The additional enforcement power the HIPAA/HITECH Omnibus final rule gave HIPAA has ensured that healthcare providers are now familiar with the requirement to perform an IT security risk assessment.
However, they still risk treating the assessment as the finish line rather than acting on the issues it highlights. That is the view of Michael Kanarellis, IT Assurance Senior Manager for public accounting and business consulting firm Wolf & Company.
“It’s a requirement of HIPAA to do a risk assessment. Because HIPAA never had any real punitive power, the regulations were largely ignored, but now, because of the increased regulatory control, hospitals are finally going through those exercises,” he said.
“However, you want to make sure that it’s a useful exercise. We tell clients that once you do a risk assessment that’s not the end of the process. It’s a matter of really looking at what you found then coming up with mitigating strategies to lessen those risks.”
A risk assessment should form the cornerstone of any healthcare organization’s security measures, said Kanarellis. It should examine the organization’s entire information technology environment, weighing the threats to it and the resulting risks, and it should include an inventory of every device that stores electronic protected health information.
“You need to identify where within the network this information is held and take mitigating steps to reduce the risks of individual threats – and that can range from external threats from hackers coming from the outside in and gaining entry to internal risks such as unpatched devices and weak passwords that can be exploited by disgruntled employees or contractors with motivation and access,” he said.
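To make the process Kanarellis describes concrete (inventory the assets that hold ePHI, apply the threats to each, then rank what to mitigate first), here is a small risk register. It is an added example, not code from the article or from Wolf & Company; the asset names, the threat catalogue, the 1-5 likelihood and impact scale and the HIGH threshold are all constructed for illustration and would be replaced by the organization’s own scales and findings.

```python
"""ePHI risk register: inventory -> threat findings -> ranked mitigations.

Added example (not from the article or Wolf & Company). The asset inventory,
threat catalogue and 1-5 likelihood/impact scale are constructed for
illustration; a real assessment uses the organisation's own scales.
"""
from __future__ import annotations

from dataclasses import dataclass

HIGH = 15  # illustrative threshold: score >= HIGH must get a mitigation owner and date


@dataclass
class Asset:
    name: str
    holds_ephi: bool
    records: int            # individuals whose ePHI the asset stores or caches
    internet_exposed: bool
    days_since_patch: int
    weak_passwords: bool    # no complexity, lockout or MFA on ePHI accounts
    shared_accounts: bool   # generic logins, so actions cannot be attributed


@dataclass
class Finding:
    asset: str
    threat: str
    likelihood: int   # 1-5
    impact: int       # 1-5
    mitigation: str

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def assess(asset: Asset) -> list[Finding]:
    """Apply the (constructed) threat catalogue to one inventory entry."""
    if not asset.holds_ephi:
        return []  # outside the ePHI register; still belongs in the general IT risk list
    # A breach affecting 500 or more individuals triggers HHS and media notification
    # under the HIPAA Breach Notification Rule, so treat those assets as maximum impact.
    impact = 5 if asset.records >= 500 else 3
    findings = []
    if asset.days_since_patch > 90:
        findings.append(Finding(asset.name, "exploitation of unpatched software",
                                5 if asset.internet_exposed else 3, impact,
                                "patch to vendor baseline; enrol in monthly vulnerability scanning"))
    if asset.weak_passwords:
        findings.append(Finding(asset.name, "credential guessing by insider or attacker",
                                4 if asset.internet_exposed else 2, impact,
                                "enforce length/lockout policy; MFA for ePHI access"))
    if asset.shared_accounts:
        findings.append(Finding(asset.name, "insider misuse that cannot be attributed",
                                3, impact,
                                "individual accounts; log and review ePHI access"))
    if asset.internet_exposed:
        findings.append(Finding(asset.name, "direct external access to an ePHI service",
                                4, impact,
                                "place behind VPN or WAF; restrict by source network"))
    return findings


def risk_register(inventory: list[Asset]) -> list[Finding]:
    """Score every asset and rank findings so mitigation work starts at the top."""
    findings = [f for a in inventory for f in assess(a)]
    return sorted(findings, key=lambda f: f.score, reverse=True)


def needs_action(register: list[Finding], threshold: int = HIGH) -> list[Finding]:
    """Findings that must be assigned a mitigation rather than merely recorded."""
    return [f for f in register if f.score >= threshold]


# Constructed inventory; the names and values are invented for the example.
INVENTORY = [
    Asset("ehr-db-01", True, 250_000, False, 120, False, True),
    Asset("patient-portal", True, 80_000, True, 200, True, False),
    Asset("radiology-ws-07", True, 120, False, 30, True, False),
    Asset("cafeteria-pos", False, 0, True, 400, True, True),
]

if __name__ == "__main__":
    for f in risk_register(INVENTORY):
        print(f"{f.score:>2}  {f.asset:<16} {f.threat:<48} -> {f.mitigation}")
```

Run as-is, the register puts the unpatched, internet-facing patient portal at the top (score 25) and the lightly populated radiology workstation with weak local passwords at the bottom (score 6), while the point-of-sale system that holds no ePHI is excluded entirely. The value of the exercise is the sorted output: every finding at or above the threshold leaves the assessment with a named mitigation, which is the follow-through Kanarellis says most organizations skip.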