Risk analyses are vital to identifying privacy and security vulnerabilities resulting from the introduction of novel forms of health information technology (IT). At an afternoon panel on privacy and security at last week’s 2013 eHealth Summit, hosted by the Centers for Medicare & Medicaid Services (CMS), this lesson was hammered home.
According to panelists of the session, “Challenges and Opportunities with Privacy and Health Information Technology,” there are no shortcuts when it comes to performing a risk analysis of the threats posed by mobile devices in healthcare environments.
“Don’t take shortcuts,” explained Mark Savage, Director of Health IT Policy and Programs at the National Partnership for Women & Families (NPWF). “Don’t think just because it’s easier to do this now and there’s a risk, I’m going to go ahead and do it. Follow the risk analysis. It’s what is going to tell you this is the thing we know from experience is going to provide the greatest protection for the patient’s information and for the doctor’s information, too, for that matter.”
Coupled with this understanding that there are no shortcuts to a proper risk analysis is the understanding that analyzing risk is an ongoing and continual process. “The risk analysis is an ongoing process. Circumstances change; therefore, the risk changes,” added Savage.
An important facet of ensuring that risk analyses are conducted on a recurring schedule is educating staff about the importance of mitigating threats to protected health information (PHI) and personally identifiable information (PII). “It’s a culture change of weaving in the assessment of privacy and security into the workflow,” Savage emphasized.
As to how a proper risk analysis should be conducted, a panelist representing the Office for Civil Rights (OCR) offered details, in particular identifying how a risk analysis is one of two key steps in the process of security management.
“There is quite a lot of guidance on the OCR website as to how to conduct a security management process,” said John Benevelli, Acting Senior Advisor for HIPAA Compliance and Enforcement at OCR. “The two fundamental steps to that process are a risk analysis, where the covered entity would identify the risk as their environment changes incorporating mobile devices, have those risks, and then they would develop a mitigation strategy to address those risks appropriate for their environment.”
As for the timing of performing these tasks, Benevelli advised covered entities to resist the urge to wait until official policy is issued:
What I would encourage (and I think OCR would encourage) would be to not wait until there’s an official policy that mobile devices can be used in our environment for EHRs or to just communicate with patients. But as they see people using their iPhones and their iPads more, make sure it’s in your security analysis. Make sure it’s identified as a possible risk and then develop a mitigation strategy. A mitigation strategy with mobile technology should start with encryption — encryption, encryption, encryption — and also just making sure that the apps that you upload are appropriate.
According to Benevelli, the importance of the risk analysis cannot be overstated, especially considering the role it plays in the wake of a health data breach.
“As your environment changes, which includes more mobile devices,” he continued, “do another security analysis because from the enforcement perspective that’s the first document that OCR is going to ask for if there’s a breach that comes out of the loss of a mobile device, ‘Show me your risk analysis.’”
In short, there’s no replacement for a risk analysis in healthcare, and the path of least resistance is often one that could come back to haunt a covered entity.