HIPAA-required risk analysis can prevent malware attacks

CDA has fielded calls recently from dental practices wishing to learn more about the risk analysis required of all entities covered by the Health Insurance Portability and Accountability Act. Coincidentally, in response to the rapid rise of ransomware attacks, the U.S. Department of Health and Human Services' Office for Civil Rights (OCR) in July issued new guidance to help health care providers prevent, detect and respond to malware attacks. Conducting a risk analysis is identified as a key step.

Malware (malicious software) is intrusive software designed to damage or disable computer systems. It includes such forms as computer viruses, adware, spyware and ransomware, which prevents a computer user from accessing data and then demands payment of a ransom to regain access.

The guidance emphasizes that, under the HIPAA Security Rule, health care providers are required to comply with security measures to help prevent infection by ransomware and other types of malware. Among other actions, the provider should:

  • Implement a security management process, which includes conducting a risk analysis to identify threats and vulnerabilities to electronic protected health information (ePHI) and implementing security measures to mitigate or remediate the identified risks.

The risk analysis should be "accurate and thorough." Furthermore, the guidance notes that HIPAA-covered providers are expected to use risk analysis not only to satisfy the specifications of the Security Rule, but to implement security measures that reduce the identified risks and vulnerabilities "to a reasonable and appropriate level" throughout the organization's entire enterprise. The guidance cites firmware updates as an example: providers should "identify and address the risks [to ePHI] of using network devices running on obsolete firmware, especially when firmware updates are available to remediate known security vulnerabilities."
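As an added illustration of the firmware point above (this is not code from the CDA article or from the OCR guidance), the following Python script flags devices in a practice's network inventory whose firmware is older than the vendor's minimum patched release and rates each finding by whether ePHI crosses the device. The device inventory, the model names and the minimum-version baseline are constructed sample data; a real baseline would be taken from each vendor's release notes and security bulletins. It also shows why versions must be compared numerically rather than as strings ("1.9.2" sorts after "1.10.0" alphabetically but is the older release).

```python
"""Flag network devices running obsolete firmware.

Added example for the OCR firmware point; not part of the CDA article or
the OCR fact sheet. MIN_FIRMWARE and INVENTORY are constructed sample data
with hypothetical model names, not real vendor advisories.
"""
from dataclasses import dataclass
import re


@dataclass
class Device:
    name: str        # hostname or label in the practice's inventory
    model: str       # vendor model string used to look up the baseline
    firmware: str    # firmware version currently running
    ephi_path: bool  # True if ePHI is stored on or passes through the device


@dataclass
class Finding:
    device: str
    risk: str        # "high", "medium" or "unknown"
    detail: str


# Constructed baseline: oldest firmware per model that contains the vendor's
# fixes for known vulnerabilities (hypothetical models and versions).
MIN_FIRMWARE = {
    "ExampleRouter-100": "2.4.1",
    "ExampleSwitch-24": "1.10.0",
    "ExampleNAS-2": "5.2.3",
}

# Constructed inventory for a small practice.
INVENTORY = [
    Device("edge-router", "ExampleRouter-100", "2.3.9", ephi_path=True),
    Device("office-switch", "ExampleSwitch-24", "1.9.2", ephi_path=True),
    Device("backup-nas", "ExampleNAS-2", "v5.2.3", ephi_path=True),
    Device("guest-ap", "ExampleAP-7", "3.1.0", ephi_path=False),
]


def parse_version(text: str) -> tuple:
    """Turn 'v2.4.1' into (2, 4, 1) so versions compare numerically.

    Only the leading dotted numeric part is used; trailing zero components
    are dropped so that '2.4' and '2.4.0' compare equal.
    """
    m = re.match(r"\s*v?(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no numeric version in {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def assess(devices, baseline) -> list:
    """Return one Finding per device that is obsolete or has no baseline."""
    findings = []
    for d in devices:
        minimum = baseline.get(d.model)
        if minimum is None:
            # A device the practice cannot baseline is itself a gap in the
            # risk analysis: it must be researched, not silently skipped.
            findings.append(Finding(d.name, "unknown",
                                    f"no firmware baseline for model {d.model}; "
                                    "obtain vendor advisories"))
            continue
        if parse_version(d.firmware) < parse_version(minimum):
            # Impact is driven by whether ePHI depends on the device.
            risk = "high" if d.ephi_path else "medium"
            findings.append(Finding(d.name, risk,
                                    f"running {d.firmware}, vendor minimum is "
                                    f"{minimum}; schedule firmware update"))
    return findings


if __name__ == "__main__":
    for f in assess(INVENTORY, MIN_FIRMWARE):
        print(f"[{f.risk.upper():7}] {f.device}: {f.detail}")
```

The script reports the router and switch as high-risk findings, records the access point as an inventory gap, and is silent about the NAS, which is already at the baseline release. A practice would keep the inventory and baseline in its risk-analysis documentation and re-run the check whenever a vendor publishes a security bulletin.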

OCR can impose (and has imposed) financial penalties on health care providers that fail to appropriately manage risks to protected patient information, for example by failing to install software patches.

Dental practices have several do-it-yourself options for conducting a risk analysis:

  • Use the ADA's "Complete HIPAA Compliance Kit," available for purchase at the ADA store. The kit includes tools to help practices "design and implement a comprehensive HIPAA compliance program using a step-by-step approach." Chapters cover risk analysis, security awareness, response and reporting, and contingency plans among other topics.
  • Use the "Security Risk Assessment Tool," developed by the Office of the National Coordinator for Health Information Technology in collaboration with the HHS Office of the General Counsel and OCR. This tool guides health care providers in small to medium-sized offices through each HIPAA requirement by presenting questions about the practice's activities; yes-or-no answers determine whether the practice needs to take corrective action on a specific item. The free application also produces a report that practices can provide to auditors. The app runs on Windows (desktop and laptop) and on Apple iOS for iPad. It may be downloaded at healthIT.gov or from the Apple iTunes store.
  • Hire a third party or utilize existing IT service providers. Some dentists may want to utilize an IT consultant to examine how electronic information is stored and transmitted at their practice and to identify risks and threats. The risk analysis would entail several elements, including data collection; identification and documentation of potential threats and vulnerabilities; assessment of current security measures; and determination of the likelihood and potential impact of threat occurrence and the level of risk.

Another resource, "Guidance on Risk Analysis Requirements Under the HIPAA Security Rule," is available on the HHS website.

Related Items

In May, several thousand HIPAA-covered entities received emails from the U.S. Department of Health and Human Services' Office for Civil Rights (OCR) as the agency rolled out Phase 2 of its HIPAA Audit Program. One email asked covered entities to confirm contact information; once the information was confirmed, covered entities received a questionnaire and were given 30 days to complete it.

Dental practices are among the victims falling prey to ransomware, a type of malware that infects and disables computers and demands payment from victims to restore computer access. The Dentists Insurance Company warns dentists that ransomware can bring a practice to a standstill.