Have You Completed a Risk Analysis? You’d Better, If You Are a Healthcare Organization
According to the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR), healthcare organizations must provide a completed risk analysis. According to the OCR, “Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization]. See 45 C.F.R. § 164.308(a)(1)(ii)(A).”
So where do you find your vulnerabilities?
- Paper records – 21%
- Network server – 17%
- Laptop – 17%
- Email – 10%
- Desktop computer – 10%
- Other – 10%
Organizations frequently underestimate the proliferation of electronic protected health information (ePHI) within their environments. When conducting a risk analysis, an organization must identify all the ePHI created, maintained, received or transmitted.
The lack of an adequate risk assessment, as required by the Health Insurance Portability and Accountability Act (HIPAA), is a recurring finding. In fact, the problem of ePHI proliferating throughout an organization on various devices and systems where it may not be properly accounted for is not new.
There are many places where ePHI can hide and come back to bite you: applications such as electronic health records (EHR) and billing systems, documents and spreadsheets, database systems, web servers, fax servers, cloud servers, medical devices, messaging apps, removable media, transcriptions, and social media.
We invite you to read our Insight Into Healthcare Security article. And if you need to eliminate ePHI and sensitive data vulnerabilities, let us know.