Four ways Aligned Risk Management makes HIPAA easier in 2019

Many health care organizations struggle to comply with required HIPAA regulations and many have forfeited important Merit-base Incentive Payment System (MIPS) incentive funds. Aligned Risk Management is here to ensure that every health care organization can affordably comply with HIPAA and MIPS. Below are four simple steps you can take today.

  1. Visit our HIPAA site.
  2. Call or email for a free HIPAA checkup.
  3. Take advantage of our low cost, comprehensive HIPAA privacy and security risk assessment.
  4. Check out our free FAQ.

Visit our HIPAA site.

https://alignedriskmanagement.com/HIPAA

Here you will find many free educational opportunities, tools, policy and procedure templates, and other important materials to assist you with your HIPAA compliance efforts.

Call or email for a free HIPAA checkup.

505-908-9040 or patrick@riskaligned.com

Have an easy conversation with our certified HIPAA professional and gain confidence about your current HIPAA and MIPS readiness, or find out what steps you can take to benefit your organization and patients.

Take advantage of our low cost, comprehensive HIPAA privacy and security risk assessment.

505-908-9040 or patrick@riskaligned.com

Federal HIPAA regulations and the advancing care information (ACI) category of MIPS require you to perform an audit-worthy security risk analysis and complete a risk management plan to become HIPAA and MIPS compliant. Aligned Risk Management will guide you through the process and provide you with the policy and procedure templates, tools, and materials necessary to comply with HIPAA, pass an audit, and receive the MIPS incentives you deserve.

Check out our free FAQ.

https://alignedriskmanagement.com/category/memo/

Whether you are new to HIPAA or just need a refresher, you will find our HIPAA webinars informative
and helpful. Join us as we share our HIPAA knowledge and experience, and answer your HIPAA
questions.

How our company’s public exposure benefited from the government shutdown

Sit back, relax, and read my story about how the Aligned Risk Management team was able to benefit in a most unexpected way from the recent government shutdown.

The longest partial government shutdown in the history of the United States was ended recently. It began on December 22, 2018 after Democrats refused to support a new temporary continuing resolution in the Senate that included approximately $5 billion for the new border wall. Lasting 35 days, the deadlock was resolved on January 25, 2019.

With a 1980 interpretation of the 1884 Antideficiency Act, a “lapse of appropriation” caused by political impasse on proposed appropriation bills requires that the federal government curtail agency activities and services, close down non-essential operations, furlough non-essential workers, and only retain essential employees in departments covering the safety of human life or the protection of property.

This lapse of appropriation impacted the National Institute of Standards and Technology. NIST is a physical sciences laboratory, and a non-regulatory agency of the US Department of Commerce. Its mission is to promote innovation and industrial competitiveness. The institute’s activities are organized into laboratory programs. For our purposes, we’re going to focus on the institute’s information technology standards.

NIST has published a great number of excellent standards followed by innumerable business, government agencies, and the like. They’re referred to as NIST Special Publications, which are a type of publication issued by NIST. Specifically, the Special Publication 800-series reports on the Information Technology Laboratory’s research, guidelines, and outreach efforts in computer security, and its collaborative activities with industry, government, and academic organizations

Just days before the shutdown, NIST released the highly anticipated Risk Management Framework 2.0. Because of the shutdown, this directly impacted the availability of this new document as the NIST website was partially taken offline.

For about 35 days, the Aligned Risk Management team […] were unable to review certain NIST Special Publications […].

For about 35 days, the Aligned Risk Management team and the entire country were unable to review certain NIST Special Publications that serve as standards for the information technology industry and related fields.

Aligned Risk Management takes great pride in consolidating the best industry practices in information technology, security, and privacy, and relies on standards set by NIST and other trusted bodies. As such, we were among those that were anticipating the release of the Risk Management Framework 2.0. We published a story related to the release.

Segue.

