Risk Assessments: Expert Advice
How NIST Guidance Can Help Healthcare Security Pros
The recently updated risk assessment guidance from the National Institute of Standards and Technology can help healthcare security pros gain a better understanding of how to assess security risks and take action to mitigate them, says Borten, president of The Marblehead Group.
The HIPAA Security Rule, as well as the HITECH Act's electronic health record incentive program, require risk assessments. Nevertheless, many healthcare organizations find conducting a risk assessment "intimidating," she acknowledges in an interview. That's why the NIST guidance will prove helpful to many, she says.
The Department of Health and Human Services has helped call attention to the importance of risk assessments through HIPAA enforcement actions. In recent cases, HHS has issued large financial penalties after data breach investigations identified HIPAA compliance shortcomings, including the lack of a current risk assessment. (See: Another Big Fine After a Small Breach.)
By using the NIST guidance, healthcare providers can get a much better understanding of fundamentals such as risks, threats and vulnerabilities, Borten suggests. "It's very important that healthcare organizations are aware of this resource, use it and develop their own policies," she says.
The updated NIST SP 800-30 guidance is "more accessible" to healthcare providers than NIST's earlier guidance, Borten says. "My sense is that the core content hasn't changed, but what has changed is the tone. It's more business-oriented."
Still, the NIST guidance is just a roadmap; it doesn't give specific directions for reaching your chosen destination, she stresses. She advises healthcare organizations to use the guidance to help craft a customized assessment and pinpoint a plan for mitigating risks.
In the interview, Borten also discusses:
- The differences between doing risk assessment for compliance with HIPAA versus the HITECH EHR incentive program;
- How frequently risk assessments should be conducted;
- Circumstances when encryption of health data might not be needed, and how to document such decisions.
Before founding The Marblehead Group in 1999, Borten led the enterprisewide security program at Massachusetts General Hospital in Boston and established the first information security program at Beth Israel Deaconess Medical Center and its parent organization, CareGroup, as its chief information security officer.