The HIPAA Omnibus Final Rule, released January 2013, goes into effect this month – Sept 23, 2013. Over the last several weeks, I’ve been posting a blog series around nine HIPAA network considerations.
- HIPAA Audits will continue
- The HIPAA Audit Protocol and NIST 800-66 are your best preparation
- Knowledge is a powerful weapon―know where your PHI is
- Ignorance is not bliss
- Risk Assessment drives your baseline
- Risk Management is continuous
- Security best practices are essential
- Breach discovery times: know your discovery tolerance
- Your business associate(s)must be tracked
This blog focuses on #6 – Risk Management is Continuous.
You can look at the Risk Management implementation specification as the actions taken in response to the Risk Assessment. The HIPAA Security Rule defines Risk management (Required): “Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with [§ 164.306(a)]”
(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
(3) Protect against any reasonably anticipated uses or disclosures of such information
One common mistake companies make in compliance programs is taking the approach that once the work is done, the network doesn’t have to be looked at again for compliance. If they put the security programs, processes, and technologies in place, they don’t have to spend time on compliance until next year (or the year after that, or even longer).
This makes compliance a onetime effort that is then ignored. Worse, securing PHI often follows the same path, making it easy to hack and steal, causing a lot of problems for everyone involved. Risk management―reducing risk―needs to be a continuous activity. Through your risk assessment, you’ll know where your PHI is, what your highest risk factors are, and where to implement more continuous risk management tools in the network.
Continuous risk management does not mean tracking every single event on every single device throughout the network. It may mean turning on automatic alerts on critical devices, setting traffic thresholds in network areas where PHI resides, logging anomalous events in those critical areas, and using network management tools to make sense of all this information the network devices are collecting.
Risk management is about a lot more than achieving HIPAA compliance, reducing risk to PHI and helping to prevent theft of PHI is of critical value.
Recommendation: Understand where you should implement continuous risk management, and what logging, alert, detection, and management tools you already have that can help with risk management.
To learn more about Cisco® compliance solutions and HIPAA services, please visit http://www.cisco.com/go/compliance