In its April 2018 cybersecurity newsletter, OCR highlighted the importance of performing a gap analysis. While a risk analysis is necessary to identify the risks and vulnerabilities that hackers could exploit to access ePHI, a gap analysis helps determine the extent to which a healthcare organization or business associate complies with specific elements of the HIPAA Security Rule.
A comprehensive, organization-wide risk analysis is a requirement of HIPAA. Covered entities and business associates must perform one to identify risks to the confidentiality, integrity and availability of ePHI (45 CFR § 164.308(a)(1)(ii)(A)). Failing to perform a risk analysis can mean that certain vulnerabilities go unidentified, leaving threat actors free to exploit them to gain access to ePHI. HIPAA does not prescribe a specific method for conducting a risk analysis, but there are certain elements that every risk analysis should include.
- It should include a comprehensive assessment of all risks to ePHI. This covers all ePHI that is created, received, stored or transmitted, wherever that ePHI is located or originates.
- It should cover every location and information system used to create, receive, maintain or transmit ePHI. Take an inventory of all applications, communications equipment, mobile devices, electronic media, physical locations, networks, workstations, EHRs and servers.
- It should assess both technical and non-technical vulnerabilities. Technical vulnerabilities include software flaws, misconfigured information systems and security solutions, and weaknesses in IT systems. Non-technical vulnerabilities relate to policies and procedures.
- It should assess the effectiveness of the current controls, such as AV software, encryption software, endpoint protection systems and patch management, and document the findings.
- It should identify not only the vulnerabilities that specific threats could exploit but also the impact if a vulnerability is exploited.
- It should determine the level of risk posed by each specific threat or vulnerability so that mitigation actions can be prioritized.
- It must be properly documented to show that a comprehensive, organization-wide risk analysis was indeed conducted. This documentation is necessary in case OCR investigates or performs a compliance audit.
- It isn’t a one-time process. Although HIPAA does not say how frequently it should be performed, it must be a regular, ongoing process to maintain HIPAA compliance. It is most effective when integrated into business processes.
After the risk analysis, a HIPAA-compliant security risk management process must be in place to reduce risks to an appropriate level (45 CFR § 164.308(a)(1)(ii)(B)).
HIPAA does not require a gap analysis, but one helps confirm whether the healthcare organization has satisfied the requirements of the HIPAA Security Rule and pinpoints the areas where it is not yet compliant. A gap analysis can be used as part of the organization’s compliance efforts, and an organization can perform several gap analyses covering different sets of standards and implementation specifications of the HIPAA Security Rule. Note, however, that a gap analysis is not the same as a risk analysis, because it does not cover all potential risks to the confidentiality, integrity and availability of ePHI.