By: Craig Taylor


If your clients deal with health care records of any kind, for HIPAA purposes their business is considered either a covered entity or a business associate, and they should be preparing in earnest for Office of Civil Rights (“OCR”) HIPAA audits in 2015 and 2016.  That preparation should include an examination of one’s compliance with HIPAA’s Privacy, Security, and Breach Notification Rules.  An entity’s compliance is best assessed by having a risk assessment conducted by a qualified security professional who examines the threats and vulnerabilities to physical and electronic HIPAA data (i.e. the risks) within an organization.  A thorough and proper risk assessment by a qualified solution provider will go two steps further by (a) estimating both the impact and probability of those risks to the entity and then (b) will work with the entity to identify mitigating controls to eliminate or reduce those risks to acceptable levels.  Let’s look at each of these in turn now.


OCR Audit Program

Back in 2013 the OCR concluded its pilot HIPAA audit program of covered entities.  After a three (3) year hiatus, and in light of the massive Anthem security breach last year (69 million records compromised), the heat has been turned up on the OCR to ramp up their auditing and enforcement program as mandated by the HITECH act.

HITECH… requires [OCR] to perform periodic audits of covered entity and business associate compliance with the HIPAA Privacy, Security, and Breach Notification Rules.

Given OCR’s recent HIPAA fines windfall ($8M in 2014 and $5.5M in 2015) and its ability to use fines to expand enforcement activities[1], combined with increased funding from the President’s FY 2016 budget[2], then it follows that Covered Entities should earnestly prepare for a HIPAA audit in the coming years. The question asked next is ‘how do we prepare’? According to the HIPAA Security Rule the required answer is to “conduct an annual risk assessment”.

The Risk Assessment Requirement

As a covered entity (or Business Associate) in possession of ePHI data, the HIPAA Security Rule requires an annual risk assessment be performed to identify confidentiality, integrity, and availability risks to ePHI data. Sun Tzu wrote the following words thousands of years ago concerning warfare:



Security professionals should heed these words and perform a meaningful examination of an entity’s strengths and weaknesses, an assessment of threats and vulnerabilities faced, and then a proactive effort to mitigate risks. Thus prepared, an entity need not fear the hundred battles they will face!  Looked at another way, the risk assessment is the first step an entity takes to prepare for battle and for HIPAA compliance[3].

Impact and ProbabilityImpact-and-Probability

Once the security professional’s risk assessment has documented the threats and vulnerabilities to the entity’s critical data, the next step is to categorize those risks relative to probability and impact.  If an event has occurred previously, the probability of reoccurrence if no mitigating controls are enacted would remain 100%.  However, probability of occurrence should not be the only measure guiding which risks the entity remediates.  To properly prioritize their remediation efforts, security professionals should help the entity factor in the potential impact of a particular risk.

The impact of a risk event can range from benign to catastrophic.  A large data breach for an SMB could easily be catastrophic; the National Cyber Security Alliance reports that “60 percent of small firms go out of business within six months of a data breach”.   Less extreme risks such as a Cryptolocker infection (assuming a robust backup solution is in place) may temporarily Defense-in-Depthimpact the entity’s ability to meet operational deadlines.  Through a candid discussion with their risk assessor, each risk is prioritized based upon potential impact, probability of occurrence, and mitigating controls.  Using the chart above, red risks are unacceptable to the business and must be eliminated; yellow may be acceptable with additional mitigating controls, while green risks are acknowledged and formally accepted by the entity.

Assess, Remediate, and Repeat

Enemies are probing your entities’ networks, phishing and social engineering their employees, and only need to succeed once to breach their environment.  The benefits of a risk assessment are many while the costs of them not understanding their risks can be devastating.  Planning and addressing threats and vulnerabilities in order of most to least critical, responsibly using the finite resources available to them (budget and labor), and on their time schedule rather than the long-weekends and evenings when hackers like to strike is their decision. Ask your clients if they will follow Sun Tsu’s advice and prepare for battle prior to an attack.  Doing so ensures they need not fear 100 battles nor the OCR’s HIPAA auditors either!