Security Risks: What’s the Rule?


The first step towards compliance with the HIPAA Security Rule is to perform a risk assessment on your system. You aren’t required to do this yourself (you may choose to hire a consultant), but you will be expected to understand the assessment findings. So what are ‘risks’, and how are they measured? Let’s start by defining some terms as they appear in the Rule.

Section 164.308(a)(1) requires covered entities to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of EPHI held by the covered entity.”  In this statement:

“EPHI” stands for Electronic Personal Health Information. This includes all medical information related to patients in your care.

“Vulnerabilities” are weaknesses in the way your system handles information. This can mean anything from inadequate physical security at your office (such as locks and alarms), to running out-of-date software, to failing to use the security features included in your software (not setting passwords, etc.).

“Threats” are forces that will exploit vulnerabilities. These can be people, such as disgruntled employees, burglars and hackers, or events like fires, floods, earthquakes and tornadoes.

“Risk”, therefore, is a calculation combining two things: first, the probability that a given threat will exploit vulnerabilities in your system, and second, an estimate of how much damage that exploitation would cause. Risk is hard to assess; the factors involved are often subjective. Just because an event has a low probability doesn’t mean it can’t or won’t happen, and highly probable events, even ones that carry some risk, might not impact your system security at all.

For instance: a viral infection on a computer in your system is highly probable, but the likelihood that the infection would lead to a system failure or security breach is small, so it would be considered a low-risk scenario. If a burglar, however, were to break into your office and steal all of your equipment, there is a 100% chance that your data will become unavailable to you and a good chance it may end up in malicious hands. Even if the crime rate is low in your neighborhood, this would be considered a high-risk scenario.

No matter what your assessment finds, when you address the vulnerabilities of your system and (where possible) eliminate threats, you reduce your overall risk levels; this is the best way to ensure you’ll be in compliance with the Rule.

Join us next week for some tips on how to conduct your risk analysis. 

Ryan Ricks
Security Officer
ryan.ricks@xlemr.com
www.xlemr.com

Easy Ways to Secure Your System and Work Towards HIPAA Compliance


EXCERPT FROM:
Easy Ways to Secure Your System and Work Towards HIPAA Compliance – by Ryan Ricks, XLEMR
As published in the Spring 2008 Edition of EHR Scope

As we all know, medical practices see patients with the aim of improving their health. Like any other business, medical practices have many concerns, ranging from the quality of services they provide, to regulation and compliance issues, and ultimately, the bottom line and financial well-being of their practice. Why then, should doctors and their staff worry about information security?

What is Information Security?

First, you may wonder exactly what we mean by information security. Simply put, information security is the confidentiality, availability, and integrity of the data, or information, stored at your practice, whether electronic or in hard copy. Medical practices should take information security seriously, because failing to do so could have negative consequences for quality of care and revenue streams, and may subject the practice to legal action.

Confidentiality is critical for medical practices. A patient’s medical history is highly sensitive, and there are huge consequences for a breach. Unlike a compromised credit card, an exposed medical history can ruin one’s life, resulting in embarrassment, loss of employment, or other terrible outcomes. Federal regulations like the Health Insurance Portability and Accountability Act mandate severe penalties if a practice fails to protect medical information.

Availability is perhaps even more important. Good health care depends upon the availability of information. What happens at your practice if you misplace a patient’s chart? Usually the staff finds it stuffed inside another chart, but what happens if the chart is destroyed? Hurricane Katrina wiped out many practices and their charts. If you lose your information, you cannot see patients, and ultimately you lose your revenue as well.

Integrity relates to the accuracy of information. Accurate information can mean the difference between life and death. How many news stories have you heard where someone died due to inaccurate medical information? Perhaps a crucial allergy was missing from their chart, or maybe someone misplaced a decimal point in a dosage. Integrity encompasses accuracy at the point of data entry (e.g. were there any typos?) as well as protection against malicious tampering (e.g. did someone purposefully change a patient’s history?).

Ryan Ricks is the Security Officer for XLEMR. To reach Ryan directly for more information, email ryan.ricks@xlemr.com. To see the full article, please visit www.ehrscope.com/magazine.