Risk assessments are the backbone of any good security and risk plan. A risk assessment tests your current information system and reveals any areas where data is at risk of theft or exposure. In the healthcare setting, a risk assessment carries even greater weight. With regard to Protected Health Information (PHI, or ePHI when held electronically), HIPAA sets clear requirements on how PHI must be handled, which raises the stakes if the data is stolen or accidentally disclosed. An in-depth risk assessment is needed to be HIPAA-compliant, and if you also choose to become HITRUST certified, you must conduct ongoing risk assessments to show that your data remains protected. So, how do you conduct a risk assessment?
The first step is to perform an initial risk assessment if you haven’t already done so. This should include:
Identify critical business functions and assets supporting ePHI processing
Develop a risk assessment framework
Create a risk treatment strategy
Determine the criteria for performing, reviewing, communicating and updating risks to ePHI
This initial risk assessment is a gauge of how secure things are currently and, more importantly, of what changes need to be made to improve security and reduce risk. Every business carries some risk; the goal is to reduce it to an acceptable level.
Make sure your risk treatment strategy includes regular and frequent risk re-assessments
A big mistake many healthcare companies make is to assume the initial risk assessment is enough. As your practice grows and changes, so will your risks. Risk assessments should be performed on a regular basis to analyze potential threats that could exploit existing vulnerabilities and compromise the assets that process ePHI.
Ensure your training program is comprehensive
Assets are not only computers and servers. People are assets as well: they come into contact with PHI and must be properly trained in your risk treatment strategy. The training must be thorough. You should also establish regular refresher training so that the people element of your business does not become lax in its day-to-day functions.
Don’t be afraid to bring in outside help
Performing regular risk assessments and updating your risk treatment strategy can be an overwhelming and time-consuming process, and not every practice has an entire team devoted to information security. Hiring a third-party team, such as ESHA IT, to perform your risk assessments and security plan updates can be a time- and cost-effective way to protect your patients and remain compliant, without the headaches of doing it all yourself.
How can ESHA IT help?
ESHA IT has worked with numerous healthcare companies, large and small, to help with every aspect of the risk assessment process. We can provide:
Initial risk assessments and security testing
Security plan creation and implementation
Ongoing risk assessments and security plan updates
Staff training on security protocols and minimizing risk