Everyone these days is aware of Search Engine Optimization, or SEO. Do your keywords right and you’ll show up better in search results. As a result of our increased focus on our own SEO, the unavailability of the NIST site allowed Aligned Risk Management to pick up on some of the NIST-specific keyword traffic during the shutdown.

Aligned Risk Management’s quantifiable benefits resulting from the partial government shutdown, in the form of Google analytics.

The unavailability of certain web-pages caused Google, Bing, DuckDuckGo, and other search engines to penalize the cached listings of NIST in search results. The timing was perfect, and Aligned Risk Management picked up considerable traffic for search terms related to the NIST Risk Management Framework 2.0 for obvious reasons: our page was available and theirs wasn’t.

In unrelated news, here’s our copy of NIST Special Publication 800-63-3: Digital Identity Guidelines. You know, just in case.

The team at Aligned Risk Management wish to thank President Donald Trump, Speaker of the House Nancy Pelosi, and the United States Senate for allowing us to take such great leaps in public exposure. We promise to use this newfound publicity wisely.

That’s my story. Thanks for reading.

Critical Parts of a Quality Risk Management Plan (Part 1)

A Risk Management Plan is the part of your compliance approach that plans, identifies, and analyzes risks.

The premier HIPAA compliance consulting firm, Aligned Risk Management.

Parts of a Risk Management Plan

  1. Risk Planning
  2. Risk Identification
  3. Risk Analysis
  4. Risk Response Plans
  5. Risk Register

Risk Planning

Risk is defined by the Project Management Institute as an uncertain event or condition that, if it occurs, has a positive or negative effect on one or more project objectives. Risk management is the process of identifying, analyzing, mitigating, and communicating risks.

Definitions

All systems have vulnerabilities. The US Department of Health and Human Services defines a vulnerability as:

[a] flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.

The US Department of Health and Human Services defines a risk as:

The net mission impact considering the probability that a particular [threat] will exercise (accidentally trigger or intentionally exploit) a particular vulnerability and the resulting impact if this should occur.

Risks arise from legal liability or mission loss due to:

Unauthorized (malicious or accidental) disclosure, modification, or destruction of information; Unintentional errors and omissions; IT disruptions due to natural or man-made disasters; Failure to exercise due care and diligence in the implementation and operation of the IT system.

When a risk event occurs, it is no longer uncertain. It becomes an issue.

Risk is a function of the likelihood of a given threat exercising a particular potential vulnerability, and the resulting impact of that adverse event on the organization, mitigated by controls. The relationship among these five concepts forms the basis of our risk assessment approach, which can be thought of as a formula:

(Impact · Likelihood) × (Threat · Vulnerability)
Controls

“Math”

The risk level is calculated using three underlying components:

  • Likelihood: The probability of the event happening. How likely is it that a threat acts on the vulnerability?
  • Impact: The consequences of the risk event. What happens if the threat acts on the vulnerability?
  • Effectiveness of Existing Controls: Existing controls and their effectiveness at mitigating risk. What is being actively done to mitigate the effects of a risk?

Likelihood × Impact − Controls ⇒ Risk Level

To illustrate, a plane crashing into your office has a high impact, but a low probability. In fact the probability is so low that the overall risk is probably insignificant. On the opposite end of the scale, a road construction project getting delayed due to rain is an event with a low impact but a high probability of occurrence. Thus, it is a significant risk.

A HIPAA Risk Management Plan should begin with an analysis of the risk tolerance of the organization, a Risk Assessment.

  • What projects have been completed in the past and what unexpected issues occurred?
  • What was the response of the organization?
  • What permanent changes were made? Were they justified?
  • Did the response cause a corresponding loss of business?
  • Did the response cause a corresponding loss of future projects?

Risk Levels

Another part of the risk planning portion of the Risk Management Plan is the definition of risk levels. Here is an example:

  • Very Low: The event is highly unlikely to occur under regular circumstances.
  • Low: The event is unlikely but should be noted by the project team.
  • Medium: The event has a normal chance of occurring and the project team should be aware of it.
  • High: The event has a reasonable chance of occurring. It should be regularly discussed and mitigation actions taken.
  • Very High: The occurrence of the event should be actively managed and mitigation actions taken.

