The purpose of a Risk Assessment is to identify threats and vulnerabilities and develop a plan to mitigate the risks identified within the assessment. Like all processes, we can make it easy or extremely complicated and difficult. Planning is the key.
The C-I-A triad consists of three elements: Confidentiality, Integrity and Availability of data and data systems.
Confidentiality simply means controlling access to those who have a legitimate need to know. Integrity is ensuring that the data hasn’t been altered; and Availability means the data can be accessed and used by those who need to access the data.
This is a relatively simple concept that has far-reaching impact in the world of Healthcare and HIPAA.
A Risk Assessment will help administrators and compliance personnel identify risks to their medical practices before they become a problem.
An annual Risk Analysis is required by the Department of Health and Human Services.
Risk Analysis and the Security Rule
The Department of Health and Human Services through its lower level agencies requires an annual Risk Assessment. This Risk Assessment is based on Special Publication 800-66, by the National Institute of Standards and Technology, which provides instructions for conducting a Risk Analysis as defined by the HIPAA Security Rule.
The outcome of the Risk Analysis is critical to discovering and mitigating actual and potential vulnerabilities from your information systems and workflow practices.
Failure to comply may cost your business money due to fines and penalties.
Risk Analysis Process
Like anything else conducting a Risk Analysis is a process and your first one can make it seem like an overwhelming task. Let’s tame this beast.
The first step is to understand the basic information and definitions regarding conducting a Risk Assessment.
Have you heard the old joke about how do you eat an elephant? Answer: One bite at a time.
This punch line could have been expressly written for conducting risk assessments.
First, we need to know the jargon used in the process. We need to develop a baseline for understanding what we are going to do, how we do it, and finally what are we going to do with it.
NIST SP 800-33 defines vulnerability as a… ” flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system security policy.”
No system is without vulnerabilities. Vulnerabilities arise out of coding errors, changes to procedures, system or software updates, and changes of threats over time. The analyst must be aware of evolving threats and vulnerabilities, while actively working to resolve currently defines problems.
This process never ends.
A threat is “the potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.
A vulnerability isn’t necessarily an issue until there is a threat to exploit the vulnerability. Common natural threats are fires, floods, or tornados. Human threats are computer hacks, careless control of ePHI, or inadvertent data exposure. Environmental threats are things like power failures.
Risk is defined by the presence of a vulnerability that can be exploited by an appropriate threat. You can’t have one without the other.
The level of risk is determined by the expected level of damage that could result from the vulnerability being exploited combined with the likelihood of the vulnerability being exploited.
Risk = Severity of potential damage + Likelihood of the Threat
Elements of a Risk Assessment
By breaking the Risk Assessment process into smaller, more manageable pieces, we can complete our task quickly and efficiently. Well at least efficiently.
The Scope of a Risk Analysis in an understanding of what the analyst is attempting to determine. Different industries have difference requirements so the Analyst must be up to date on their processes and procedures.
In the scope, the analyst and the business entity clearly define the goals of the project. They determine how to accomplish those goals, and how the required data can be gathered based during the Risk Management process.
Care must be taken to not compromise ePHI during this data collection process. Part of the data collecting process refers to how protected data is stored and should be treated like any other data point.
Identify Potential Threats and Vulnerabilities
As each threat or vulnerability is identified, it must be recorded for evaluation. This evaluation should include, level of risk should the threat or vulnerability be exploited.
The analyst can only mitigate risks that are known. This is why it is critical that the Risk Assessment Team have access to the data.
Assess Current Security and Potential Measures
All identified risks, threats and vulnerabilities must be evaluated. Some risk will always be present. The analyst must categorize what is harmful and what is possible, and then develop security measures to correct the perceived risk.
Determine the Likelihood of Threat Occurrence
Likelihood is based on how likely the vulnerability is to be exploited. If the likelihood is low then it is less likely to happen. If so, then the risk is lower.
Determine the Potential Impact
Putting everything together allows the analyst to determine the potential impact of a specific event. For example, if your area is prone to flooding, how would that affect your business?
Determine the Level of Risk
Combining all the data you have collected into a Risk Matrix or Risk Register will help you determine the potential for damage.
For example: If your identified risk is low, the potential for damage is low and the likelihood of occurrence is low; then your risk will be low. However, should one of these items be high or medium impact or likelihood, then your potential for risk will be increased.
Using a risk register is essential to completing your risk assessment properly.
Finalize the Document and Report
After gathering and analyzing your data you will need to present a report Risk Assessment. This report must be clear and concise, detailing all activities that took place, their outcomes and potential risks.
The HHS website has some tools to assist with this effort.
Risk mitigation is often the hardest part of completing a Risk Analysis in that now actual resources and money must be allocated. Establishing a priority list here is essential.
Your goal is to mitigate all negative issues. You probably won’t reach that goal, but you should try. At the very least, you should start you mitigation process with the most dangerous processes first and work your way down the list in order of severity.
By conducting an annual Risk Assessment, you can ensure you are meeting compliance standards, protecting your patients, and minimizing the overall risk to your medical practice.
Risk Assessments aren’t glamorous or even fun, but they are necessary to help prevent security related problems and meet governmental regulations.
Creating an outline of your Risk Analysis plan and breaking it into smaller pieces will help you complete it with the least amount of time and frustration. Unfortunately, the larger your medical practice, the more complicated the Risk Assessment.
The department of Health and Human services has several tools to help you conduct your own Risk Assessment. Oh, and remember Risk Assessments are required!