Interview with Security Compliance Associates for HIPAA Security Risk Assessment

August 27th, 2014

Yearly HIPAA Security Reviews are critical to meeting the compliance requirements of all organizations under the HIPAA umbrella, either directly or as a Business Associate.  We have found that many organizations, especially the smaller ones, do not place much emphasis on these reviews: they skip them, ignore them, or hope that they go away.  They treat them as a necessary “check mark” rather than an active process that is instrumental to maintaining security and preventing the breaches that have been cropping up all over the news.

Solid Security Reviews improve your company’s inherent security posture and awareness, and the security of all services you employ through all vendors … including your secure email and secure forms.  That is, the security of your outsourced services can be compromised if your own systems are compromised.

As such, LuxSci proactively recommends that all HIPAA customers, and all customers with similar needs, undergo yearly security reviews.  One excellent organization that performs these is Security Compliance Associates.

Today we are interviewing Randy Homa, Senior Vice President and Director of Health Care Services at Security Compliance Associates (SCA). He will address many of the questions that have been posed to us with respect to HIPAA Security Reviews.

Randy Homa, Senior Vice President and Director of Health Care Services

Randy initially began working with SCA as the Business Development Manager for Health Care Services. He sees his role as the primary contact for all new prospects and current clients.  He reviews the clients’ and prospects’ needs, determines which services are the best options for them, discusses those options, and assists them with meeting their information security and compliance needs. As part of his position, it is vital for him to stay up to date on information that healthcare providers need to be aware of.

Randy, can you briefly describe the history of Security Compliance Associates? What is your mission?

Security Compliance Associates provides what many consider to be the finest information security services available in the market today. Our seasoned team of professionals delivers superior work product and unparalleled relationship value.

For over 10 years the core team has established a sterling reputation across more than 1,500 engagements with financial institutions, healthcare organizations and other businesses that handle sensitive information. SCA has a long history of success based on its core values, which include building lifetime partnerships based on mutual trust and respect, a culture of service, and employing dedicated, knowledgeable staff. These values have allowed us to expand, strengthening the depth and breadth of our people and services. Safeguarding critical information, regardless of media, is the sole focus of SCA. Whether the requirement is policy development or true penetration testing of the network, SCA is poised to assist you in creating a customized program that fits your individual demand and culture.

The regulatory environment continues to intensify as regulators expand the scope of their information security examinations. SCA specializes in providing information security programs in compliance with NCUA, FDIC, OCC, OTS, FTC, HIPAA, PCI-DSS and FRS regulations. Meeting information security guidance and regulation lies at the core of our program.

Our compliance-oriented approach is not a “one-size-fits-all” solution. The SCA approach recognizes each client as an individual entity with diverse technologies, individual needs, distinctive management styles and a unique corporate culture.

We continue to invest in the best industry talent and technology to ensure our deliverables are, as our clients tell us, “better than advertised”.

One of the services provided by SCA is the HIPAA Security Risk Assessment. Can you describe some of the most important things required by HIPAA for this yearly risk assessment?

When completing a HIPAA Security Risk Assessment, there are several critical areas that need to be assessed.

  • Administrative Safeguards 164.308
  • Physical Safeguards 164.310
  • Technical Safeguards 164.312
  • Organization Requirements 164.314
  • Policies and Procedures and Documentation Requirements 164.316

A thorough risk assessment/analysis [45 CFR §164.308(a)(1)(ii)(A)] for the Security Rule includes a comprehensive assessment of the internal and external networks, whether wired, wireless, or cloud-hosted.  In addition, the report must include a technical vulnerability assessment of all the IT assets, all electronic protected health information (ePHI), the physical and environmental controls, and the operational processes (policies and procedures) of the underlying IT infrastructure across the enterprise.

With regard to Meaningful Use compliance, a technical vulnerability assessment, as well as assessments of the physical, environmental, and operational controls surrounding the electronic healthcare record system, satisfies the requirements of the Meaningful Use objectives.

When performing a HIPAA Security Risk Assessment for a client, what are the things that SCA actually does?

When conducting the HIPAA Security Risk Assessment, SCA always includes the following components:

  1. We come on site.
  2. We deploy industry-best software with credentialed engineers to evaluate your critical information systems.  This includes all devices that store, process or transmit patient information, both on site and mobile devices.
  3. We do a physical security assessment which includes:
    1. Administration: identification, courier/messenger services, janitorial services, access control
    2. External Conditions: exterior doors, windows, roof access, lighting, air ducts
    3. Vital Records: server room, media storage and protection
    4. Physical Protections: keys, anti-theft devices, physical location of devices
    5. Emergency Systems: emergency power and water shut-off, emergency lighting
  4. We request and review your policies and procedures.
  5. We review your Business Associate Agreements and execute a Business Associate Agreement with you.
  6. We provide you with a report on compliance based on the assessment findings and offer concise remediation advice, in “plain English”.  This report will not only serve as your attestation document for future audits, it will also serve as your roadmap to achieving compliance.

In your opinion, why is using a third-party organization to perform the risk assessment (vs. doing it in-house) extremely important?

In my opinion, the biggest reason to use a third party to perform the risk assessment is impartiality.  If you bring in a third party, there is no inherent bias.  The third party has no connection to your overall posture.  This allows for a transparent look at your security posture.  In many industries, a third party is STRONGLY recommended.  Although it may not be intentional, oftentimes, when completed in-house, people overlook simple things because it is not their primary area of focus.  However, those simple things can be of critical importance to the overall security posture of that institution.

Lack of understanding of the overall posture (“that is not my job, but I feel confident that I can answer that question”) is also a very real concern. I have seen this firsthand.  People answer some of those questionnaires and, out of no malice, really mess everything up because they simply do not know or understand what is truly being asked.

