Top HIPAA Security Officers: Drop HIPAA Checklists, Adopt Enterprise-Wide Approach

Covered entities and business associates need to move beyond the mind-set of HIPAA security as a checklist, and take an enterprise-wide approach that evaluates every asset containing protected health information (PHI), plus the security threats to those assets, according to a panel of chief security officers at the 2019 HIPAA Summit, held in Washington, D.C., in March.

This is a three-step process that “sounds simple upfront, but it is not so easy to do,” noted John Parmigiani, president of John C. Parmigiani & Associates LLC.

“A lot of this is common sense, but it gets mixed up in terminology,” Parmigiani said, adding that organizations need to know exactly where all their PHI lives. “Where is all your sensitive information that’s vulnerable?” Then, organizations need to identify the weaknesses in the security of those assets down to a very granular level, he said. Finally, organizations need to be able to identify all the threats to those assets coming into the organization.

The report released late last year by the industry-led working group mandated by Section 405(d) of the Cybersecurity Act of 2015 is a good place to start, said Julie Chua, risk management branch chief, Office of Information Security, Department of Health and Human Services. Chua helped helm the group and shepherd the report, Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients (“Report Lays Out Top Cybersecurity Priorities, Practices,” RPP 19, no. 4).

Chua said there has been some confusion about the document, which is not intended to be a comprehensive checklist for organizations to comply with HIPAA. The report and its associated technical volumes “are not meant to be the end all be all solution for all cybersecurity needs,” Chua said, adding that “there are [security] threats beyond the five listed. If you think about threat vectors, these are five of many.”
