Proactive Security: Navigating HIPAA’s Proposed Risk Analysis Updates
Posted by: Will Klotz
NOTE: This article discusses proposed changes to existing regulations. These changes are not in effect as of this article’s date and may change significantly before inclusion in an interim or final rule. Monitor the official website linked below for the latest information on publication specifics.
The proposed changes to the Health Insurance Portability and Accountability Act (HIPAA) security rule represent a response to observations made by the Department of Health and Human Services. In the lengthy Notice of Proposed Rulemaking (NPRM), the keyword search for “risk analysis” yielded 123 results. This is because, on top of the proposed improvements to the risk analysis itself, most of the other requirements are at least somewhat dependent on the output of the risk analysis. In reading the NPRM, it is useful not just to look at the recommendations but also to look at the observations and experiences that led to them.
A key part of the NPRM reads:
“The Department found that most regulated entities failed to implement the Security Rule requirements for risk analysis and risk management…According to the report…94 percent of covered entities and 88 percent of business associates ‘failed to implement appropriate risk management activities sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.’”
Entities need to understand their cyber risk landscape to fulfill the security rule requirements and prioritize remediation. To perform any risk analysis, the entity must clearly understand the scope of the analysis (in this case, any ePHI in their possession). With this information, a properly conducted risk analysis can identify threats and vulnerabilities to the ePHI, potential attack vectors, and possible loss events. The element of risk management is essential to choosing and completing a risk treatment.
The recommendations provided in the NPRM represent a wealth of information that, when dissected, can act as a guide to correcting common issues in cyber risk analysis.
Scoping
According to the NPRM:
“Entities generally failed to:
Identify and assess the risks to all of the ePHI in their possession.”
Proper and complete scoping forms the foundation of a successful risk analysis. It is essential to understand which information systems “create, receive, maintain, or transmit ePHI and all technology assets that may affect ePHI”. As part of vendor management, organizations must also know which vendors meet the same criterion regarding ePHI. Any asset missed during scoping is excluded from the analysis, leaving the organization unaware of the risks to it.
Risk Analysis
According to the NPRM:
“Entities generally failed to:
Identify threats and vulnerabilities to consider their potential likelihoods and effects and to rate the risk to ePHI.”
This may be a more difficult area for entities as it requires a deep dive into threats and controls. The identified assets need to be put into potential loss events, or risk scenarios. Threats should be considered against their potential impact to the confidentiality, integrity and availability of the ePHI. Vectors of attack and the profile of likely threat actors should be considered to paint a more complete picture of each scenario, yielding a more accurate and complete risk analysis.
The task becomes more consistent by identifying a risk matrix tailored to the entity (or one already in use). Accounting for impact and likelihood using measures such as the quantity of ePHI records and factors such as preventive controls will help calculate risk for each loss event. The exercise results can help show the remediation path that will most affect risk. It is often worth the effort to consider recommendations for remediation and then look at how the risk score would be affected if the solution was implemented. This will show the potential risk reduction that is associated with the recommendation, which will help with prioritization.
Visually representing the findings may seem burdensome, but a well-documented report with supporting tables can help highlight the loss events and risk scores. The use of colors also helps. Typically, reds are at the top, with a gradient down to yellows or greens for the lower risks. In this manner, the output of the risk analysis serves as a map for securing an entity against potential loss events.
The NPRM presents a list of proposed requirements for the risk analysis, which have already been discussed above; for reference, they are:
- Scope using the asset inventory and the network mapping to identify where ePHI may be created, received, maintained, or transmitted.
- Identify all threats to the confidentiality, integrity, and availability of the scoped ePHI.
- Identify potential loss events to in-scope information systems.
- Conduct and document an assessment of the security measures used to protect in-scope data.
- Calculate the reasonable likelihood of each potential loss event.
- Calculate the reasonable impact of each potential loss event.
- Document the risk level for each identified loss event.
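The following worked example, added here and not taken from the article, the NPRM, or GuidePoint Security, walks the seven listed steps and the risk-matrix scoring described earlier (likelihood times impact, impact scaled by ePHI record count, credit for preventive controls, a color band for the report, and the risk reduction a recommended remediation would yield). The asset names, threats, 1-5 scales, record-count thresholds, control-credit rule and band cut-offs are all constructed assumptions for illustration; a real analysis would use the entity's own tailored matrix.

```python
# Added worked example: a minimal risk-analysis walkthrough following the NPRM's
# listed steps. Asset names, threats, scales and thresholds are constructed
# assumptions for illustration, not values from the article or the NPRM.
from dataclasses import dataclass

# Assumed 1-5 ordinal likelihood scale (one axis of a common 5x5 risk matrix).
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}


@dataclass(frozen=True)
class Asset:
    name: str
    handles_ephi: bool   # creates, receives, maintains, or transmits ePHI
    ephi_records: int    # approximate number of ePHI records held or processed
    owner: str           # "internal" or the name of the vendor holding it


@dataclass(frozen=True)
class LossEvent:
    asset: str
    threat: str          # e.g. ransomware, misdirected export
    property: str        # confidentiality / integrity / availability
    likelihood: str      # key into LIKELIHOOD, before control credit
    controls: tuple      # preventive controls currently in place


def scope_assets(inventory):
    """Step 1: keep only assets that touch ePHI, whether internal or vendor-held."""
    return [a for a in inventory if a.handles_ephi]


def impact_tier(records):
    """Step 6: derive a 1-5 impact tier from record count (assumed thresholds)."""
    if records >= 100_000:
        return 5
    if records >= 10_000:
        return 4
    if records >= 1_000:
        return 3
    if records >= 100:
        return 2
    return 1


def adjusted_likelihood(event):
    """Steps 4-5: assess controls and rate likelihood, lowering it one tier per
    preventive control in place, floored at 1 (assumed simple control credit)."""
    return max(1, LIKELIHOOD[event.likelihood] - len(event.controls))


def risk_score(likelihood, impact):
    """Step 7: risk level as likelihood x impact on the 5x5 matrix (1-25)."""
    return likelihood * impact


def risk_band(score):
    """Color band used when presenting the report (assumed cut-offs)."""
    if score >= 15:
        return "red"
    if score >= 8:
        return "yellow"
    return "green"


def analyze(inventory, events):
    """Run steps 1-7 over the inventory and return rows, highest risk first."""
    in_scope = {a.name: a for a in scope_assets(inventory)}
    rows = []
    for ev in events:
        if ev.asset not in in_scope:
            continue  # step 2/3: loss events on out-of-scope assets are not rated
        lik = adjusted_likelihood(ev)
        imp = impact_tier(in_scope[ev.asset].ephi_records)
        score = risk_score(lik, imp)
        rows.append({"asset": ev.asset, "threat": ev.threat, "property": ev.property,
                     "likelihood": lik, "impact": imp, "score": score,
                     "band": risk_band(score)})
    return sorted(rows, key=lambda r: r["score"], reverse=True)


def remediation_delta(event, records, added_controls):
    """Risk reduction if the recommended controls were implemented; used to
    prioritize remediation by how much each recommendation lowers the score."""
    before = risk_score(adjusted_likelihood(event), impact_tier(records))
    treated = LossEvent(event.asset, event.threat, event.property,
                        event.likelihood, event.controls + tuple(added_controls))
    after = risk_score(adjusted_likelihood(treated), impact_tier(records))
    return before - after


# Constructed sample inventory and loss events (not real systems or vendors).
INVENTORY = [
    Asset("ehr-db", True, 250_000, "internal"),
    Asset("billing-saas", True, 40_000, "ExampleVendor (assumed)"),
    Asset("lobby-kiosk", False, 0, "internal"),
]
EVENTS = [
    LossEvent("ehr-db", "ransomware", "availability", "likely", ("offline backups",)),
    LossEvent("billing-saas", "credential stuffing", "confidentiality", "likely", ()),
    LossEvent("lobby-kiosk", "theft", "availability", "possible", ()),
]

if __name__ == "__main__":
    for row in analyze(INVENTORY, EVENTS):
        print(f"{row['band']:6} {row['score']:2}  {row['asset']} / {row['threat']}")
    print("risk reduction from MFA + rate limiting on billing-saas:",
          remediation_delta(EVENTS[1], 40_000, ["MFA", "rate limiting"]))
```

Note that the kiosk never appears in the output: it was excluded at the scoping step, which is exactly why a missed asset leaves an entity unaware of its risk. The remediation delta is what lets two recommendations be compared on the same scale before either is funded.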
Further considerations in the NPRM include requiring the risk assessment to be performed in a manner that conforms with National Institute of Standards and Technology (NIST) and Cybersecurity and Infrastructure Security Agency (CISA) standards. A blended approach is helpful for customizing the risk analysis, with NIST often serving as the framework. This can help with all aspects of the risk analysis, from running it to how best to document the process.
One of the requests for comments issued by the Department of Health and Human Services is whether the risk analysis should be performed at least once every twelve months. This is a requirement in other regulations and frameworks and is considered best practice. This continual risk analysis helps entities track improvement and stay ahead of new and emerging threats and vulnerabilities.
Risk Management
According to the NPRM, it was common that entities:
“Generally failed to…implement policies and procedures for conducting a risk analysis”
and were:
“Failing to document any efforts to develop, maintain, and update policies and procedures for conducting risk analyses.”
The statements above highlight the need for governance around risk management. Documenting and maintaining a risk management framework, policy, and supporting procedures is critical to an effective risk management program. The risk assessment or analysis portion should be included as a component of the risk management documentation. Basing the risk management program on an industry standard framework will provide consistency and ensure important details are considered. This complements the proposed requirement for entities to adopt a risk-based approach in their security program.
The risk management program should have a process for documenting and analyzing risks as they are discovered. Identified risks should flow into a process that documents and tracks the risk treatment plans. Well-documented procedures supported by risk management platforms or tools enhance the Enterprise Risk Management (ERM) and Cybersecurity Risk Management processes. This enables entities to ensure the implementation of the recommendations gleaned from the risk analysis, deepening the entity’s security posture and culture.
The NPRM is not finalized at this point and could change drastically prior to implementation. However, it is important to consider the work and thought that went into the NPRM. These changes are being considered as they would help entities become more secure, so getting ahead of them will only strengthen security around ePHI. Furthermore, it would be worth looking at implementing the recommendations at a wider scope where other assets would benefit from the same enhanced security.
While this discussion is driven by the NPRM, it is important to consider how some of these proposed changes would be an effective defense to deploy regardless of how the final rule comes out.
Will Klotz
Senior Security Consultant, Risk,
GuidePoint Security
Will Klotz is a Senior Security Consultant at GuidePoint Security. He began his cybersecurity journey in 2010 when he started his 8-year enlistment with the US Army. He held various positions during his service, including 2 years as the Network Security Officer while stationed in Korea.
He has worked in multiple roles within the industry. Most recently, he served as a GRC Manager, where he created, implemented and managed various cybersecurity risk programs.