Demand Quarterly Risk Assessments From BAs

December 27, 2016

One wonders what would be revealed if all companies accessing ePHI were to do a comprehensive risk assessment today. How many breaches would be discovered?

The chilling fact about the breach of ePHI at Community Health Plan of Washington (CHPW) is that it was not discovered by CHPW or by its BA, Transaction Applications Group Inc., doing business as NTT Data, but by an "unidentified caller". Add to this that 11 months went by from the original breach until it was discovered.

We have been preaching about the need for quarterly risk assessments, and obviously we should add that you need to demand this from anyone accessing your ePHI. Many people think that they only need an annual risk assessment; others still think that a checklist will do. But the requirement from HHS and OCR is to do a risk assessment whenever there are changes in your business. This could include new software, a new business associate, a new line of business and many other changes.

HHS also talks about only having to meet standards that are reasonable and appropriate to your business. To some this might be a reason to say that they can't do quarterly risk assessments because an outsourced risk assessment is too expensive, or because they don't have the technical staff to do the risk assessments in-house. These arguments don't stand up when there are SaaS models that can deliver quarterly risk assessments for as little as $1495 per year. While simple to operate, they deliver sophisticated risk assessment reports and are based on the NIST methodology. The NIST methodology is the only one mentioned by HHS and OCR and is the gold standard for risk assessment.

Another troubling fact about the CHPW breach is how it surfaced: an unidentified person called CHPW's customer service line and told them that the caller had accessed their ePHI. Investigation revealed that the original breach had occurred 11 months prior to the call, and neither CHPW nor its BA had detected it in the meantime.