Aligned Risk Management breaks down risk levels into four categories: Negligible, Marginal, Serious, and Critical.

Negligible Risk

Theoretical risk. Unlikely to be a serious concern.

  • Vulnerability is very unlikely to be exercised, OR
  • Existing controls are highly effective at mitigating the risk, OR
  • Potential impact on security, privacy and availability of ePHI is low

Marginal Risk

Unlikely to be an immediate concern, especially in light of other, more severe risks.

  • Some likelihood that vulnerability could be exercised
  • Existing controls provide some effective mitigation of risk

Serious Risk

Potential for significant impact on operations. Effective Risk Management or reasonable plan for such recommended in near future.

  • Vulnerability is likely to be exercised
  • Existing controls provide inadequate mitigation of risk
  • Potential for significant impact on security, privacy or availability of ePHI

Critical Risk

Failure to implement controls required by HIPAA. Potential liability and exposure to penalties. Potential for malicious exploitation. Exercise of vulnerability could cause mission-critical damage to business operations. Prompt intervention strongly recommended.

  • Vulnerability is very likely to be exercised or is currently being exercised
  • Existing controls provide little effective mitigation of risk
  • Potential for high or even catastrophic impact on security, privacy or availability of ePHI

Assumptions

A good brainstorming tool is to consider the assumptions made by the project. Most projects have disclaimers in their underlying contracts absolving the performing party of various obvious risks, but what about the next most obvious ones?

  • What assumptions has the project budget made?
  • What assumptions has the project schedule made (completion date, milestones, etc.)?
  • What expertise or prior experience does the company have in this work? How long ago was this experience? What areas require additional training?
  • Which relationships are being assumed to be strong that are not necessarily (owner, sponsor, client, contractor, consultant)?
  • How many previous projects with similar components have been completed successfully? What were the project issues?

Stay tuned for Part 2 of Aligned Risk Management’s series, Critical Parts of a Quality Risk Management Plan.

Project Engineer, Building Better Project Managers.

HIPAA compliance consulting

HIPAA compliance consulting firm
The premier HIPAA compliance consulting firm, Aligned Risk Management.

Aligned Risk Management helps healthcare organizations streamline and simplify HIPAA compliance efforts so that you can get back to providing the critical services your patients need. Our expert consulting staff works with you to ensure the privacy, security, and integrity of your systems. This specialized knowledge makes us the leading consulting firm for HIPAA compliance and healthcare risk management.

We’ll play defense so you don’t have to…

Defense of protected health information and the security of your systems is important to the safety of your patients. But it is also critical to the success of your practice. Data privacy concerns make headlines every day, and healthcare companies are especially vulnerable to the effects of unaddressed risk. Patient concern is growing. Regulations are poised to become more demanding. You want to concentrate on better serving your patients, and we make that possible.

HIPAA compliance has to start somewhere…

Everything starts with a HIPAA risk assessment report, which our analysts will perform and interpret for you. They perform the assessment according to the standards outlined in NIST Special Publication 800-30 (Guide for Conducting Risk Assessments), the gold standard for assessing risk. The results of this report are used to define actionable steps informed by deep-dive interviews with your organization’s key staff, regular site visits, policy document analysis, and vendor contract reviews.

…but our process doesn’t stop with just a risk assessment.

It doesn’t stop there. Risk management is a process, so our program includes regular follow-ups to make sure that you are successful. We assist in implementing recommendations and in documenting your efforts to ensure your success in case of an audit. Together, we’ll find high-value solutions that really matter, instead of wasting resources on unnecessary tools or time-consuming procedures that do not fit the way your organization operates.

Compliance with HIPAA can feel overwhelming. The most frequent question we hear is “Where do I start?” Start right here with Aligned Risk Management, and put yourself ahead of the curve.

Ready to get started? Schedule a meeting with Patrick.

Four easy steps to address the HIPAA elephant in 2019

This is Heather, the HIPAA elephant, because we know that HIPAA can feel like an elephant. How do you tackle Heather, the HIPAA elephant? One bite at a time!

HIPAA fines are up. Audits by the Department of Health and Human Services are up. 2019 is shaping up to be a rather tumultuous and dangerous year for healthcare providers as they ramp up to address their HIPAA privacy obligations.

Here are four steps to FAIL your next HIPAA audit.

And here are four steps to start out ahead this year….

1. Do SOMETHING.

There are so many different ways to start tackling another aspect of HIPAA. Are you wanting to make some headway in implementing technical safeguards? Great! Two-factor authentication. What about administrative safeguards? Awesome. Update your workforce sanctions policy and make sure it’s realistic. What about physical safeguards? Get those contingency operations plans updated. Whatever you decide to do, you’ll have to start somewhere.

“When eating an elephant take one bite at a time.”

Creighton Williams Abrams Jr.

I never said that eating the HIPAA elephant was going to be easy. But since you have to, you might as well start with one bite at a time. Approach HIPAA like you would an elephant and you’ll be surprised at just how much you can accomplish in a short period of time.

2. Business Associate Agreements

I’ve seen a lot of embarrassingly insufficient business associate agreements (BAA). As a recap, a “business associate” is likely a vendor to a healthcare provider, other than a member of the workforce of a covered entity, who provides certain services to a covered entity. Remember, this service directly involves access by the business associate to protected health information (PHI).

Among other confusing relationships that can exist between entities, a covered entity can be a business associate to another covered entity.

As part of your approach to HIPAA in 2019, perhaps it’s time to evaluate the relationship between yourself and your vendors, or between yourself and your clients. Are you a covered entity? Are you a business associate? Do you have business associates?

Once you’ve done some review of those relationships and you’ve identified all your vendors and business associates, it’s time to review those business associate agreements.

There are ten critical terms that must be addressed in these contracts. Find out more about these ten terms here: Requirements of a Business Associate Agreement (BAA).

3. Policies, Procedures and Internal Operations

Cookie cutter policies aren’t going to cut it. In this industry, so highly regulated by HHS, it’s highly unlikely that you’ll get away with taking any shortcuts. Let’s tackle your policies and procedures and how they relate to the realistic operations of your organization.

Are they accurate? I mean, do your policies accurately reflect how your workforce carries out their day-to-day operations? If you’re documenting in your policies that your workforce implements rigorous access revocation procedures upon employee termination, but this isn’t being practiced regularly by your IT staff, that’s not good. You’re saying that you’re doing this, but if that can’t be proven and is likely to be disproved by the dozens of former employee accounts that haven’t been deactivated, HHS will certainly have a field day. At your expense.

Don’t let that happen. Get on top of your policies and procedures. Make sure they’re honest and truthful. Maybe it’s time to actually change some operations and procedures to better protect patient privacy. Maybe you’ll learn something about your own organization. It’s another bite you can take out of the HIPAA elephant. It’s getting smaller!

4. Risk Assessment

Calling in the experts can be totally nerve-racking. You’re inviting others into the sensitive operations of your organization, exposing your internal practices to a stranger. We’re not the bad guys. We’re here to help you.

Updating your risk assessment can give you invaluable insight into modern best-practices that you weren’t aware of. It can make you aware of problematic business operations that really ought to be corrected and streamlined.

And best of all, you’ll get a great plan for continuous improvement: a plan consisting of the best actionable steps you can take to make the most impact in mitigating risk at your organization.

Don’t forget, HIPAA compliance starts with a risk assessment.

“When eating the HIPAA elephant, take one bite at a time.”

Patrick Brenner

Take action. Put yourself at ease and get started. Together, we can minimize your exposure to HIPAA and make 2019 a bad revenue year for HHS.

NIST Risk Management Framework 2.0 Updates Cyber-Security Policy

The final version of the NIST Risk Management Framework 2.0 is now available, providing government agencies and commercial enterprises alike with new guidance that aligns risk, privacy and cyber-security controls.

The National Institute of Standards and Technology is out with the final version of its Risk Management Framework (RMF) 2.0 update, providing organizations with new detailed insight into how to define and manage risk.

RMF 2.0 was officially released on Dec. 20 and follows seven months of consultation and comments. RMF 2.0 is formally titled NIST Special Publication (SP) 800-37 Revision 2 and outlines how federal agencies and those that wish to align with the standard can address security and privacy risk management. Among the key additions in the RMF 2.0 updates is an alignment and integration with the NIST Cybersecurity Framework, which outlines controls and processes that should be used by U.S. government agencies.

“RMF 2.0 gives federal agencies a very powerful tool to manage both security and privacy risks from a single, unified framework,” NIST’s Ron Ross, one of the publication’s authors, wrote in a media advisory. “It ensures the term compliance means real cybersecurity and privacy risk management—not just satisfying a static set of controls in a checklist.”

RMF 2.0 itself is a lengthy report of 183 pages that is freely available. The report noted that organizations implementing the RMF will be able to maximize the use of automated tools to manage security categorization as well as control selection, assessment and monitoring.

“The RMF provides a dynamic and flexible approach to effectively manage security and privacy risks in diverse environments with complex and sophisticated threats, evolving missions and business functions, and changing system and organizational vulnerabilities,” the RMF states. “The framework is policy and technology neutral, which facilitates ongoing upgrades to IT resources and to IT modernization efforts—to support and help ensure essential missions and services are provided during such transition periods.”

The RMF 2.0 includes a long list of tasks that includes an outline of risk management roles within an organization as well as strategy. Identifying common controls as well as having a continuous monitoring strategy is another key component that is part of RMF. Risk itself is at the core of RMF 2.0, with the requirement that organizations execute a risk assessment that includes all assets that need to be protected.

“As a key part of the risk assessment, assets are prioritized based on the adverse impact or consequence of asset loss,” RMF 2.0 states. “The meaning of loss is defined for each asset type to enable a determination of the loss consequence (i.e., the adverse impact of the loss).”

Industry Reaction

NIST’s guidelines for cyber-security have become foundational elements in the product portfolios of multiple vendors that align their offerings to help enable organizations with governance, risk and compliance (GRC) needs. Multiple industry experts contacted by eWEEK were enthusiastic about the improvements made in the RMF and how it will help improve cyber-security overall.

“We view the NIST Risk Management Framework (RMF) as further refinement of NIST’s message around the practice of risk management and a bridge in the continuation of their guidance encompassing security of the organization, individual privacy, and organization-wide risk management,” Steve Schlarman, risk management strategist at RSA, told eWEEK. “We have long been committed to the belief that in order to effectively and efficiently manage information security, you have to take a risk-based approach.”

McAfee’s chief policy officer and head of government affairs, Tom Gann, is also supportive of RMF 2.0. He noted that the NIST Cybersecurity Framework presents a rational, step-by-step approach to identifying and managing an organization’s cyber-security risk. 

Abdul Rahman, chief data scientist at Fidelis Cybersecurity, commented that from his perspective looking at the RMF 2.0 update, the focus is on enhancing the protection of individuals’ sensitive data. 

“Organizations need to go beyond threat prevention—we’ve already seen that preventive tools alone don’t suffice against motivated and sophisticated attackers,” Rahman told eWEEK.

Istvan Molnar, product marketing manager and compliance specialist at One Identity, also sees as noteworthy the emphasis on privacy in RMF 2.0. Molnar said the RMF 2.0 document specifically calls out the need for organizations to “consider how to best promote and institutionalize collaboration between the two Privacy and Information Security programs to ensure that the objectives of both disciplines are met at every step of the process.”

