And now the final nitty gritty. Now, you have probably figured out that I like to show rather than tell as much as possible. So, of course, showing certain things is harder than others, but luckily showing you the thing we keep talking about, which is our risk analysis and policies and procedures is a possible thing to do. What I’m about to show you is a risk analysis tool, specifically, it’s the one that we make at Person Centered Tech. It’s our home brewed risk analysis tool, and it’s available to our members. Most of the people watching this training are our members. So if you are, you’ll just get to go right into using it after you finish this training. I also am going to show you a little bit about our policies and procedures templates. Now, check the resources page for this course and you’ll see that we’re not the only ones out there who make these. You can go do alternatives. I’m about to show you ours and yes, there is a commercial interest in that. So I want to make sure to disclose that. And I also want to make sure that you know in the resources handout we tell you about alternative ways to get risk analysis tools or policy and procedure templates, including from free resources, although those resources we find to be either very technical and difficult to use, such as the HIPAA COW tool set, although that’s too bad because HIPAA COW is actually a great resource, even if it is a little too technical. There’s also the NASW tool kit, which we find to be a little anemic. It’s kind of hard to apply it in a practical sense, although it is still there and it’s available to NASW members and you can check the resources page for other options as well. But in the meantime, I’m going to show you what Person Centered Tech provides. Take a look at this. This is a spreadsheet that we’re showing you via Google Docs. I’m gonna move this up here a little bit, give us more space. This is the Person Centered Tech Risk Analysis Tool. 
It’s not the very final version, but it’s one of our working versions. You’ll see it’s a spreadsheet. It doesn’t sound fun. Usually for therapists, mental health clinicians, spreadsheets are one of those things we may have been trying to escape in our careers, or perhaps escape ever having to learn much about, and that’s legit. I’m totally with you there. Part of the point of being in mental health is to be working with people rather than spreadsheets. However, there’s a good reason why risk analysis tools are almost universally built as spreadsheets. In fact, when I talk to our consultants, people we work with to help make sure we’re on track with the way we do things for HIPAA compliance, they would look at our risk analysis materials, back when it wasn’t a spreadsheet yet, and say, where is the spreadsheet? What’s going on? I’m looking for a spreadsheet here. That’s because risk analysis tools are usually spreadsheets. That has a lot to do with the fact that you need to be able to sort things, which I’ll show you towards the end of it. I’m not gonna do a whole demo of this, but I want to give you a general idea of what a risk analysis tool looks like so you can actually conceptualize what getting into risk analysis looks and feels like. It’s often hard to know until you’ve seen it. There’s a few sheets here. I’m not gonna go through all of them. But one that you may have already looked at, when we looked at the unit on tracking where your information is: this is the sheet that we use for helping you to get a big list of all the information you have in your practice. We give a lot of types of PHI that you might have, so that it’s meant to jog your memory, or to get you thinking or brainstorming. 
Often we recommend that people load this up on a tablet computer or a laptop, and as they go about their day and kind of spot things, they say hey, there’s an email there, or there’s client contact and address info in that spot I hadn’t thought about, that kind of thing. You go ahead and make a note here that says I found this info and it’s in this asset, that kind of thing. Then you have an asset inventory here, just like we talked about in that other unit where we talked about asset catalogs and information catalogs. There’s a lot more information here than just about the PHI, because as you do a risk analysis you’re gonna want to learn more stuff about your assets related to how they’re secured and how they’re not secured. For example, over here there’s a spot for writing down what kind of security measures that asset has protecting it. So here we have an example of a MacBook Pro. This is all made up information to give some examples of what you might see in there. So for this MacBook Pro we see current technical: not encrypted, no firewall. That’s not a good scene. We’re gonna find some risks related to this MacBook Pro, I am sure, as you all know at this point in the training. Then the Asset PHI Map sheet is where it’ll show all of your assets across the top, and then underneath each one you list the PHI that’s on it. So this MacBook Pro does video calls. It does emails. It does client payment info, a whole bunch of stuff. So in this sheet you get that big picture where you can compare the assets to the stuff. You remember in the unit in which we talked about tracking your info, we talked about having a list of assets and then listing the information that’s on those assets. This is a sheet where you can do that. So you can see that is part of risk analysis. Any risk analysis tool will have something like it. It looks different on different tools. On some tools it’s much simpler. 
Ours, we make it kind of big so that it’s more automated or easier to follow what’s going on. Different preferences will call for different ways of doing this. This is just how we do it. But all of them want you to be able to compare where your information is to what assets it’s being accessed by or stored on. They want you to know where your information is. That’s a first step. Now, we’ve already talked about that in a previous unit. Let’s talk about this one. This is the real kicker. This is kind of the meat of the risk analysis once you’ve done that initial, very important process of knowing where your information is. Here’s where you start looking at actual risks and assessing the level of those risks. We haven’t talked about risk analysis in this kind of way yet, or at least with this level of specificity. So I want to show you a little bit about how the process works here, alright. On the left we have a threat. I know this is not the kind of language we really like getting into as clinicians. As a counselor I’m not super excited to talk about threats. I never have been as a counselor. But when I’m doing risk analysis, I realize it really is the most precise way to talk about the idea of things or forces that can cause bad stuff to happen regarding my information. So we use the word threat. And you can think of a threat like some kind of antagonist in a story. Threats are sometimes human threats. Sometimes they’re bad circumstances, like a medical emergency. If we’re doing the antagonist in a story concept we can even go all the way down to the bottom of this list, and there’s a lot of them on this list, and see things like the natural disasters. We put those in just one row because we want to let you think about all those independently. But in fact, on a lot of other tools natural disasters are listed out: tornado, earthquake, hurricane, etc., etc. So think of a disaster movie, this is your antagonist. 
It’s just a bad situation. And then along with the antagonist there’s a threat event description. We choose to do this particular method of risk analysis because it kind of relates to risk analysis as a story-telling technique. There’s a number of ways to do risk analysis. And the National Institute of Standards and Technology actually recommends a number of ways, and this is one of them, which is to come up with threat events, which are sort of story starters of how a threat, an antagonist, enters the story of interacting with you and your assets. And the threat event tells you something about it. Like here, here’s one of the hacker threat events: hacker finds and uses discarded paper documents or electronic media in order to get information that helps him or her figure out how to access your electronic services. So in this story, there’s a hacker who finds something, like a discarded USB stick or some paper in your garbage, that has a password on it, and it lets them get into your wifi. Or lets them get into your email account, or something like that. That’s the story starter here. And we see that that story will threaten the confidentiality of the information, also the integrity of the information, and the availability of information. This one can threaten all of those things. And then here it has you consider what circumstances surrounding your practice would cause this threat event to come up or would exacerbate this threat event. What circumstances would prevent it from happening? For example, if you don’t ever use paper or electronic media that you might throw away, that would certainly make it hard for this to come up. So you want to note that here. And then you consider what security measures we already have that cause this story to end happily. Ending happily meaning we don’t have a confidentiality, integrity, or availability breach. That’s a happy ending to this story. 
If you play this tape forward, the hacker somehow finds something you disposed of that gives them the password to, let’s say, your email or something else. What kind of thing would prevent that? Well, a measure that could prevent that from having a bad ending, for example, is if you have two-step login or two-factor authentication, because even though the bad guy has that password to get into your service online, they need more than just the password. They need the password and they need whatever your second step is. Usually it’s like you get a code sent to your phone and you gotta enter the code. Or maybe there’s an app on your phone that has a code in it and then you gotta enter that code along with your password. The bad guy just has your password. They don’t have your second step. In that case, that would actually completely foil the bad guy. In the best case you’d write in here two-factor authentication used on all cloud services, which is actually really unlikely, but you might say something like our policy says we use two-factor authentication wherever it’s available, things like that. Also, we have a disposal policy. A disposal policy prevents disposing of information such as paper or electronic media with info still on it. Like, it says you must shred paper, or delete everything off of a device before you can get rid of it, that kind of thing. Now, those are the kind of security measures that would cause this story to end happily. Like, in this case the bad guy gets your password, goes and tries to log in to your email, and finds they can’t because they can’t do a second factor, because they don’t also have your phone. They would need both things. 
Or the bad guy comes around and finds themselves in a circumstance where they might find something, like maybe they find your old USB stick, but your disposal policy had you delete everything off that before getting rid of it or giving it to someone else, and the hacker gets the USB stick, but there’s nothing useful on it. So this story ends happily, or at least it ends without a breach of your data, because of your security measures. Now, if you didn’t have these, you’re just like, none. None, no measures, and you imagine the story ending with a data breach because the hacker gets into your email or your record system and plays havoc. Now, in any risk analysis tool there’s gonna be a cell where it talks about exactly what I just did, where it talks about what kind of security measures would prevent this bad outcome. Usually a cell like this would be full of recommendations. We didn’t do it that way, because filling a spreadsheet cell with a whole bunch of text is really messy and hard to read. So instead, we have this link that goes to a webpage where we can explore the different things you could do, and links to our member resources that help you figure out how you would stop this threat. It looks like a lot, right? I mean, you see that there’s like 80 of these. It seems like you gotta do a real process with each row. Yeah, risk analysis takes time. That’s the thing. I don’t have a very happy answer to that. I don’t have an answer that says just do it like this and it’ll be done in 15 minutes. There’s no way of doing that with risk analysis. Risk analysis takes time, so you take it in chunks. You do it at the pace you can, and that’s just how it goes. When you’ve done all that stuff of figuring out what your circumstances are and what your measures are, there’s an instruction manual that goes with this that explains how to do this next step, but you assign a likelihood that this particular threat event will cause a breach of confidentiality, integrity, or availability. 
That’s a low, medium, or high, represented as 0.1, 0.5, or 1.0. Now, if I have all of those measures in place, I got my two-factor authentication, I’ve got my disposal policy that helps ensure that I don’t have passwords out there for a hacker to find, then my likelihood that the story will end badly is probably low. That’s what security measures do. Measures change the likelihood. I’m gonna say that again, ’cause this is actually one of the key things to remember here: the security measures that you put into place change likelihood. They change likelihood, ’cause the better the measures are, the lower the likelihood is that the threat event, or the threat, will be able to do what they’re trying to do. In this case, if I got those measures, I say it’s 0.1. It’s a low likelihood. Now, the impact here would be dependent on what kind of information is threatened by this threat. In my case, let’s say I have an email account online that’s full of client information, or I have online records, like a practice management system, in which case the potential for havoc is gigantic. If a hacker manages to get into one of those things, I’m in big trouble. So that’s probably a high impact, which in here is a 10, 50 or 100. So it’s a hundred because that’s high. When I select those it actually shows my overall risk level. You see the risk level thing here is a 10. It’s a green box because 10 out of a hundred is below 25, and that’s considered low. So this is a low risk, even though the potential impact is so high, because my security measures reduce the likelihood to low, so I end up with a lower risk. Now let’s say I don’t have those measures. That’s that none. I haven’t done any of these things. In that case, there’s nothing I’m doing that prevents this outcome. Let’s also imagine that my circumstances are such that the threat’s realistic. 
Now, the circumstances in my case would be: yeah, I have an EHR online; yeah, I have a practice management system online; yeah, we use media to store information about things. All that’s there. The circumstances don’t prevent the threat. They invite the threat. So there’s a full high likelihood that this threat could happen. And then if it does happen, it’s gonna have its full effect. So the likelihood becomes 1.0, in which case our overall risk becomes a hundred and is red. It’s a high risk. So you gotta do that with all of these. That’s the idea. That’s how risk analysis works. Then you have basically this big set of these risks prioritized from high, medium, to low, and there’s a number as well. And then the reason why it’s a spreadsheet, among other things, but one of the main reasons, is then you just select all these rows, and you sort them from highest risk to lowest risk. Your highest risks are on top, and your lowest risks are on the bottom. Then, from there you go on to your risk mitigation plan. We have a sheet for the risk mitigation plan. Most tools actually have a sheet that relates to risk mitigation, where you list your highest risks, you list the things you probably need to do in order to reduce those risks, and then perform a cost benefit analysis for each measure you might put into place. Apparently, for this hacker threat I need to start thinking about two-factor authentication. I need to think about disposal policies. I’m gonna say: implement, add two-factor authentication to password policy; create a disposal policy, so that important info doesn’t leak out, that kind of thing. And then for each of these I need to actually do a little cost benefit analysis. That would be easy; I’d say that’s feasible, so we’re gonna do it. Create a disposal policy, so information doesn’t leak out, but that is also feasible. 
And actually the instructions will generally give you a specific way to do your cost benefit analysis, because HIPAA actually has a system for doing that. It has a rubric you use for cost benefit analysis. So the instructions will explain what that rubric is. Then, if this is a low risk, in this case it’s a high risk, for a hacker our highest risk was high. But if it was a low risk you might say something like no new measures needed. When you have low risks you can decide whether or not you want to do anything new about them. When a risk is low, I might still decide that I’m gonna do some new stuff anyways, even though the risk is already low. And HIPAA actually requires that we decide what to do with those risks that are already low. It says, okay, if a risk is already low you have to have some way of deciding what you’re gonna do. Are you gonna put more measures into place? Or are you going to accept them as they are? Because when it’s a low risk you have the option to accept it. For this one I say no new measures needed, so I’m gonna go ahead and accept the risk, and I’m going to explicitly state yes, I am accepting the risk. No, I am not further mitigating it. That’s what this is saying. It’s because HIPAA requires that you explicitly make that decision about whether you’re going to do more about the low risk, or if you’re gonna go ahead and mitigate it more. You’re gonna add more measures. We have these columns where you explicitly state what you’re gonna do, to show you did that process of making that decision. Then here you talk about your timeline for putting new measures into place. Contingency plans, a whole other thing, date started, date plan implemented. The thing that I want you to notice about this, the existence of this column, is that it indicates that there’s no expectation that you will immediately fix anything. 
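To make the scoring and sorting concrete, here is an added example that is not the Person Centered Tech tool or anyone's real register: a small model of the risk sheet that uses the scales from the walkthrough (likelihood 0.1/0.5/1.0, impact 10/50/100, risk = likelihood × impact, below 25 is low) and flags rows that still lack the explicit accept-or-mitigate decision. The walkthrough only states that 100 is high and below 25 is low, so the medium/high boundary (50) and the third sample row are assumptions.

```python
from dataclasses import dataclass, field

# The sheet's own scales, as described in the walkthrough.
LIKELIHOOD = {"low": 0.1, "medium": 0.5, "high": 1.0}
IMPACT = {"low": 10, "medium": 50, "high": 100}
LOW_BELOW = 25   # from the walkthrough: a score below 25 is low (green)
HIGH_FROM = 50   # ASSUMPTION: the medium/high boundary is not stated; 50 is chosen here


@dataclass
class ThreatEvent:
    threat: str                 # the "antagonist"
    event: str                  # the threat event, i.e. the story starter
    affects: tuple              # which of C, I, A the story threatens
    circumstances: str
    measures: list = field(default_factory=list)   # empty list == "none"
    likelihood: str = "high"    # assigned by the analyst after weighing measures
    impact: str = "high"
    decision: str = ""          # "accept" or "mitigate", required for every row
    plan: str = ""              # new measures, if mitigating

    @property
    def risk(self) -> float:
        # Risk = likelihood x impact, as the spreadsheet cell computes it.
        return round(LIKELIHOOD[self.likelihood] * IMPACT[self.impact], 2)

    @property
    def level(self) -> str:
        if self.risk < LOW_BELOW:
            return "low"
        if self.risk >= HIGH_FROM:
            return "high"
        return "medium"


def score(event: ThreatEvent) -> tuple:
    return event.risk, event.level


def sort_by_risk(rows: list) -> list:
    # The "select all rows and sort" step: highest risk on top.
    return sorted(rows, key=lambda r: r.risk, reverse=True)


def missing_decisions(rows: list) -> list:
    # HIPAA wants an explicit accept-or-mitigate decision for every row,
    # including the low ones; report the rows that still have none.
    return [r.event for r in rows if r.decision not in ("accept", "mitigate")]


# Constructed sample register (not real practice data). The first two rows are
# the walkthrough's hacker story, once with the two measures and once with none.
HACKER_EVENT = ("hacker finds and uses discarded paper documents or electronic "
                "media to figure out how to access your electronic services")
ONLINE = "EHR and practice management system are online"

with_measures = ThreatEvent(
    threat="hacker", event=HACKER_EVENT, affects=("C", "I", "A"), circumstances=ONLINE,
    measures=["two-factor authentication wherever available",
              "disposal policy: shred paper, wipe media before disposal"],
    likelihood="low", impact="high", decision="accept")

no_measures = ThreatEvent(
    threat="hacker", event=HACKER_EVENT + " (no measures)", affects=("C", "I", "A"),
    circumstances=ONLINE, measures=[], likelihood="high", impact="high",
    decision="mitigate", plan="add 2FA to password policy; create disposal policy")

# ASSUMED third row, so the sort has a medium-level risk to place.
disaster = ThreatEvent(
    threat="natural disaster", event="flood destroys the office and its paper records",
    affects=("A",), circumstances="paper charts kept on site, no off-site copy",
    measures=["records kept in a locked cabinet"], likelihood="medium", impact="medium")

REGISTER = [with_measures, disaster, no_measures]


def prioritized() -> list:
    # (threat, risk score, level) from highest to lowest risk, like the sorted sheet.
    return [(r.threat, r.risk, r.level) for r in sort_by_risk(REGISTER)]


if __name__ == "__main__":
    for threat, risk, level in prioritized():
        print(f"{risk:6.1f}  {level:6}  {threat}")
    print("rows still needing an accept/mitigate decision:", missing_decisions(REGISTER))
```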
Once you’re done with your risk analysis, HIPAA, the Office for Civil Rights, your state attorney general, none of these people expect that you’re gonna immediately fix all the problems. Even the high risks. Even if this was a high risk and I needed tons of measures. This is not even a thing. I still fill out a timeline. It’s going to be as soon as I can feasibly do it, except that you don’t say that. You say something like completed by two months from now. But you’d put a real date there. And then you say when you started working on it, and then the date you finished all those measures. So you’ve got documentation of what your plan was, and then documentation of what actually happened. That’s how you document your risk mitigation plan and your risk mitigation process. The nice thing is this spreadsheet then also contains documentation of pretty much the whole risk management process: the risk analysis, what you plan to do about it, when you plan to do it, and then when you actually did it. There’s other sheets involved, or other processes involved, but here you have documentation of the high-level process. Then after risk mitigation, of course, part of all this is you end up with policies. I want to give you guys an idea of what real HIPAA security policies look like. We have a few sets of policies based on what kind of practice you are. If you’re a solo practitioner who has a front desk person or a partner helping you, where it’s just you, but there’s maybe one to three, or however many you need, people who help you as workforce, remember, that’s as workforce. We’re not talking about your business associates. We’re talking about your workforce. That we call Solo+. This would be our policy and procedure set for the Solo+. Now, I’m showing you this to give you an idea of how many documents are involved, so you understand that even though they don’t have to be complex or super detailed, there are still a bunch of different things that you have to address. 
You have to address all of HIPAA’s security standards. So you end up having a lot of headers. And you have several documents, even if they aren’t super complicated. Here, you’ll notice, for example, one of them is a bring your own device policy, which is a policy for when those people who work for you use their own personal devices to work with your protected health information. It’s a policy that defines how they should do that, how they should take care of it, and what they need to do if they want to use their own device to work in our practice. We all need that these days. We all use our own personal devices all the time in every context. So if your practice expects to have other people working in it using devices that aren’t covered in your risk analysis because they are the person’s personal devices, then you have this policy for what they must do with those personal devices, even though you didn’t cover them in your risk analysis. Then there’s all these other things, of course. To give you an idea what that looks like, here is, for example, that all-important sanction policy. That’s part of the workforce management policy. You can see that. It has the bit that’s the sanction procedures. This is how we write our sample sanction procedures: the process you go through for sanctioning somebody who has violated a policy. The Solo set, where you’ve got no one backing you up at all, you see there’s actually still the same number of policies, but they’re a little different. And I can tell you all the contents are a little simpler. For example, for Solo you have the helper management policy. That’s what we call it because you don’t have workforce all the time, but occasionally someone might help you with something, and at the moment they’re helping you, you need to treat them like they’re workforce. There’s this sort of policy for how you go about doing this kind of temporary workforce relationship with somebody without it getting overwhelming. 
That’s what this policy is meant to do. We want to show you the Solo device security policy. It’s actually very similar to the Solo+ one. There’s not much difference between the two. But this is like the technical security policy portion of that policy document. It says all the devices have to use encryption and anti-virus, firewalls. It’s kinda like you learned earlier in the course, but now it’s in a policy. It says this is how it must be, because HIPAA wants you to not just do these things, but have a policy that says you do these things. So that’s what that looks like. Then, of course, there’s a procedure here, really, for onboarding new devices. When you get a new device, you do this process with it to make sure it’s got all the technical security measures it’s supposed to have. These are things you would do after finishing this course anyways if you’re following all of our advice. But here, it’s in a policy, which is what the HIPAA people want you to do. That was the showing. It goes for the whole while, but of course, you can probably tell that digging into this process and doing it yourself will take quite a bit more time than this video. So I wanted to show you as much as I could. Don’t forget, once again, yes, this is our tool. This is the Person Centered Tech tool, and our tool set. If you’re a member watching this course, then all of this is waiting for you to dig in and start using it. And of course, if you’re not, or even if you are a member, and you want to look for alternatives, check out the resources page. Our tool set is not the only way to do this. We think it’s the best, but of course, we made it, so of course we love it. It’s our baby. But there are other options. Check it out. Happy risk analyzing.