The answer to that question should be NO! Although many covered entities and business associates believe they do not truly need an assessment, let me give you a few reasons why you do a HIPAA Risk Assessment:
1.) Preventative - If you are in the medical field or service businesses in the medical field, there is a good change you have EPHI on your network, in your email, or on some smart device that one of your providers or employees has. Do you know who has access to that EPHI? Do you know where that EPHI has gone? Do you know if that EPHI is backuped, secured, audited for access? If you are like many other businesses, the answer to all those questions would be no. According to the NIST Security rules, you muyst complete a regular risk assessment to show that you are taking the appropriate measures to secure you EPHI or your devices that could access EPHI.
2.) Reactive - Have you ever been struck by the virransomwareus? Have you ever had an employee leave the company and forgot to change their passwords? Has any one accidently gained access to your systems without you knowing, either physically or virtually? If so you are required to do a assessment to determine what EPHI might have been exposed and what EPHI might have been tampered with. Simply the belief that an attempt to access your EPHI was made could require you to complete an audit and notify your patients and clients.
3.) Best Practice - Technology is ever changing, you are constantly updating and replacement technology or adding new software to your network. Often times as we are implementing new technologies we do not assess what the impacts might be to the vulnerabilities on our network. Did that software you just installed on your server require you to open your firewall or type in your administrator password? If so, it might be time to complete an annual risk assessment to determine what those changes to your network and how to mitigate any risks
In Short - we ALL need a risk assessment done. Our security experts can assist you with this and provide your staff education on how they protect your network. In a future article I will outline how we need to train our employees to be better defense for our network and the EPHI it contains.
In the meantime, please visit us at http://kaptechs.com or email us at firstname.lastname@example.org