Why health care providers need to take HIPAA risk assessments seriously

Whether your organization falls under HIPAA, FISMA or PCI DSS you need to do a risk assessment. Yes it's a good thing to do self-assessment but in order to prepare for a full compliance audit it's important to get an independent outside consultant to perform this critical assessment.

I have worked in and audited many organizations that all too often wanted to do the minimum and were completely unaware of their full responsibility to meet their compliance. They also in many cases did not have the internal staff or expertise to do a high quality assessment.

To begin, let's look at HIPAA. From hhs.gov, The Health Insurance Portability and Accountability Act of 1996 (HIPAA) required the Secretary of the U.S. Department of Health and Human Services (HHS) to develop regulations protecting the privacy and security of certain health information. To fulfill this requirement, HHS published what are commonly known as the HIPAA Privacy Rule and the HIPAA Security Rule.

The HIPAA Privacy Rule establishes national standards to protect individuals' medical records and other personal health information. The Security Rule still focuses on individual's health records but specifically focuses on ePHI, Electronic protected health Information. Under the Security Rule, covered entities are required to evaluate risks and vulnerabilities in their environments and to implement security controls to address those risks and vulnerabilities.

Let's define compliance vs security. As I recently stated in a quote I made in the Nov 17 issue of Fortune, "How Frank Blake kept his legacy from being hacked", "Compliance is backward-looking and static, security is forward-looking, dynamic, and intelligent." Compliance is the foundation for security, it's the minimum.

You can't be secure if you are not compliant! A risk assessment will achieve compliance and actually make your organization more secure. The HIPAA Risk Assessment is required by law for HIPAA compliance, it's not optional.


NIST 800-66 Appendix E Risk Assessment Guidelines

  1. Scope the assessment. Where is the ePHI? Servers, Workstations, smartphones, Laptops, backups, cloud backup?
  2. Gather information. The conditions which ePHI is created, received, maintained, processed or transmitted.
  3. Identify realistic threats.
  4. Identify potential vulnerabilities. Save
  5. Assess current security controls.
  6. Determine the likelihood and the impact of a threat exercising a given vulnerability.
  7. Determine the level of Risk.
  8. Recommend security controls.
  9. Document the risk assessment results.


I have worked in many technical roles as well as performed many compliance audits as a consultant; we keep seeing many of the same things. No physical access controls, no vulnerability management, no PEN testing, no data loss prevention on mobile devices, no backups or backups not tested or not encrypted, account management issues, weak passwords or no separation of duties just to name a few. Just take a look at the Verizon data breach investigations report, it states most attacks are not highly difficult. Why? Because they involve the things required by compliance and too many organizations are weak on compliance. Besides the HIPAA law, why do we need to do risk assessments?

The HIPAA Risk Assessment

From hhs.gov RISK ANALYSIS Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].

The following questions adapted from NIST Special Publication (SP) 800-66 are examples organizations could consider as part of a risk analysis. These sample questions are not prescriptive and merely identify issues an organization may wish to consider in implementing the Security Rule:

Have you identified the e-PHI within your organization? This includes e-PHI that you create, receive, maintain or transmit.

What are the external sources of e-PHI? For example, do vendors or consultants create, receive, maintain or transmit e-PHI?

What are the human, natural, and environmental threats to information systems that contain e-PHI?

Notice they leave some room for reality by stating the sample questions are not prescriptive but rather issues an organization might consider in implementing the Security Rule.

NIST 800-66 states it this way:

Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of EPHI held by the covered entity.

  • A risk assessment methodology, based on NIST SP 800-30, is included in Appendix E of this document.
  • Are there any prior risk assessments, audit comments, security requirements, and/or security test results?
  • Is there intelligence available from agencies, the Office of the Inspector General (OIG), the US-CERT, virus alerts, and/or vendors?
  • What are the current and planned controls?
  • Is the facility located in a region prone to any natural disasters, such as earthquakes, floods, or fires?
  • Has responsibility been assigned to check all hardware and software, including hardware and software used for remote access, to determine whether selected security settings are enabled?
  • Is there an analysis of current safeguards and their effectiveness relative to the identified risks?
  • Have all processes involving EPHI been considered, including creating, receiving, maintaining, and transmitting it?

There are too many documents and rules and regulations, so sorting it all out can be confusing, but to do the actual Risk Assessment you must look to NIST 800-66 Appendix E.


With the federal mandate to put more healthcare records online, data breach after data breach spanning healthcare, military, retailers, and universities have become common. One must ask the question, what's the root cause?

According to Leon Rodriguez, Director Office Civil Rights, US department Health and Human Services, since the HITECH Act, HIPAA complaint traffic geometrically increased. In the last three years, there have been over 70,000 HIPAA violation complaints. Pre-HITECH, the maximum penalty per year per provision violated was $25,000. Now it's $1.5 million.

Before the new rules, willful neglect had to be proven to pursue any type of penalty. Any lesser measure of culpability was not actionable through penalties. But consumers need confidence that there is an effective enforcement entity if they are going to feel comfortable being forthright in sharing sensitive health information. The HIPAA penalties applied were due to:

  • Failure to have adequate HIPAA compliance policies and procedures as administrative safeguards.
  • Failure to complete HIPAA security training for their staff.
  • Failure to implement access controls as physical safeguards.
  • Failure to encrypt the information on the device or an equivalent protection.

In 2009, the breach notification for unsecured protected health information was enacted, the U.S. Department of Health and Human Services' database of major breach reports (affecting 500 or more people) has tracked 944 incidents affecting personal information from about 30.1 million people. There are also many more incidents of smaller-scale breaches (less than 500 people per incident). In 2012, HHS received 21,194 reports of smaller breaches affecting 165,135 people, according to the department's most recent report to Congress. Similar numbers were reported in 2011. In all, data breaches cost the industry $5.6 billion each year, according to the Ponemon Institute.

It's obvious that we are pushing more healthcare data out than we can possible safely secure. We see basic compliance failures across all industries. CEOs need to take the lead and put policies, and processes in place that assure that 100% of the compliance objectives are met, this includes the mandated HIPAA risk assessment (no matter how small the healthcare practice) and at that same time start focusing on proactive, intelligence driven security monitoring and response. We can no longer do some compliance or some security or work in silos, our adversaries are well organized and funded and will stop at nothing to take what we are unable to properly secure for their personal gain.

We must always remember that "we must think of every way our data can be compromised, while a cyber-criminal only needs to think of one!"

George Grachis, CISA, CISSP, is a senior consultant with Maxis360, located in Orlando Florida. He can be reached at Maxis360.com or Ggrachis@maxis360.net.

Join the CSO newsletter!

Error: Please check your email address.

Tags Department of Healthhealth careindustry verticals

More about ----Department of HealthVerizon

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by George Grachis

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts