Speaker 1: You're listening to Your Practice Made Perfect, support, protection and advice for practicing medical professionals brought to you by SVMIC. J. Baugh: Hello everyone and welcome to this episode of Your Practice Made Perfect. My name is J. Baugh, and I'll be your host for this episode. Today we're going to be talking about Security Risk Analysis, step one of an effective cybersecurity program and to join us today is Loretta Verbeck. And we'll introduce her in just a moment. With the increase of cyber attacks in the healthcare industry. There is even more emphasis being placed on securing patient information. Today we're joined by Loretta Verbeck to discuss one of the major requirements of the HIPAA security rule and how it can play a key role in an effective cybersecurity program. Loretta, it's good to have you with us today. Speaker 1: Thanks Jay. It's great to be here. J. Baugh: Before we get started on the topic. Maybe you could give us a brief introduction of yourself for us. Loretta Verbeck: Sure. I have been in working in the healthcare industry for over 25 years now. And some of the listeners may remember that I spent 12 of those years in the medical practice services department at SVMIC. And during that time and prior to, I've spent a lot of time working with physicians in their of practices on HIPAA compliance. And it seems like there has been a great need for those private practices to really understand the HIPAA privacy and security rules. So I have enjoyed that work and I hope that I can provide some very helpful information to the listeners today. J. Baugh: Well, I'm sure that you will be able to do that, Loretta. I am one of the claims attorneys at SVMIC, and I know that Loretta was very helpful in providing information for us as our HIPPA guru while she was at SVMIC. So I'm looking forward to hearing what Loretta has to tell us today. So Loretta, there's been so much talk lately about cyber security, multifactor authentication, ransomware attacks, and it seems overwhelming to try to keep up with everything that you have to do to keep patient information safe. Loretta Verbeck: I agree Jay, it can be overwhelming. And that's why I think it's important for medical practices to really get back to the basics of security. J. Baugh: Now, what do you mean when you say the basics of security? Loretta Verbeck: What I mean by the basics is the HIPAA security rule. This rule has been around since 2005. And since that time it has required covered entities, which are our policy holders to protect not only the confidentiality of that information, but also the integrity of the information and the availability of that information. So if a practice is protecting those things in regard to Electronic Protected Health Information, then they're not only checking that compliance box, but they're also addressing and minimizing cyber security risks. The unfortunate part is that many covered entities and their business associates still struggle to meet those security rule requirements. Loretta Verbeck: And one in particular is the Security Risk Analysis. And we know this because of the information that has been made available through either enforcement, through the office of civil rights or through some of the audits that have been conducted. And actually there were the latest audit industry report, which was released in December 2020. It actually indicated that most covered entities and their business associates failed to implement the HIPAA security rule requirements for Security Risk Analysis. And then that next step which is risk management. And another thing that was identified is that even if a security risk assessment has been performed, in most cases it wasn't accurate. And so lack of an accurate and thorough Security Risk Analysis has been one of the most cited deficiencies in enforcement action taken by HHS through the OCR. J. Baugh: So you mentioned a moment ago that this rule has been around since 2005, which means these requirements have been in place for the last 16 years. So shouldn't it be easier now to comply with these rules? And why do you think it's been so hard for medical practices to do that? Loretta Verbeck: I really think that there's been a lot of confusion that has then in turn led to some misconceptions with what really has to be done from a security standpoint. So taking the Security Risk Analysis or SRA, for example, it requires covered entities to conduct an assessment of all of the potential risks and vulnerabilities, again to the, not only the confidentiality, but also the integrity and availability of all Electronic Protected Health Information. This means any protected health information that is created, received, stored or maintained. So I believe that opens up some of the confusion because it historically, or when going back to 2005, not a lot of healthcare providers had an Electronic Health Record. So there was this misconception that if I don't have an Electronic Health Record, I don't have to worry about the security rule, but in essence it's any Electronic Protected Health Information. J. Baugh: So you emphasize the word all and any, when you said all electronic PHI and any PHI so I'm assuming this means that the scope of the SRA goes beyond the Electronic Health Record, is that right? Loretta Verbeck: Yes. And if you don't include all electronic PHI and only focus on your EHR, then that's where the Security Risk Analysis will not be considered accurate and thorough. J. Baugh: So can you give us some examples of where electronic PHI might be other than the EHR, maybe some of the commonly overlooked areas that you've noticed in your work with physician practices? Loretta Verbeck: Sure. So in addition to the Electronic Health Record, PHI can be found in your billing systems, it can be in email applications. A lot of organizations now are using digital faxing services and even thinking beyond that, even certain medical devices or medical equipment that is being used to, for example, an x-ray machine or a CT scanner, those pieces of equipment also store electronic health information. And then if you're storing backups of your EHR or your billing system in the cloud, that would have to be included as well. And then of course you can't leave out laptops, tablets, mobile devices, any other electronic media that involves that Electronic Protected Health Information. Some of the most common overlooked places that I have noticed in my years of doing this is, email typically gets overlooked, but also voice over IP telephone systems. We have so many organizations now that are using that technology. Loretta Verbeck: And if you think about it, if patients are leaving voicemails, or if you have the ability to store those conversations, that's also Electronic Protected Health Information. And then we can't leave out personal devices that are used by physicians or any of their staff. So in order to get a true picture of all EPHI, practices really need to involve the entire organization when they are beginning to conduct that Security Risk Analysis. And they also, in that process, and I think there is sometimes some confusion between administration of a practice and then what's actually happening in the practice. So I don't think it should just be assumed that people aren't using their personal devices for either creating or transmitting Electronic Protected Health Information, which is why it's important to conduct those interviews and actually talk to the physicians and the staff. J. Baugh: Well, it sounds like an SRA can be a really big project. So is this something that the practice has to do or is it something that can be outsourced to another party? Loretta Verbeck: Well, the practice can conduct it on their own or they can contract with a third party to do it for them. And sometimes I think, because of the nature of the security rule, and again, kind of going back to what I said about some confusion and misconceptions, I think there are many practices that do want to outsource that. But regardless of whether it's done in the practice or it's outsourced to a third party, the responsibility of making sure that an accurate and thorough SRA is conducted, that responsibility is on the covered entity or the practice. Loretta Verbeck: Another thing I would mention is that, but someone in the practice, whether it's the office manager administrator, or if there is a designated HIPAA officer, even if the task is outsourced to a third party, that individual needs to be involved in that SRA process because the assessment is not just technical in nature. In fact, more of the assessment is based on administrative tasks, like policies and procedures. So it really is something that has to involve someone at the practice level. And then if they're outsourcing it, someone with a technology background to help them complete the entire process. J. Baugh: Well, it sounds like even if you outsource the job, there still needs to be a level of involvement to make sure it's complete. Loretta Verbeck: It's exactly right and I think this is a process that gets missed because again, thinking if you're outsourcing the task, you've outsourced it so you don't have to worry about it. But as I've mentioned, that's really not the case. You want to make sure that the end result of what you are getting in that security risk assessment, you can actually use it to reduce risk. That's the ultimate goal of the Security Risk Analysis, is to identify risks and then reduce those risks to reasonable levels. A bonus of doing this is not only again, are you meeting your security role requirements and obligations, but you are putting things in place that protect that Electronic Protected Health Information, which also protects patient care because you will be able to have availability of that information. And it also protects the confidentiality of that information. J. Baugh: So you mentioned mitigating risks identified by the SRA. Can you tell us a little bit more about this process? Loretta Verbeck: Sure, sure. So this is the risk management process, which is also a requirement of the security rule. So risk management includes the prioritization and actual implementation of security measures that can reduce the risks that were identified by the SRA. You're not going to be able to completely remove risk, but the goal is to bring those risks down to reasonable and appropriate levels. An example is your SRA may indicate a high risk of EPHI being lost because appropriate backups aren't in place. Loretta Verbeck: So since that's a high risk issue, it would need to be addressed as soon as possible with a safeguard that would reduce that risk to a reasonable level and an option of what you could do to reduce that risk would be to implement an offsite backup. And this is the process that would be done with all identified risks based on their assigned risk levels, because a risk assessment, the output of that is going to give you direction on where focus that mitigation. And you should always focus on your highest level of risk first, and then of course, work down the list. J. Baugh: So since this is an ongoing process, what do you recommend as a timeline for conducting an SRA? Or is there a specific HIPAA requirement that dictates how often one should be completed? Loretta Verbeck: This is, and this is such a good question because there's also quite a bit of confusion around the timeline as well. So in the rule itself, there is no specific timeline outlined within that security rule. Instead, the rule states that risk analysis and risk management are ongoing and must be periodically reviewed and updated based on changes within the organization's environment. So what this means is if new technology is added, for example, like a new EHR, or if a new process for communicating with patients is being used like maybe we're doing some video conferencing for telemedicine. I think that's been a big issue over the last 18 months. So that's new technology that would be added. So those things would need to be added to the Security Risk Analysis. Any risks that are identified have to have a corresponding security measure put in place again, like I said, to reduce those risks. Loretta Verbeck: So over time, this Security Risk Analysis, as we've talked about before, it's really ongoing. And even though you may reduce some risks as changes to your environment occur or new risks can pop up. So it's just that ongoing constant assessment of the systems that are in place and then the appropriate security measures that you have put in place. You also have to make sure that those are working. So I would recommend reviewing the SRA on at least an annual basis at the very minimum. Loretta Verbeck: And of course, if it's been six months in to an SRA and you have a new change in your environment, I'm not saying, wait until end of the year. I think you do need to assess it then, but if there are no changes to what you're doing in the practice then on an annual basis, seems to be a good recommendation. But you also have to keep in mind that if you're participating in any payment incentive program, like the MIPS program, that program actually has a requirement to perform, or at least review your SRA during the performance period. So even though the HIPAA security rule doesn't dictate you must do a risk analysis every year, the MIPS program and other incentive programs in the future may tie to that. And that is going to make the organization that is participating in that program, they're going to have to do it every year within the performance period. J. Baugh: Well, Loretta, you have certainly given our listeners a lot of really good information about the SRA and the risk management process. So as we're getting ready to wrap up this episode, do you have any final tips that you would like to give to our listeners? Loretta Verbeck: Sure, sure. Thanks Jay. I think the biggest thing that can be taken away from the SRA process is that following the security rule requirement to actually conduct the risk analysis, it's really that first step of an effective cybersecurity program because it puts the spotlight on areas that could pose the most significant risk to your practice. And then by identifying those risks, you what action to take that can reduce them to a reasonable and appropriate level through that risk management process. And I want to encourage the listeners to try not to be too overwhelmed by the Security Risk Analysis process. There really are several resources that are available to help healthcare organizations meet the requirements. In fact, SVMIC has fantastic resources that can be accessed to help policy holders. And then there is also the Department Of Health And Human Services through the Office For Civil Rights has a series of papers that are written specifically to provide guidance to the security rule. Loretta Verbeck: And those links to that information can be added to the notes part of this podcast. And I would encourage any organization that's getting ready to either review an existing process or conduct the Security Risk Analysis for the first time. I would absolutely recommend looking at the security rule series of papers that is online with HHS. And then finally, I think it's important to remember that it's all Electronic Protected Health Information that has to be included in this risk analysis. So I encourage practices to involve the higher workforce as you're doing this because you want to make sure that you are getting an accurate picture of where all of your Electronic Protected Health Information is being used, it's being created transmitted or stored. Loretta Verbeck: And by doing this, and I know many practices are focused on, we really want to be in compliance and you do that absolutely is so important. You want to be in compliance, but what this does when you're in compliance, it is also protecting that patient data, which is the ultimate goal, is to make sure that you can continue to treat your patients, have access to the data that's necessary to treat your patients. The Security Risk Analysis, even though it might seem a little overwhelming, the purpose is so important because you're ultimately making sure that you are protecting that patient data and that you have access to it in order to continue to treat your patients. J. Baugh: As always, we would like to remind our listeners that they can check out our show notes to find links to various resources that are mentioned in that particular episode. And in this episode, we will obviously have links in the show notes for the various resources that Loretta has mentioned. So we want to give a big you to Loretta Verbeck for being here with us today, giving us some great information on a very important topic. So once again, Loretta, thanks for being with us today. Loretta Verbeck: Sure. Thanks Jay. Speaker 1: Thank you for listening to this episode of Your Practice Made Perfect. Listen to more episodes, subscribe to the podcast and find show notes at svmic.com/podcast. The contents of this podcast are intended for informational purposes only and do not constitute legal advice. Policy holders are urged to consult with their personal attorney for legal advice as specific legal requirements may vary from state to state and change over time. All names in the case have been changed to protect privacy.