Have you ever tried to wrangle an octopus? Neither have I, but I imagine the six-arm advantage of the octopus would quickly overpower my best efforts. Health plans and other participants in the Healthcare Insurance Exchange (HIX) face a similar challenge when it comes to security, particularly with risk analysis.

A requirement of the HIPAA Security Rule, a risk analysis assesses the potential risks and vulnerabilities to the confidentiality, integrity, and availability of an organization’s electronic protected health information (ePHI). It is a complex assessment that weighs many factors (threats, vulnerabilities, likelihood, and impact), and it is a difficult-enough task within one’s own ecosystem. Raised to the level of a healthcare insurance exchange, risk analysis becomes exponentially more complicated.

The biggest problem is what I call the “mosaic theory”: the risks of data held in disparate places—the arms of the octopus, if you will—now being brought together in one place. Under the new healthcare system, the Department of Health and Human Services (HHS) operates a central data hub that connects participating state health insurance exchanges with federal government agencies—such as the Treasury Department and the Internal Revenue Service—and with other state agencies to verify enrollees’ eligibility. While the government hub doesn’t store data on individuals, there is a risk that identity thieves could impersonate one participating organization and, through the hub, gain access to data held by another. Isolating and resolving security problems in such a complex web of systems is difficult at best.

Three Tips for Successful Risk Analysis in the Exchange

Despite these challenges, I believe that risk analysis will be critical to the future security and thus success of the federal and state exchanges. Here are a few ideas that may help:

1. Do it in good faith. It may be tempting to adopt a “what’s the use” mentality, but that’s the worst thing to do. Besides the legal mandate to conduct risk analysis, doing so demonstrates goodwill to stakeholders and what the Office for Civil Rights (OCR) calls “a culture of compliance”—always a good thing for regulators to see. Smart organizations are proactive.

2. Consider the professionals. Just like you’d leave octopus wrestling to the experts, consider using a reliable third party to tackle the complexities of risk analysis. According to a September Compliance Today article, reposted on the ID Experts blog: “Risk analysis by independent experts can help an organization quickly analyze and benchmark security programs against peer organizations and industry best practices.”

3. Go to the source. No gold standard exists for conducting a risk analysis. However, the federal government does provide guidelines at www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html. These resources are particularly helpful:


Despite our two-arm limitations, I believe we can tackle the security octopus one organization at a time. It starts with an intrinsic commitment to safeguarding data. Every member of a health insurance exchange must build in security from the beginning, not as an afterthought. It has to be part of the system’s DNA. And I’m not just talking about authentication, authorization, and accounting, but also monitoring, risk analysis, and privacy policies and processes.

In other words, the whole creature.

James Christiansen is chief information risk officer of RiskyData, a firm that specializes in information security and privacy management solutions for companies in finance, healthcare, high-tech, government, and more.