From healthcare-privacy-skills
Conducts HIPAA risk analysis per 45 CFR §164.308(a)(1) and OCR guidance for ePHI, covering threat identification, vulnerability assessment, risk scoring, and mitigation planning.
`npx claudepluginhub mukul975/privacy-data-protection-skills --plugin healthcare-privacy-skills`

This skill uses the workspace's default tool permissions.
The HIPAA Security Rule requires covered entities and business associates to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the organization. Risk analysis under §164.308(a)(1)(ii)(A) is the foundational requirement of the Security Rule — it drives all subsequent safeguard decisions. OCR has identified failure to conduct a comprehensive, enterprise-wide risk analysis as the most common finding in breach investigations and compliance reviews. The risk analysis must be ongoing, not a one-time event, and must be updated whenever significant changes occur in the environment or in response to security incidents.
45 CFR §164.308(a)(1)(ii)(A) — Risk Analysis (Required):
"Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate."
45 CFR §164.308(a)(1)(ii)(B) — Risk Management (Required):
"Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a)."
OCR published "Guidance on Risk Analysis Requirements under the HIPAA Security Rule" (July 14, 2010) establishing nine essential elements that an adequate risk analysis must address. This guidance, while not binding regulation, represents OCR's enforcement expectations and has been consistently applied in settlement agreements and corrective action plans.
The risk analysis must encompass all ePHI that the organization creates, receives, maintains, or transmits, in every form and location:
Asclepius Health Network Scope Inventory:
| ePHI Location | System/Medium | Data Categories | Volume |
|---|---|---|---|
| Electronic Health Record (Epic) | Production servers, disaster recovery site | Complete clinical records, demographics, insurance | 4.2 million patient records |
| Practice Management System | Cloud-hosted (Azure US East) | Scheduling, billing, referrals | 4.2 million patients |
| Laboratory Information System | On-premises servers | Lab orders, results, specimen tracking | 12 million results annually |
| Radiology PACS | On-premises SAN storage | Diagnostic images, reports | 850 TB imaging data |
| Email System (Exchange Online) | Microsoft 365 tenant | Incidental ePHI in clinical communications | Estimated 15,000 messages/day containing ePHI |
| Mobile Devices | 3,200 organization-owned tablets, 800 BYOD smartphones | Clinical reference, secure messaging, patient photos | Variable |
| Medical Devices | 1,400 networked devices (infusion pumps, monitors, ventilators) | Real-time patient data, device logs | Continuous streaming |
| Paper-to-digital Conversion | Scanning workstations, OCR servers | Scanned historical records, faxed referrals | 2,000 pages/day |
| Business Associate Systems | 47 BA relationships with ePHI access | Varies by BA (billing, transcription, cloud hosting, analytics) | Varies |
| Backup and Archive | Tape library, offsite vault, cloud archive | Complete system backups | 6-year retention |
| Health Information Exchange | Regional HIE platform | ADT feeds, CCD documents, lab results | 150,000 transactions/month |
Identify and document where ePHI is stored, received, maintained, or transmitted. Methods include:
| Threat Category | Specific Threats | Source |
|---|---|---|
| Natural | Flood, earthquake, tornado, hurricane, wildfire, pandemic | Geographic and climate risk assessment |
| Human — Intentional | Hacking/IT incident, ransomware, phishing, insider theft, social engineering, nation-state APT | FBI IC3 reports, HHS cybersecurity alerts, threat intelligence feeds |
| Human — Unintentional | Misdirected email/fax, lost device, improper disposal, misconfiguration, training failure | Incident history, OCR breach portal patterns |
| Environmental | Power failure, HVAC failure, water damage, fire, electromagnetic interference | Facility assessments, utility reliability data |
| Technical | Software vulnerability, hardware failure, network outage, cryptographic weakness | CVE databases, vendor advisories, penetration test results |
Document existing safeguards and their effectiveness:
Asclepius Health Network Current Controls Assessment (Sample):
| Control Area | Implemented Measure | Effectiveness Rating | Gap Identified |
|---|---|---|---|
| Access Control | Role-based access in EHR with unique user IDs | Effective | Quarterly access reviews not consistently completed for all departments |
| Encryption at Rest | AES-256 FDE on servers and endpoints | Effective | 12 legacy medical devices running unencrypted embedded systems |
| Encryption in Transit | TLS 1.2+ enforced on all external connections | Effective | 3 internal legacy interfaces still using TLS 1.0 |
| Audit Logging | Centralized SIEM with 6-year retention | Effective | Log review staffing insufficient for alert volume |
| Backup | Daily incremental, weekly full, offsite replication | Effective | Restore testing frequency needs improvement |
| Physical Security | Badge access, CCTV, visitor management | Partially Effective | Server room access badge list includes 15 individuals who no longer require access |
| Anti-Malware | EDR deployed on all managed endpoints | Effective | Coverage gap on BYOD devices with MDM enrollment below 100% |
| Patch Management | Monthly patch cycle, 14-day critical patch SLA | Partially Effective | Medical device patching delayed by manufacturer certification requirements |
Assign likelihood ratings based on threat capability, motivation, and existing controls:
| Likelihood Level | Definition | Scoring |
|---|---|---|
| Very High | Almost certain to occur within the next year; active exploitation observed | 5 |
| High | Likely to occur; threat source is capable and motivated; controls have known weaknesses | 4 |
| Medium | Possible occurrence; threat source exists and has some capability; controls are partially effective | 3 |
| Low | Unlikely but possible; limited threat capability or motivation; controls are generally effective | 2 |
| Very Low | Remote possibility; no known threat source targeting this vulnerability; strong controls in place | 1 |
Assess the magnitude of harm if a threat exploits a vulnerability:
| Impact Level | Definition | Examples | Scoring |
|---|---|---|---|
| Critical | Catastrophic harm to individuals or organization | Breach of >500K records, permanent patient harm from data integrity failure, organizational insolvency | 5 |
| High | Significant harm to many individuals or severe organizational impact | Breach of 10K-500K records, extended system outage affecting patient care, OCR investigation | 4 |
| Medium | Moderate harm to limited individuals or substantial operational disruption | Breach of 500-10K records, multi-day system unavailability, significant remediation costs | 3 |
| Low | Limited harm to few individuals or manageable operational impact | Breach of <500 records, brief system disruption, contained incident | 2 |
| Negligible | Minimal or no harm | No ePHI exposure confirmed, minor operational inconvenience | 1 |
Risk is calculated as the product of likelihood and impact:
Risk Score = Likelihood × Impact
| Risk Score | Risk Level | Action Required |
|---|---|---|
| 20-25 | Critical | Immediate mitigation required; senior leadership notification; consider system suspension |
| 12-19 | High | Mitigation plan required within 30 days; management approval to accept risk |
| 6-11 | Medium | Mitigation plan required within 90 days; documented risk acceptance alternative |
| 2-5 | Low | Monitor and address in normal operations; annual review |
| 1 | Minimal | Accept and document; review at next scheduled risk analysis |
Asclepius Health Network Risk Register (Sample Entries):
| Risk ID | Threat/Vulnerability | Likelihood | Impact | Risk Score | Risk Level |
|---|---|---|---|---|---|
| R-001 | Ransomware attack on clinical systems | 4 (High) | 5 (Critical) | 20 | Critical |
| R-002 | Insider unauthorized access to celebrity patient records | 4 (High) | 3 (Medium) | 12 | High |
| R-003 | Unencrypted legacy medical device data exposure | 3 (Medium) | 4 (High) | 12 | High |
| R-004 | Phishing leading to credential compromise | 4 (High) | 4 (High) | 16 | High |
| R-005 | Lost/stolen unencrypted mobile device | 2 (Low) | 3 (Medium) | 6 | Medium |
| R-006 | Misdirected fax containing ePHI | 3 (Medium) | 2 (Low) | 6 | Medium |
| R-007 | Natural disaster affecting primary data center | 2 (Low) | 5 (Critical) | 10 | Medium |
The risk analysis must be documented in sufficient detail to demonstrate:
Required Documentation Components:
The risk analysis is not a one-time activity. It must be updated:
For each risk above the organization's acceptable risk threshold, develop and implement a mitigation plan:
Mitigation Plan Template (Risk R-001: Ransomware):
| Element | Detail |
|---|---|
| Risk ID | R-001 |
| Risk Description | Ransomware attack encrypting clinical systems, rendering ePHI unavailable |
| Current Risk Score | 20 (Critical) |
| Mitigation Measures | (1) Deploy advanced EDR with behavioral ransomware detection; (2) Implement network segmentation isolating clinical systems; (3) Maintain immutable backup copies with air-gapped storage; (4) Conduct quarterly tabletop ransomware exercises; (5) Implement application whitelisting on clinical workstations |
| Implementation Timeline | EDR: Complete; Segmentation: 60 days; Immutable backups: 90 days; Tabletop: Quarterly; Whitelisting: 120 days |
| Responsible Party | CISO (overall); Network Engineering (segmentation); Backup Administrator (immutable backups) |
| Target Risk Score | 8 (Medium) — likelihood reduced from 4 to 2 through layered controls |
| Residual Risk Acceptance | Approved by CIO and CPO on documented risk acceptance form |
| Review Date | Next comprehensive review or 90 days post-implementation |
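The scoring model above (Risk Score = Likelihood × Impact, banded into the five risk levels) and the mitigation plan's target-score step are easy to get wrong by hand across a register of hundreds of entries, so here is a small added example script that applies them. It is not part of the skill or of the Asclepius Health Network material: the band table and the seven register rows are copied from the tables above, while the `PLAN_REQUIRED_LEVELS` threshold, the `has_mitigation_plan` flags on entries other than R-001, and the R-004 residual calculation (likelihood cut from 4 to 2) are assumptions constructed for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from typing import Optional

# Inclusive score bands, risk level and required action, from the Risk Score table above.
RISK_BANDS = (
    (20, 25, "Critical", "Immediate mitigation; senior leadership notification; consider system suspension"),
    (12, 19, "High", "Mitigation plan within 30 days; management approval to accept risk"),
    (6, 11, "Medium", "Mitigation plan within 90 days; documented risk acceptance alternative"),
    (2, 5, "Low", "Monitor and address in normal operations; annual review"),
    (1, 1, "Minimal", "Accept and document; review at next scheduled risk analysis"),
)

# Assumption for this example: levels whose band text demands a mitigation plan.
# The page leaves the acceptable-risk threshold to the organisation.
PLAN_REQUIRED_LEVELS = {"Critical", "High", "Medium"}


def risk_score(likelihood: int, impact: int) -> int:
    """Risk Score = Likelihood x Impact, each an integer on the 1-5 scale."""
    if likelihood not in range(1, 6) or impact not in range(1, 6):
        raise ValueError("likelihood and impact must be integers from 1 to 5")
    return likelihood * impact


def band_for(score: int) -> tuple[str, str]:
    """Return (risk level, required action) for a 1-25 score."""
    for low, high, level, action in RISK_BANDS:
        if low <= score <= high:
            return level, action
    raise ValueError(f"score {score} is outside the 1-25 range")


@dataclass
class RiskEntry:
    risk_id: str
    threat: str
    likelihood: int
    impact: int
    has_mitigation_plan: bool = False  # True once a documented plan exists

    @property
    def score(self) -> int:
        return risk_score(self.likelihood, self.impact)

    @property
    def level(self) -> str:
        return band_for(self.score)[0]


def residual_score(entry: RiskEntry, new_likelihood: Optional[int] = None,
                   new_impact: Optional[int] = None) -> int:
    """Target score once controls lower likelihood and/or impact (same formula)."""
    lik = entry.likelihood if new_likelihood is None else new_likelihood
    imp = entry.impact if new_impact is None else new_impact
    return risk_score(lik, imp)


def missing_plans(register: list[RiskEntry]) -> list[str]:
    """IDs of entries whose level mandates a mitigation plan but that record none."""
    return [e.risk_id for e in register
            if e.level in PLAN_REQUIRED_LEVELS and not e.has_mitigation_plan]


def check_recorded_scores(rows: list[tuple[str, str, int, int, int, str]]) -> list[str]:
    """Flag rows (id, threat, likelihood, impact, recorded score, recorded level) that disagree with the formula."""
    problems = []
    for risk_id, _threat, lik, imp, rec_score, rec_level in rows:
        score = risk_score(lik, imp)
        level = band_for(score)[0]
        if score != rec_score or level != rec_level:
            problems.append(f"{risk_id}: computed {score}/{level}, recorded {rec_score}/{rec_level}")
    return problems


# Sample rows copied from the Asclepius Health Network risk register above:
# (risk_id, threat, likelihood, impact, recorded score, recorded level).
SAMPLE_ROWS = [
    ("R-001", "Ransomware attack on clinical systems", 4, 5, 20, "Critical"),
    ("R-002", "Insider unauthorized access to celebrity patient records", 4, 3, 12, "High"),
    ("R-003", "Unencrypted legacy medical device data exposure", 3, 4, 12, "High"),
    ("R-004", "Phishing leading to credential compromise", 4, 4, 16, "High"),
    ("R-005", "Lost/stolen unencrypted mobile device", 2, 3, 6, "Medium"),
    ("R-006", "Misdirected fax containing ePHI", 3, 2, 6, "Medium"),
    ("R-007", "Natural disaster affecting primary data center", 2, 5, 10, "Medium"),
]
# Only R-001 has the documented plan shown above; the other flags are an assumption.
SAMPLE_REGISTER = [RiskEntry(rid, threat, lik, imp) for rid, threat, lik, imp, _s, _l in SAMPLE_ROWS]
SAMPLE_REGISTER[0].has_mitigation_plan = True

if __name__ == "__main__":
    for e in SAMPLE_REGISTER:
        print(f"{e.risk_id} {e.score:>2} {e.level:<8} {band_for(e.score)[1]}")
    print("inconsistent rows:", check_recorded_scores(SAMPLE_ROWS) or "none")
    print("entries still needing a plan:", missing_plans(SAMPLE_REGISTER))
    # Constructed case: phishing controls cut R-004 likelihood from 4 to 2, so 16 becomes 8.
    print("R-004 residual:", residual_score(SAMPLE_REGISTER[3], new_likelihood=2))
```

`check_recorded_scores` is the check worth running before a register is signed off: a row whose recorded level disagrees with the formula is exactly the kind of documentation inconsistency that undermines the "accurate and thorough" standard, and `missing_plans` lists the entries that still need a plan or a documented risk acceptance under the band table.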
OCR consistently identifies the following deficiencies in risk analyses:
Risk analysis deficiency is cited in the majority of OCR enforcement actions: