"I don't do risk assessments; I assess risk," said Sharon Finney, corporate data security officer at Adventist Health System, speaking Thursday at the Healthcare IT News/HIMSS Media Privacy & Security Forum in Boston.
There's a difference. One happens on a daily basis. The other might happen a time or two each each year. A risk assessment, said Finney, sounds like something that "has a beginning and an end, and it doesn't."
Added Ed Ricks, president of information services and CIO at South Carolina's Beaufort Memorial Hospital: "If it does have an end, it's the day you get fired because you're not paying attention."
Security risk assessments are a fundamental part of keeping compliant with HIPAA and HITECH regulations – not to mention meeting Stage 1 meaningful use – but they have been problematic for many providers.
"If you look at the numbers, you see they're pretty low," HIMSS Senior Director of Privacy and Security Lisa Gallagher told Healthcare IT News earlier this year. "We have organizations trying to meet meaningful use Stage 1, and they're calling me and saying, 'We can meet all of the requirements of Stage 1, except the risk analysis requirement.'"
Sometimes a lack of resources is the problem. Often, it's a lack of clarity: Providers – whether their hospitals or physician practices – don't know know just what to do, what will bring them into compliance.
The Department of Health and Human Services has never quite said plainly that "If you do the following, you are compliant," said Gallagher in March. "They said, 'Do a risk assessment, document it and make sure you mitigate any findings that you have.' But there's no standard for what is minimum to be compliant. And that's causing the industry a lot of stress."
[See also: Risk assessments leave hospitals hamstrung.]
A simple audit – taking the HIPAA security rule and ensuring certain requirements are being met – "is not really a risk assessment," said Finney.
Instead, it requires a much more holistic approach to the organization – focusing on "people, process and technology" – that reviews and redresses shortcomings and vulnerabilities in all three areas.
"You have to document what you do," she added. "What did you do to remediate it?"
The HIPAA security rule "has been around for a long time now," Ricks pointed out. People are paying more attention to it now, "trying to check a box for meaningful use."
But really, he said, it's just a "smart business practice." Joking about the specter of a catastrophic breach, he added: "I don't think I would look good in an orange jumpsuit."
Later in the day, Healthcare IT News Editor Bernie Monegain sat down for an on-stage interview with the chief enforcer of the HIPAA privacy rule, Leon Rodriguez, director of HHS' Office of Civil Rights (OCR).