NIST protocol is chosen for a civilian HIPAA risk assessment, the burden of proof to show full meaningful use compliance rests with the applicant. DIACAP, COBIT and ISO protocols have extensive organizational support. Proprietary protocols are typically unsupported, and have problems demonstrating full regulatory compliance.
Applying a risk calculation protocol
In general, there are three routes to producing a viable information security risk analysis using DIACAP, COBIT, ISO or NIST protocols:
- Develop in-house expertise.
- Involve a hired expert consultant.
- Use an expert system computer model.
Developing in-house expertise in ISO or NIST risk assessment protocols is a significant commitment of resources. For example, a partial set of the NIST 800-66 references is shown at right. While this approach is common in federal agencies and some selected hospitals, it is seldom cost effective for medical practices.
Expert consultants are widely available for DIACAP, COBIT, ISO and NIST protocols. In general, NIST protocols are more useful for operations with only US activities, while ISO protocols are common for businesses with international offices.
Expert system computer models have grown in popularity since the advent of TurboTax in income tax preparation. Commercial computer models are available for both ISO 27001 (Modulo) and NIST 800-66 (Symantec and Hewlett Packard). The Symantec version is associated with the Allscripts EMR, while the Hewlett Packard “HIPAA Compliance In-A-Box” system is integrated with the NSA SCAP validated vulnerability scanners and the National Vulnerability Database. Either NIST software package can be expected to be significantly less expensive than a competent consultant.
Steps 8 and 9: Control Recommendations and Results Documentation
Starting in 2014, Meaningful Use audit information requests from CMS include the line “If deficiencies are identified in this analysis, please supply the implementation plan; this plan should include the completion dates.”
Meaningful Use Security Summary
Meeting the ever-expanding Meaningful Use security requirements is not a trivial task. Data from Phase I Meaningful Use audits and NueMD’s 2014 HIPAA survey suggest that many practices have not effectively met this mandate and are at risk of having their EMR subsidies recouped by CMS. Worth noting - CMS has up to six years to audit practices and may, at its discretion, recoup subsidies for all six years from practices that fail to comply with the Meaningful Use security requirements.
Be confident that your patients’ health information is secure, and that your incentive payments arrive safe and sound - conduct a risk analysis!