Enterprise-Wide Risk Analysis: How Non-Healthcare Organizations Can Learn From HIPAA

Enterprise-Wide Risk Analysis

Enterprise-wide risk analysis. This was the common theme running through the 11th Annual OCR/ NIST HIPAA conference – Safeguarding Health Information: Building Assurance through HIPAA Security.  But this is a best practice for all organizations from all industries, not just healthcare.  Other industries can probably get valuable input from HIPAA law because it focuses on enterprise-wide risk analysis and management to have a comprehensive baseline security posture for your organization. Compliance exists to provide a measure of security and you can look into compliance laws to understand security best practices. Systems are connected. A cyberattack on one system can easily propagate to another system within your organization.  This heightens the importance and needs for every organization to undertake an enterprise-wide risk analysis as a critical step towards strengthening security posture. Risk analysis must be thorough and accurate. In the largest medical data breach settlement with Anthem, the Office for Civil Rights (OCR) reported that Anthem had failed to conduct an enterprise-wide risk analysis, among other violations.   For this and other process vulnerabilities, Anthem has been levied a 16 million dollar penalty by OCR, the largest ever HIPAA penalty to date.  

Some key learnings about enterprise-wide security analysis

• When you do your risk analysis, there must be evidence that you have considered your organization in total for this enterprise-wide risk analysis. All locations should have been considered.
• If your vendors have access to your confidential information or to Personally Identifiable Information (PII), have you conducted a Third Party Information Security Assessment?
• Know your data. Prepare a complete data map of everywhere your confidential and private data is held, and in all forms and formats.  You can't protect it if you don't know where it is.  Where is your data, how does it flow in and out of the organization, and between departments and functional areas.
• Classify your data.  How would a data breach impact the confidentiality, integrity, and availability of your data? 
• After the risk analysis or risk assessment is done, ensure that a detailed report outlining findings and recommendations is produced and communicated at the highest levels of your organization.
• Prioritize your risks and prepare a plan to address them. Critical and high-priority risks or vulnerabilities should obviously be addressed at the earliest.
• Risk analysis is an ongoing process. You must reassess periodically especially if you are implementing new tools and systems. A commonly followed best practice is to conduct a security risk assessment once a year, at a minimum, and more frequently if infrastructure changes may require it. 

Another way for you to learn from HIPAA, even if you are not in healthcare, is this HIPAA Compliance flowchart.

This is a high-level flowchart to help a healthcare organization strategize on steps needed to comply with HIPAA.  Even as a non-healthcare organization you can go through the process to see if you have reviewed your safeguards at all levels to prepare a security or risk management plan. 

If you have not yet conducted your organization’s enterprise-wide security risk assessment or security risk analysis, schedule it today.  You can either conduct it using in-house personnel or you may choose to outsource it. Either way, you cannot afford to wait.