Of particular note is that liability issues are deflected to the third party if the business embraces the recommended remediation advice.

Many services provide simple “self-service compliance” via self-driven online questionnaires.  Obviously, use of such a system is fast and relatively inexpensive.  Can you comment on the deficiencies of such a system and the ways in which an organization may leave itself at risk by using one?

I run into that question a lot.  It has been so hard to answer that question without sounding like I am just trying to sell my services.  The bottom line is, there is no checklist that will make you compliant.  The “self-service compliance” products have great possibilities when used in coordination with an actual risk assessment or risk analysis, and when you know what you are talking about.  The key point is that a technical vulnerability scan must be completed.  It is a requirement. The self-help tools do not complete that for you.

I like to compare those tools to a directions application on your smartphone.  The old adage of “garbage in, garbage out!” still holds true. It goes back to the previous questions you had.  Let’s say I want to go to Decatur.  I tell my phone that is where I want to go and start driving.  An hour later, I realize it is taking me to Decatur, Georgia rather than Decatur, Illinois.  I just wasted my time, right?  Not because I wanted to, but because I did not ask the right question.  Well, that could happen to you if you answer the question with the best intention but did not really answer what the tool was asking.

A third party should be unbiased, experienced, know what it is reviewing, and know what follow-up questions to ask where appropriate.  They are also required to complete a technical vulnerability scan and provide you with a report on compliance listing the risks, threats and vulnerabilities that exist within your environment.  As part of this report they should also include remediation advice.  I have not yet met a self-service tool that does all of that the way a third party should.

Meaningful Use also requires a Security Risk Assessment in order to be eligible for monetary incentives.  Is this Risk Assessment any different from the regular HIPAA Security Risk Assessment?

The short answer is yes.  The HIPAA Security Risk Assessment is much more thorough and comprehensive than the Meaningful Use Security Risk Analysis.  The Meaningful Use Security Risk Analysis looks at the Technical, Physical and Administrative safeguards you have in place to secure ePHI.

A thorough risk assessment/analysis [45 CFR §164.308(a)(1)(ii)(A)] for the Security Rule includes a comprehensive assessment of the internal and external networks, whether wired, wireless or cloud-hosted.  In addition, the report must include a technical vulnerability assessment of all the IT assets, all electronic protected health information (ePHI), and the physical and environmental controls, as well as the operational processes (policies and procedures) of the underlying IT infrastructure, across the enterprise.

With regard to Meaningful Use compliance, a technical vulnerability review, as well as assessments of the physical, environmental and operational controls surrounding the electronic healthcare record system, will satisfy the requirements of the Meaningful Use objectives.

Once a Risk Assessment is performed, gaps (issues) will be identified.  Does SCA provide help or guidance in resolving these security deficiencies?

That is a great question.  The answer is yes and no.  Our report rates each risk by citation and also provides exact remediation advice. It breaks the risks into HIGH, MEDIUM and LOW.  The technical report also includes CRITICAL.

We have a fantastic compliance department here at SCA; we can also develop the Policies and Procedures that you need to be compliant with regulatory requirements, as well as appropriate Information Security Awareness training.

However, while we scan and validate any technical vulnerabilities that may exist, we will not complete or assist with the technical remediation.  We work with several companies who do a great job with that piece, but we will not do technical remediation.  That would be like the fox watching the hen house.

Customers are often concerned with “how long” they have to fix issues.  What is the standard answer that you give?

Another great question.  I get that one a lot too.  It all goes back to having a risk management plan.  This is supposed to be an ongoing, continual work in progress.  You should address your Critical and High findings as soon as possible.

There is a tight coupling between a yearly risk assessment and ongoing analysis and assessment to detect new issues as they arise and before a breach occurs.  What kinds of things do you recommend organizations do in order to stay on top of things?

A thorough and comprehensive assessment of risk following NIST guidance will allow you to gain a true understanding of your security posture.  An accurate picture of your security posture allows for you to make informed decisions regarding your risk management plan and process.

Conducting and reviewing these assessments annually as part of your Risk Management Plan is not only important for meeting the regulatory requirements for Meaningful Use and HIPAA compliance, it will also assure that you are putting your practice in the most secure environment possible.

Many other industries look to HIPAA-style Risk Assessments as a gold standard for determining their own operational security.  What other industries do you find most commonly performing Risk Assessments with you and why?

We currently are doing a lot of work in three specific areas.  We work with Financial Institutions, Healthcare, and Title and Settlement.  They are a large focus of our business.  All three of these verticals are required to protect data.  As such, that is where a large portion of our work comes from.  As I mentioned earlier, SCA specializes in providing information security programs in compliance with NCUA, FDIC, OCC, OTS, FTC, HIPAA, PCI-DSS and FRS regulations. Meeting information security guidance and regulation lies at the core of our program.

How long does a HIPAA Risk Assessment take?

Again, we know that there is no “one-size-fits-all” solution.  It varies based on the size and complexity of the organization. For a single doctor’s office, depending on the size of the network and the number of locations, many times it will take 6-8 hours onsite to complete the assessment.  With larger groups, for a few we have worked with, it took 4 days on site to complete all the necessary pieces.  Generally, the Report on Compliance (the report from the assessment with all the findings and remediation advice) is delivered within 4-6 weeks of the onsite assessment being completed.  The first time it is sent it is in draft form; then the client has the opportunity to review it and ask the engineer who completed the assessment any questions they may have before the finalized copy is sent to the client.  At this time, the client may insert comments, such as acknowledging existing risks and accepting the risk.  Compensating controls may address certain vulnerabilities.  HIPAA also defines some areas as addressable, others as required.  If it is an addressable area, you can, for example, find an equivalent measure to meet the requirement.

Visit: Security Compliance Associates.