Assessment of health care risk


The purpose of a risk assessment is to identify threats and vulnerabilities and develop a plan to mitigate the risks identified in the assessment. Like any process, it can be made easy or extremely complicated and difficult. Planning is key.

C-I-A Triad

The C-I-A triad consists of three elements: confidentiality, integrity and availability of data and data systems.

Confidentiality simply means restricting access to those who have a legitimate need to know. Integrity ensures that the data has not been changed, and availability means that the data can be accessed and used by those who need access to it.

This is a relatively simple concept that has far-reaching impact in the world of healthcare and HIPAA.

A risk assessment will help administrators and compliance staff identify risks to their medical practices before they become a problem.

The Department of Health and Human Services requires an annual risk analysis.

Risk analysis and the Security Rule

The Department of Health and Human Services through its lower-level agencies requires an annual risk assessment. This risk assessment is based on Special Publication 800-66 of the National Institute of Standards and Technology, which provides instructions for conducting a risk analysis as defined in the HIPAA Security Rule.

The outcome of the risk analysis is critical to finding and mitigating actual and potential vulnerabilities in your information systems and workflows.

Failure to comply can cost your business money due to fines and penalties.

Risk Analysis Process

Like everything else, performing a risk analysis is a process, and your first one can seem like an overwhelming task. Let’s tame this beast.

The first step is to understand the basic information and definitions used in conducting a risk assessment.


Have you heard the old joke about how to eat an elephant? Answer: One bite at a time.

This punch line could have been written explicitly for conducting risk assessments.

First, we need to know the jargon used in the process. We need to develop a basis for understanding what to do, how to do it, and finally, what to do with it.


NIST SP 800-33 defines vulnerability as a … “failure or weakness in system security procedures, design, implementation or internal controls that can be exercised (accidentally triggered or intentionally exploited) and result in a security breach or system security policy violation.”

No system is without vulnerabilities. Vulnerabilities occur as a result of coding errors, changes in procedures, system or software updates, and changes over time. The analyst must be aware of the evolution of threats and vulnerabilities while actively working to resolve the problems defined at the moment.

This process never ends.


A threat is “the potential for a person or thing to exert (accidentally trigger or intentionally exploit) a particular vulnerability.”

A vulnerability is not necessarily a problem until there is a threat to exploit the vulnerability. Common natural threats are fires, floods or tornadoes. Human threats are computer hacks, careless control of ePHI, or accidental data exposure. Environmental threats are things like power outages.


Risk is defined by the presence of a vulnerability that can be exploited by an appropriate threat. You cannot have one without the other.

The level of risk is determined by the expected level of damage that may result from the exploitation of the vulnerability combined with the likelihood of the vulnerability being exploited.

Risk = Severity of Potential Damage + Risk of Threat

Elements of a risk assessment

By dividing the risk assessment process into smaller, more manageable pieces, we can accomplish our task quickly and efficiently. Well, at least effectively.

Scope

The scope of a risk analysis is an understanding of what the analyst is trying to determine. Different industries have different requirements, so the analyst needs to be up to date with their processes and procedures.

Within the scope, the analyst and the business unit clearly define the project objectives. They decide how to achieve these goals and how the required data can be collected based on the risk management process.

Data collection

Care should be taken not to compromise ePHI during this data collection process. Part of the data collection process concerns how protected data is stored, and this should be treated like any other data point.

Identify potential threats and vulnerabilities

As each threat or vulnerability is identified, it must be recorded for evaluation. This evaluation should include risk levels if the threat or vulnerability is exploited.

The analyst can only mitigate the known risks. Therefore, it is critical that the risk assessment team has access to the data.

Assess current security and potential measures

All identified risks, threats and vulnerabilities must be evaluated. Some risk will always be present. The analyst must categorize what is harmful and what is possible, and then develop safeguards to correct the perceived risk.

Determine the probability of threat occurrence

Probability is based on how likely the vulnerability is to be exploited. If the probability is low, it is less likely to happen. In that case, the risk is lower.

Determine the potential impact

Putting it all together allows the analyst to determine the potential impact of a particular event. For example, if your area is prone to flooding, how would it impact your business?

Determine the level of risk

Combining all the data you have collected into a risk matrix or risk register will help you determine the potential for harm.

For example: if your identified risk is low, the potential for harm is low and the probability of occurrence is low, then your risk will be low. However, should one of these items have a large or medium impact or probability, your potential for risk increases.

Using a risk register is important for carrying out your risk assessment correctly.

Complete the document and reports

After collecting and analyzing your data, you will need to submit a Risk Assessment report. This report must be clear and concise with detailed information on all activities that have taken place, their results and potential risks.

The HHS site has some tools to help with this effort.

Risk mitigation

Risk mitigation is often the most difficult part of conducting a risk analysis, as actual resources and money must now be allocated. It is important to create a priority list here.

Your goal is to mitigate all negative issues. You probably won’t reach this goal, but you have to try. At the very least, start your mitigation process with the most dangerous processes first and work your way down the list in order of severity.
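
The risk register from "Determine the level of risk" and the priority list described above, sketched in Python as an added example (not part of the original article or any HHS tool). The 1-3 rating scale, the level thresholds and the sample entries are assumptions constructed for illustration; the score follows the article's additive formula.

```python
from dataclasses import dataclass
from typing import Optional

SCALE = {"low": 1, "medium": 2, "high": 3}  # ordinal ratings (assumed scale)

@dataclass
class Entry:
    asset: str
    vulnerability: str
    threat: Optional[str]      # None: no threat identified yet
    likelihood: str = "low"
    impact: str = "low"

    def score(self) -> int:
        """Severity of damage + likelihood, per the article's formula."""
        if self.threat is None:
            return 0  # a vulnerability without a threat is not yet a risk
        try:
            return SCALE[self.impact] + SCALE[self.likelihood]
        except KeyError as bad:
            raise ValueError(f"unknown rating {bad} for {self.asset}") from None

    def level(self) -> str:
        s = self.score()
        if s == 0:
            return "unrated"
        # Thresholds are an assumption: only low + low stays low.
        return "low" if s <= 2 else "medium" if s <= 4 else "high"

def prioritize(register):
    """Highest risk first; ties keep register order (sorted is stable)."""
    return sorted(register, key=lambda e: e.score(), reverse=True)

# Constructed sample register using threat types named in the article.
REGISTER = [
    Entry("Server room", "ground-floor location", "flood", "low", "high"),
    Entry("Front-desk workstation", "screen visible to visitors",
          "accidental ePHI exposure", "medium", "medium"),
    Entry("EHR server", "no backup power", "power outage", "medium", "high"),
    Entry("Fax machine", "default settings", None),
    Entry("Break-room kiosk", "shared login", "careless use", "low", "low"),
]

def report(register=REGISTER):
    """Return (asset, risk level) pairs in mitigation order."""
    return [(e.asset, e.level()) for e in prioritize(register)]

if __name__ == "__main__":
    for asset, level in report():
        print(f"{level:8} {asset}")
```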

Continuous updates

By conducting an annual risk assessment, you can ensure that you meet compliance standards, protect your patients and minimize the overall risk of your medical practice.


Risk assessments are not glamorous or even fun, but they are necessary to prevent security-related problems and meet state regulations.

Creating an outline of your risk analysis plan and dividing it into smaller pieces will help you complete it with the least amount of time and frustration. Unfortunately, the larger your medical practice, the more complicated the risk assessment.

The Department of Health and Human Services has several tools to help you perform your own risk assessment. Oh, and remember risk assessments are required!