Technical Network Assessments

Both HIPAA’s Security Rule and the Merit-based Incentive Payment System (MIPS) program require documentation of periodic Security Risk Analyses.  A Security Risk Analysis assesses compliance with standards within the Rule.  Many times, information within a Security Risk Analysis is anecdotal, meaning the person completing it is simply typing in information to the best of their knowledge.

Background

HIPAA’s Security Rule requires covered entities to implement written policies and procedures to prevent, detect, contain, and correct security risks to the electronic protected health information (EPHI) that they have created, collected, and maintain.  In simple terms, the Rule provides a list of instructions that require written policies and procedures which, when implemented, should limit the risk to your EPHI. 

Technical Review

A Technical Network Assessment (TNA) is a documented snapshot of your practice’s IT infrastructure with regard to specific Security Rule requirements. The TNA will verify technical aspects of your Security Risk Analysis (SRA) and provide documentation to support information collected as part of the SRA.

The purpose of a TNA is to evaluate the risks and vulnerabilities of EPHI that is created or stored on your practice’s computer network, and to provide objective documentation concerning the security protections that have been implemented.  A key aspect is that a TNA produces factual reports from your network demonstrating that protections are in place rather than a strictly anecdotal response.

Reports from a TNA will enable your organization to determine whether any corrective actions need to be implemented to mitigate or reduce risks to EPHI on the network.  A repeat or periodic TNA should be performed to address environmental, technical or operational changes affecting the security of EPHI. 

A TNA should be conducted by qualified IT staff.  You could have your existing IT vendor/staff perform a TNA, or contract with an outside entity.  Using an outside entity will provide your practice with an independent confirmation that key technical security requirements have been met.

Completing an SRA can be likened to having a physical exam by your primary care provider.  The provider asks questions and you provide anecdotal information about your health. A TNA can be likened to blood tests, EKGs or other diagnostics that produce factual reports to document your good health or, in some cases, identify conditions that may require corrective actions such as medication and further treatments. 

Elements of a TNA

A TNA should evaluate technological risks and vulnerabilities including, but not limited to:

  • Open Port Security
  • Identify internal and external User IDs
  • Identify User IDs that have been inactive for a period of time (i.e., 30 days or more)
  • Identify network devices and implementation of current security updates or patches
  • Identify the current password policy for complexity and the frequency of password changes by users
  • Verify installation of antivirus/malware protection and a firewall
  • Verify automatic logoff and the period of inactivity to activate logoff
  • Verify activation of lockout protections (a predetermined number of allowable unsuccessful login attempts)
  • A vulnerability scan
  • Penetration testing

Documentation of TNA results should be available in network-generated reports as outlined below (note that the names and types of reports will vary depending on the tools used to generate the TNA):

Computer Identification Report: A list of the active and inactive computers found in the Active Directory. It should show the machine name, its enabled status, operating system, last login date, and should include columns to indicate whether the machine contains any EPHI.

User Identification Report: A list of the active and inactive user accounts found in the Active Directory. It should show the username, display name, last login date, last password reset date, password expiration date, and last login time.  It would be helpful if the report included columns to manage the users and note their access to EPHI.
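The following is an added example, not code from the original article or from any particular TNA tool. It builds the User Identification Report described above from account records and flags accounts that have been inactive for 30 days or more. The sample accounts are constructed; against a live domain you would replace them with the output of Get-ADUser (ActiveDirectory module, part of RSAT). The 30-day and 90-day thresholds and the HasEphiAccess column are assumptions for the report layout.

```powershell
# Added example, not code from the original article. Builds the User
# Identification Report from account records and flags accounts inactive for
# 30 days or more. The $sample accounts are constructed; against a live domain
# use (ActiveDirectory module, part of RSAT):
#   Get-ADUser -Filter * -Properties DisplayName,Enabled,LastLogonDate,PasswordLastSet
# The 30-day and 90-day thresholds and the HasEphiAccess column are assumptions.

function Get-UserIdentificationReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object] $Account,
        [int]      $InactiveDays   = 30,   # article: 30 days or more counts as inactive
        [int]      $MaxPasswordAge = 90,   # assumed domain maximum password age
        [datetime] $AsOf           = (Get-Date)
    )
    process {
        $daysIdle = $null
        if ($Account.LastLogonDate) { $daysIdle = ($AsOf - $Account.LastLogonDate).Days }

        $pwdAge     = $null
        $pwdExpires = $null
        if ($Account.PasswordLastSet) {
            $pwdAge     = ($AsOf - $Account.PasswordLastSet).Days
            $pwdExpires = $Account.PasswordLastSet.AddDays($MaxPasswordAge)
        }

        # An enabled account that has never logged on is treated as inactive too.
        $inactive = [bool]$Account.Enabled -and (($null -eq $daysIdle) -or ($daysIdle -ge $InactiveDays))

        [PSCustomObject]@{
            UserName        = $Account.SamAccountName
            DisplayName     = $Account.DisplayName
            Enabled         = [bool]$Account.Enabled
            LastLogonDate   = $Account.LastLogonDate
            PasswordLastSet = $Account.PasswordLastSet
            PasswordExpires = $pwdExpires
            DaysSinceLogon  = $daysIdle
            Inactive        = $inactive
            PasswordExpired = ($null -ne $pwdAge) -and ($pwdAge -gt $MaxPasswordAge)
            HasEphiAccess   = ''   # filled in by the practice during review
        }
    }
}

# Constructed sample records (not real accounts) with a fixed reference date.
$asOf   = [datetime]'2024-03-01'
$sample = @(
    [PSCustomObject]@{ SamAccountName='jdoe';    DisplayName='Jane Doe';      Enabled=$true;  LastLogonDate=[datetime]'2024-02-27'; PasswordLastSet=[datetime]'2024-01-10' }
    [PSCustomObject]@{ SamAccountName='rsmith';  DisplayName='Rob Smith';     Enabled=$true;  LastLogonDate=[datetime]'2023-12-15'; PasswordLastSet=[datetime]'2023-11-01' }
    [PSCustomObject]@{ SamAccountName='svc-lab'; DisplayName='Lab Interface'; Enabled=$true;  LastLogonDate=$null;                  PasswordLastSet=[datetime]'2022-06-01' }
    [PSCustomObject]@{ SamAccountName='tbrown';  DisplayName='Terry Brown';   Enabled=$false; LastLogonDate=[datetime]'2023-05-20'; PasswordLastSet=[datetime]'2023-04-01' }
)

$report = $sample | Get-UserIdentificationReport -AsOf $asOf
$report | Format-Table UserName, Enabled, DaysSinceLogon, Inactive, PasswordExpired -AutoSize

# Accounts needing a corrective-action decision: still enabled but inactive or
# past the password age limit. Disabled accounts stay in the full report only.
$report | Where-Object { $_.Enabled -and ($_.Inactive -or $_.PasswordExpired) } |
    Export-Csv -Path .\User-Identification-Report.csv -NoTypeInformation
```

With the constructed data, rsmith (77 days idle, password 121 days old) and svc-lab (never logged on) land in the corrective-action list, jdoe passes, and tbrown is reported but excluded from the action list because the account is already disabled. The CSV is the kind of network-generated evidence the SRA can cite instead of an anecdotal answer.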

Endpoint Security Status: A listing of all the computers and servers found on the network that shows, for each one, the status of the antivirus, antispyware, firewall, and backup software installed.

External Vulnerability Scan Detail Report: Detailed information on all the external vulnerabilities found during the external IP address scan performed on the IP addresses used by the network.

Security Policy Assessment: The results of a security scan performed internally on the network. This document would highlight your company’s password policies, account lockout policies, audit policies, event log policies, and group policies.
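As an added example (not code from the original article), the block below compares a domain's password and account-lockout settings with a practice's written policy and lists each gap, which is the substance of the Security Policy Assessment described above. The policy object is constructed; against a live domain you would obtain it with Get-ADDefaultDomainPasswordPolicy (ActiveDirectory module). The values in the Required table are assumptions standing in for the practice's own written policy.

```powershell
# Added example, not code from the original article. Compares domain password
# and lockout settings with the practice's written policy and lists each gap.
# The $policy object is constructed; against a live domain use:
#   $policy = Get-ADDefaultDomainPasswordPolicy
# The values in $Required are assumptions standing in for the written policy.

function Test-PasswordPolicy {
    param(
        [Parameter(Mandatory)] $Policy,
        [hashtable] $Required = @{
            MinPasswordLength      = 12
            ComplexityEnabled      = $true
            MaxPasswordAgeDays     = 90
            PasswordHistoryCount   = 12
            LockoutThreshold       = 5     # failed attempts before lockout; 0 means never
            LockoutDurationMinutes = 15
        }
    )
    # AD semantics: MaxPasswordAge of 0 means passwords never expire;
    # LockoutDuration of 0 means locked until an administrator unlocks it.
    $maxAgeDays     = [int]$Policy.MaxPasswordAge.TotalDays
    $lockoutMinutes = [int]$Policy.LockoutDuration.TotalMinutes

    # Each check records the setting, what the written policy requires,
    # what the domain actually enforces, and whether it passes.
    $checks = @(
        [PSCustomObject][ordered]@{ Setting='Minimum password length';      Required="$($Required.MinPasswordLength) or more";      Actual=$Policy.MinPasswordLength;           Pass=($Policy.MinPasswordLength -ge $Required.MinPasswordLength) }
        [PSCustomObject][ordered]@{ Setting='Complexity required';          Required=$Required.ComplexityEnabled;                  Actual=$Policy.ComplexityEnabled;           Pass=((-not $Required.ComplexityEnabled) -or $Policy.ComplexityEnabled) }
        [PSCustomObject][ordered]@{ Setting='Maximum password age (days)';  Required="1 to $($Required.MaxPasswordAgeDays)";        Actual=$maxAgeDays;                         Pass=(($maxAgeDays -gt 0) -and ($maxAgeDays -le $Required.MaxPasswordAgeDays)) }
        [PSCustomObject][ordered]@{ Setting='Password history (count)';     Required="$($Required.PasswordHistoryCount) or more";   Actual=$Policy.PasswordHistoryCount;        Pass=($Policy.PasswordHistoryCount -ge $Required.PasswordHistoryCount) }
        [PSCustomObject][ordered]@{ Setting='Lockout threshold (attempts)'; Required="1 to $($Required.LockoutThreshold)";          Actual=$Policy.LockoutThreshold;            Pass=(($Policy.LockoutThreshold -gt 0) -and ($Policy.LockoutThreshold -le $Required.LockoutThreshold)) }
        [PSCustomObject][ordered]@{ Setting='Lockout duration (minutes)';   Required="$($Required.LockoutDurationMinutes) or more (0 = until unlocked)"; Actual=$lockoutMinutes; Pass=(($lockoutMinutes -eq 0) -or ($lockoutMinutes -ge $Required.LockoutDurationMinutes)) }
        [PSCustomObject][ordered]@{ Setting='Reversible encryption';        Required=$false;                                       Actual=$Policy.ReversibleEncryptionEnabled; Pass=(-not $Policy.ReversibleEncryptionEnabled) }
    )
    $checks
}

# Constructed policy object mirroring the properties Get-ADDefaultDomainPasswordPolicy returns.
$policy = [PSCustomObject]@{
    MinPasswordLength           = 8
    ComplexityEnabled           = $true
    MaxPasswordAge              = [timespan]::FromDays(0)      # passwords never expire
    PasswordHistoryCount        = 5
    LockoutThreshold            = 0                            # accounts never lock out
    LockoutDuration             = [timespan]::FromMinutes(30)
    ReversibleEncryptionEnabled = $false
}

$results  = Test-PasswordPolicy -Policy $policy
$results | Format-Table Setting, Required, Actual, Pass -AutoSize

$findings = @($results | Where-Object { -not $_.Pass })
"{0} of {1} settings fall short of the written policy" -f $findings.Count, $results.Count
```

With the constructed policy, four checks fail (minimum length, password age, history, and lockout threshold), and each failing row is a candidate corrective action to record alongside the SRA. Running the same function against the live domain policy and saving the table gives a dated, reproducible record of the settings actually enforced rather than what someone remembers configuring.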

Patch Status: This report will contain a list of each computer and its corresponding patch status.

After the data has been gathered and reports generated, your practice should evaluate the results for possible corrective actions, if any, to mitigate risks and vulnerabilities.  The combined documentation of the SRA, TNA, and implemented corrective actions will enhance your practice’s ability to demonstrate a reasonable effort for protecting EPHI.

If you contract with an IT vendor, that vendor should be able to produce the reports described above.  Some vendors will provide them at no charge as part of your existing maintenance contract (especially if you pay a monthly/regular management fee).  Other IT companies charge exorbitant fees for completing a TNA and providing reports. 

The government agency known as CISA (Cybersecurity and Infrastructure Security Agency) now offers assistance in what they call Cyber Hygiene Vulnerability Scanning.  You can reach out to vulnerability@cisa.dhs.gov to get started.  These assessments are available to both public and private organizations at no cost, but availability is limited.  The service offered includes the following:

  • Target Discovery, which identifies all active internet-accessible assets to be scanned, including networks, systems and hosts.
  • Vulnerability Scanning, which initiates non-intrusive checks to identify potential vulnerabilities and weaknesses.