“It’s also noteworthy that the report not only refers to access but also ‘system activity or behavior’ going a step further than simply focusing on controlling access to data,” Molnar told eWEEK. “Additionally, the framework promotes the notion of designing risk management into the security and privacy capabilities of information systems throughout the system development life cycle.”

For Meerah Rajavel, CIO at Forcepoint, there are three key takeaways from RMF 2.0. The first is that digital and cyber-security are becoming center seat in the boardroom. 

“The RMF Revision 2.0 focusing on linkage and communication to the C-suite governance, and providing guidance on the synergy between Cybersecurity & Risk Management framework, can help elevate the CISO and CIO to be more powerful at the boardroom table,” Rajavel told eWEEK.

She added that the second aspect of interest is the focus on the IT/OT and supply chain, which are crucial to protect critical infrastructure that affects civilians and the economy.  

“The third element, which is inspiring in lieu of many recent events, is linking privacy to risk, which helps other compliance and regulations like GDPR, CA Privacy Act, etc.,” she said.

“NIST Risk Management Framework 2.0 Updates Cyber-Security Policy”. eWeek. QuinStreet, Inc. Retrieved December 27, 2018.

Does HIPAA and the HITECH Act Impact Medical Device and Pharma Companies?

The Question:

Are medical device or pharmaceutical companies designated as a qualifying entity subject to HIPAA and HITECH?

The Answer:

Yes.

Classifying the entity

Are medical device or pharmaceutical companies designated as a qualifying entity subject to HIPAA and the HITECH Act? Yes. In general, a provider that “transmits any health information in electronic form in connection with a transaction covered by this subchapter” is considered a covered entity. Moreover, according to the 45 CFR §160.103(2)(ii)(3), “a covered entity may be a business associate of another covered entity.” In fact, CMS recognized that as a government agency, it is subject to HIPAA, the HITECH Act and related rules in an October 2012 report issued by the Office of the Inspector General, “CMS Response to Breaches and Medical Identity Theft.”

In turn, a business associate, as defined by the HIPAA Rules, is “a person who performs functions or activitieson behalf of, or certain services for, a covered entity that involve the use or disclosure of protected health information” (emphasis added). A subcontractor is a person who contracts with a business associate and stores, handles or transmits PHI. Regardless, under Section 164.308(b) of the Security Rule and 164.502(e) of the Privacy Rule, a covered entity or business associate is required to enter into an arrangement known as a business associate agreement to provide parameters and some legal protection when a contracted entity is handling PHI.

Effective Feb. 18, 2010, Section 13408 of the HITECH Act provides that health information organizations, e-prescribing gateways, vendors of personal health records and other persons that facilitate data transmission and require access to PHI, regardless of their status as a covered entity, business associate or subcontractor, are subject to business associate agreements in accordance with the HIPAA Rules.

Therefore, medical device and pharmaceutical companies can be classified as a qualifying entity subject to HIPAA and the HITECH Act. As such, they are subject to handling, storing and transmitting in accordance with the requisite laws and regulations. The consequences from civil and criminal monetary penalties alone are significant. Since the HITECH Act expressly expanded HIPAA’s requirements to business associates and subcontractors, the same standards for access to medical records, business associate agreements and other provisions equally apply.

Patient access rights

The tension between patients wanting to have access to their health data from a medical device, which is implanted in them, and a medical device company is highlighted. According to a representative of a medical device maker quoted in the article, “Federal rules prohibit giving Ms. Hubbard’s data to anyone but her doctor and hospital. Our customers are physicians and hospitals.” In general, 45 C.F.R. §164.524, Access of Individuals to Protected Health Information, sets forth the parameters of the HIPAA Privacy Rule. Included in these standards are the circumstances for providing protected health information to a patient and exceptions. Nothing in the scenario of the PHI being transmitted from a patient’s implant to a medical device company, who would be classified as a business associate in this instance invokes an exception to deny the patient’s request.

