Introduction
The purpose of a risk assessment is to identify threats and vulnerabilities and develop a plan to mitigate the risks identified within the assessment. Like all processes, we can make it easy or extremely complicated and difficult. Planning is the key.
CIA triad
The CIA triad consists of three elements: Confidentiality, Integrity, and Availability of data and data systems.
Confidentiality simply means controlling access to those who have a legitimate need to know. Integrity is ensuring that the data has not been tampered with; and Availability means that the data can be accessed and used by those who need to access the data.
This is a relatively simple concept that has far-reaching impact in the world of healthcare and HIPAA.
A risk assessment will help administrators and compliance staff identify risks to their medical practices before they become a problem.
The Department of Health and Human Services requires an annual risk analysis.
Risk Analysis and the Security Rule
The Department of Health and Human Services through its lower level agencies requires an annual Risk Assessment. This Risk Assessment is based on Special Publication 800-66, of the National Institute of Standards and Technology, which provides instructions for performing a Risk Analysis as defined by the HIPAA Security Rule.
The outcome of the risk analysis is critical to discovering and mitigating actual and potential vulnerabilities in your information systems and workflow practices.
Non-compliance can cost your company money due to fines and penalties.
Risk analysis process
Like anything else, conducting a risk analysis is a process, and the first one can make it seem like a daunting task. Let’s tame this beast.
The first step is to understand the basic information and definitions related to conducting a risk assessment.
Definitions
Have you heard the old joke about how you eat an elephant? Answer: One bite at a time.
This joke could have been written expressly for conducting risk assessments.
First, we need to know the jargon used in the process. We need to develop a baseline to understand what we’re going to do, how we’re going to do it, and ultimately what we’re going to do with it.
Vulnerability
NIST SP 800-33 defines a vulnerability as “a flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.”
No system is free of vulnerabilities. Vulnerabilities arise from coding errors, procedural changes, system or software updates, and threat changes over time. The analyst must be aware of evolving threats and vulnerabilities, while actively working to resolve currently defined issues.
This process never ends.
Threats
A threat is “the potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.”
A vulnerability is not necessarily a problem until there is a threat to exploit the vulnerability. Common natural hazards are fire, flood, or tornado. Human threats are computer attacks, careless monitoring of ePHI, or inadvertent data exposure. Environmental threats are things like power failures.
Risks
Risk is defined by the presence of a vulnerability that can be exploited by an appropriate threat. You can’t have one without the other.
The level of risk is determined by the expected level of harm that could result from exploiting the vulnerability combined with the probability of exploiting the vulnerability.
Risk = Severity of potential harm + Likelihood of Threat
Elements of a risk assessment
By breaking the risk assessment process into smaller, more manageable parts, we are able to complete our task quickly and efficiently. Well, at least efficiently.
Scope
The scope of a risk analysis is understanding what the analyst is trying to determine. Different industries have different requirements, so the analyst must be up to date on their processes and procedures.
In the scope, the analyst and the business entity clearly define the objectives of the project. They determine how to achieve those objectives and how the necessary data can be collected during the risk management process.
Data collection
Care must be taken not to compromise ePHI during this data collection process. Part of the data collection process concerns how protected data is stored and should be treated like any other data point.
Identify potential threats and vulnerabilities
As each threat or vulnerability is identified, it must be recorded for evaluation. This evaluation should include the level of risk if the threat or vulnerability were exploited.
The analyst can only mitigate known risks. This is why it is essential that the Risk Assessment Team has access to the data.
Assess current security and potential measures
All identified risks, threats and vulnerabilities must be assessed. Some risk will always be present. The analyst must categorize each one by how much harm it could cause and how likely it is, and then develop security measures to address the perceived risk.
Determine the probability of occurrence of threats
The likelihood rating is based on the probability that the vulnerability will actually be exploited. If that probability is low, the event is less likely to happen, and the resulting risk is lower.
Determine the potential impact
Putting it all together allows the analyst to determine the potential impact of a specific event. For example, if your area is prone to flooding, how would that affect your business?
Determine the level of risk
Combining all the data you have collected into a risk matrix or risk register will help you determine the potential for harm.
For example: if the potential for harm is low and the probability of occurrence is low, then your risk will be low. However, if either of these items has a medium or high rating, your risk potential increases.
Using a risk register is essential to completing your risk assessment correctly.
Finalize the document and report
After collecting and analyzing your data, you will need to submit a risk assessment report. This report must be clear and concise, detailing all the activities that were carried out, their results and potential risks.
The HHS website has some tools to help with this effort.
Risk mitigation
Risk mitigation is often the most difficult part of completing a risk analysis, as the actual money and resources now need to be allocated. Establishing a priority list here is essential.
Your goal is to mitigate every identified issue. You probably won’t hit that goal, but you should try. At a minimum, start your mitigation with the most dangerous items first and work your way down the list in order of severity.
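The risk register described under “Determine the level of risk” and the severity-ordered mitigation list described above can be kept in one small structure. The following is an added example, not code from the original article or from HHS/NIST: it rates each entry on Low/Medium/High scales for potential harm and likelihood, combines them with the article’s “Severity + Likelihood” formula (the numeric scale values and the Low/Medium/High cut-offs are this example’s assumptions), and sorts the register so the highest-risk items come first. The sample entries are constructed for illustration.

```python
"""Minimal risk register for a HIPAA-style risk analysis (added example)."""
from dataclasses import dataclass, field

# Ordinal scale for both harm and likelihood (assumption of this example).
SCALE = {"low": 1, "medium": 2, "high": 3}


def risk_level(harm: str, likelihood: str) -> str:
    """Combine severity of harm and likelihood of threat into a risk level.

    Uses the additive form "Severity + Likelihood"; the cut-offs are an
    assumption: only low+low stays low, and any high/medium input raises it.
    """
    score = SCALE[harm.lower()] + SCALE[likelihood.lower()]
    if score <= 2:
        return "low"
    if score <= 4:
        return "medium"
    return "high"


@dataclass
class RiskEntry:
    """One row of the risk register: a vulnerability paired with its threat."""
    asset: str
    vulnerability: str
    threat: str
    harm: str          # low / medium / high
    likelihood: str    # low / medium / high
    mitigation: str = ""
    level: str = field(init=False)

    def __post_init__(self) -> None:
        self.level = risk_level(self.harm, self.likelihood)


# Constructed sample entries for a small practice (not real findings).
SAMPLE_ENTRIES = [
    RiskEntry("EHR server", "operating system patches months behind",
              "malware / ransomware", "high", "medium",
              "apply vendor patches on a monthly cycle"),
    RiskEntry("Front-desk workstation", "screen visible from waiting room",
              "inadvertent ePHI exposure", "medium", "high",
              "privacy filter and auto-lock after 2 minutes"),
    RiskEntry("Server room", "ground-floor location in a flood-prone area",
              "flood", "high", "low",
              "offsite encrypted backups; raise equipment off the floor"),
    RiskEntry("Backup media", "tapes stored encrypted at a vaulting service",
              "theft", "low", "low",
              "keep key management separate from media"),
]

_ORDER = {"high": 0, "medium": 1, "low": 2}


def prioritize(register: list[RiskEntry]) -> list[RiskEntry]:
    """Order entries for mitigation: highest risk level first, then by harm."""
    return sorted(register, key=lambda e: (_ORDER[e.level],
                                           -SCALE[e.harm.lower()], e.asset))


def summarize(register: list[RiskEntry]) -> dict[str, int]:
    """Count entries at each risk level for the report's summary section."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for entry in register:
        counts[entry.level] += 1
    return counts


def report_lines(register: list[RiskEntry]) -> list[str]:
    """Render the prioritized register as plain-text report lines."""
    lines = [f"{'Level':<7} {'Asset':<22} Threat / mitigation"]
    for e in prioritize(register):
        lines.append(f"{e.level.upper():<7} {e.asset:<22} "
                     f"{e.threat} -> {e.mitigation}")
    return lines


if __name__ == "__main__":
    print("\n".join(report_lines(SAMPLE_ENTRIES)))
    print(summarize(SAMPLE_ENTRIES))
```

Run as a script, the output lists the two high-level items (the unpatched EHR server and the exposed workstation) before the flood scenario, which drops to medium because its likelihood is low even though its harm is high; that is exactly the ordering the mitigation step should start from.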
Continuous updates
By conducting an annual risk assessment, you can ensure you meet compliance standards, protect your patients, and minimize overall risk to your medical practice.
Conclusion
Risk assessments aren’t glamorous or fun, but they are necessary to help prevent security-related issues and comply with government regulations.
Creating an outline of your risk analysis plan and breaking it down into smaller parts will help you complete it with the least amount of time and frustration. Unfortunately, the larger your medical practice, the more complicated the risk assessment will be.
The Department of Health and Human Services has several tools to help you conduct your own risk assessment. Oh, and remember that risk assessments are required!