Section 13410(d) of the Health Information Technology for Economic and Clinical Health Act authorizes penalties to be assessed for violations of the Privacy Rule. In February 2011, HHS issued a Final Notice of Determination and held Cignet Health, a business associate, liable for $4.3 million in civil monetary penalties when they denied 41 patients access to their medical records. As OCR Director Georgina Verdugo indicated, “covered entities and business associates must uphold their responsibility to provide patients with access to their medical records, and adhere closely to all of HIPAA’s requirements.” And, “The U.S. Department of Health and Human Services will continue to investigate and take action against those organizations that knowingly disregard their obligations under these rules.” This area should be considered in drafting business associate agreements. Therefore, business associates such as Medtronic are required to release the PHI to the patient requesting the information, unless one of the exceptions is met, and the patient is informed.

“How Does HIPAA and the HITECH Act Impact Medical Device and Pharma Companies?”. Becker Hospital Review, US. Retrieved December 20, 2018.

Memo: reasonably anticipated threats to protected health information

What are possible threats to protected health information (PHI), electronic (ePHI) or otherwise?

The US Department of Health and Human Services defines a threat as “the potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.” Threats are broken down into three categories:

  • Environmental: referring to immediate physical environments, such as offices or data centers
  • Natural: referring to weather, natural disasters, mass human events, and Acts of God
  • Human: referring to individuals who could cause harm, either inadvertently or negligently, or intentionally and maliciously

Aligned Risk Management has identified the following reasonably-anticipated threats to the security, privacy and availability of ePHI.

  1. Environmental Threats
    1. Internet outage: Failure of application server to connect to internet, failure of DNS servers to resolve server domain name, upstream connection failure, and other internet outages.
    2. Power outageFailure of power systems at the data center, failure of power supply to the data center, and other power outages.
    3. Hardware failureFailure of any hardware component of the server or data center where the application is hosted. Refers to failures caused by wear, age, design flaws, and other inherent hardware weaknesses.
    4. Software failureFailure of any application, operating system or other software component to operate as intended. Includes malware infections, data corruption, functional failures.
    5. Site pollutionFire, spills, accidents, etc.
  2. Natural Threats
    1. Floods, earthquakes, tornadoes, landslides, etc.Any unpredictable large-scale threat over which humans have no control. Also includes mass human events, such as war, terror attacks, strikes, epidemics, alien invasions, zombie apocalypse, etc.
  3. Human Threats
    1. Internal threatsAuthorized users, staff, Business Associates, trusted advisors, etc. The least dramatic but most common threats to the security, privacy and availability of ePHI.
      1. Inadvertent disclosure of ePHIUnintentional action by authorized user or failure of Application that inadvertently discloses any ePHI to any unauthorized user
      2. Inadvertent data entry, modification or deletionUser error. Accidental and unintentional action or omission by an authorized user that causes damage to the security or availability of ePHI
      3. Malicious disclosure of ePHI by authorized userDeliberate disclosure by authorized user who intends to obtain some personal gain or to cause harm
      4. Malicious destruction of ePHI by authorized userDeliberate sabotage by authorized user who intends to cause harm
    2. External threatsEx-employees, hackers, thieves, etc.
      1. Unauthorized observation of ePHIUnauthorized person is able to observe improperly-controlled ePHI
      2. Unauthorized person gains access using genuine credentialsAttacker successfully logs into a controlled system using a genuine username and password or other credentials of an authorized user
      3. Technological attack against a controlled systemAttacker exercises a technological vulnerability of an ePHI system still controlled by the covered entity
      4. Technological attack outside any control or responseAttacker gains indefinite physical control of an ePHI system and is able to exercise vulnerabilities without detection or intervention by covered entity
      5. Social engineeringAttacker uses psychological manipulation to induce authorized users to act against security policies or divulge confidential information
      6. Malicious destruction of ePHI by unauthorized userDeliberate sabotage by attacker who intends to cause harm
  4. Compliance Gaps
    1. Civil liability for failure to implement HIPAA-mandated specificationFailure to implement or adequately document certain required polices and procedures
    2. Civil liability for failure to follow documented policiesFailure to implement or adequately document certain required polices and procedures

Memo: SOC vs NIST

NIST SP 800-30: Guide for Conducting Risk Assessments

NIST Special Publication 800-30 provides guidance for conducting risk assessments of federal information systems and organizations, amplifying the guidance in Special Publication 800-39. Risk assessments, carried out at all three tiers in the risk management hierarchy, are part of an overall risk management process—providing senior leaders/executives with the information needed to determine appropriate courses of action in response to identified risks.

NIST SP 800-53: Recommended Security Controls for Federal Information Systems and Organization

Everyone interested in advancing design and planning of IT systems must become knowledgeable of the accomplishments of NIST by reading their Special Publication 800-series reports. The 800-series reports on ITL’s research, guidelines, and outreach efforts in information system security, and collaborative activities with industry, government, and academic organizations. The NIST Special Publication 800-53 “Recommended Security Controls for Federal Information Systems and Organization” list pages of specific controls that would be considered in the preparation of a standardized list of IT system controls for the private sector.

NIST SP 800-66: An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule

The HIPAA Security Rule specifically focuses on the safeguarding of electronic protected health information (EPHI). All HIPAA covered entities, which include some federal agencies, must comply with the Security Rule, which specifically focuses on protecting the confidentiality, integrity, and availability of EPHI, as defined in the Security Rule. The EPHI that a covered entity creates, receives, maintains, or transmits must be protected against reasonably anticipated threats, hazards, and impermissible uses and/or disclosures.

Special Publication 800-66 Revision 1, which discusses security considerations and resources that may provide value when implementing the requirements of the HIPAA Security Rule, was written to:

  • Help to educate readers about information security terms used in the HIPAA Security Rule and to improve understanding of the meaning of the security standards set out in the Security Rule.
  • Direct readers to helpful information in other NIST publications on individual topics addressed by the HIPAA Security Rule.
  • Aid readers in understanding the security concepts discussed in the HIPAA Security Rule. This publication does not supplement, replace, or supersede the HIPAA Security Rule itself.

Service Organization Controls (SOC)

The American Institute of Certified Public Accounts (AICPA) has developed and adopted a set of guidelines and regulations for CPA audits in response the requirements of the Gramm-Leach-Bliley Act entitled, Service Organization Controls (SOC).  SOC is divided into two general types of audits SOC 1 and SOC 2 that are described on this site in detail.  SOC  is very specific as to the types of assessments that are to be made for each type of audit. SOC guidelines and regulations do not define the controls to be evaluated as part of an accounting audit to the same depth as controls identified by NIST.

SOC 1 audits according to the requirements of SSAE No. 16 reports  ”On Controls at a Service Organization” that is processing private and nonpublic data that is personal for it’s customers. The controls obviously would vary differently in approach even though there would be some overlap.  Standardizing would require developing different categories of controls for each type of audit.

SOC 2 audits deal with five different concerns: security, availability, integrity, confidentiality, and privacy. There are specific controls that come into play for each of these areas include overlap of controls to prevent possible financial theft, timely transmission, intrusion/manipulation, limited access and nondisclosure.

Concluding Notes

SOC guidelines and regulations do not define the controls to be evaluated as part of an accounting audit to the same depth as controls identified by NIST.

Aligned Risk Management follows NIST SP 800-30, the framework for conducting risk assessments, and evaluates and reports on controls aligned to NIST SP 800-53 and NIST SP 800-66.

This article contains direct quotes and information from the National Institute of Standards and Technology (NIST), Integrated Accounting Services.

“SP 800-30: Guide for Conducting Risk Assessments”. National Institute of Standards and Technology. Retrieved September 4, 2018.

“SP 800-66: An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule”. National Institute of Standards and Technology. Retrieved September 4, 2018.

“NIST Special Publication 800-53”. National Institute of Standards of Technology. Retrieved September 4, 2018.

“Information Technology Laboratory”. Integrated Accounting Services. Retrieved September 4, 2018.