How Do We Do a Risk Assessment?
_{May 29, 2018}

HIPAA Law requires healthcare providers, healthcare plans, and healthcare clearinghouses (covered entities) as well as business associates to have formal or informal policies or to conduct an accurate assessment of potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information (ePHI) (refer to 45 CFR § 164.308(a)(1)(ii)(A). However, many organizations do not understand how to perform the required risk assessments and would require assistance on such activity.

Risk Analysis is the first step in identifying and implementing safeguards that will ensure the confidentiality, integrity and availability of ePHI. There is no mention in the Security Rules of any specific methodology that the organization needs to use in order to assess the risks to ePHI. There is also no requirement to any special format for your risk analysis documentation. It is important to note that Risk Assessment is the foundational step in attaining HIPAA compliance and one of the key factor in preventing ePHI data breaches that as of the first quarter of this year is almost reaching to a million cases.

So, how do we do a Risk Assessment? The NIST Special Publication 800-66 has given us these steps on conducting Risk Assessment but not in a sequential manner as some of the steps can be conducted simultaneously.

1. Define the Scope of the Assessment

The scope of the risk assessment shall include the physical boundaries of a Covered Entity’s location as well as the logical boundary covering the media containing ePHI, regardless of its location. The scope shall consider the remote workers and telecommuters, removable media, and portable computing devices.

2. Gather Information

The organization needs to identify the circumstances where ePHI is created, received, maintained, processed, or transmitted by CE as well as determine the security controls implemented to protect the ePHI.

3. Identify potential threat sources

The common threat sources as enumerated by the NIST publication are (a) Natural, (b) Human, (c) Environmental. Examine the environments where the ePHI is being used and from there identify the probable threats. Make use of the several external sources of information of these potential threats like online searches, vendor information, data from health plan providers, crime statistics etc.

4. Identify potential vulnerabilities

Vulnerabilities as defined by HIPAA are “a flaw or weakness in a system security procedure, design, implementation, or control that could be intentionally or unintentionally exercised by a threat”.  One good source of software security vulnerabilities list is the National Vulnerability Database wherein the “Common Weakness Enumeration Specification” (CWE) has categorized these software security vulnerabilities.

5. Evaluate current Security Controls

In this step, the organization is to determine if the implemented or planned Security Controls within your organization will eliminate if not at least minimize the risks to ePHI. The organization must know if the security controls (both technical and nontechnical) are adequate to protect ePHI. Also, check if these measures that are required to be put in place in your organization are actually put in place, configured and properly used. It depends on the type and circumstances of an organization as to what is considered to be an appropriate and adequate security measures. The security controls that can be put in place may vary depending on the structure, size as well as the location or geographical coverage of the CE.

6. Determine the likelihood of a Vulnerability from happening as well as the impact of a Threat

Documents within your organization like the ones listed below maybe used to determine the likelihood of vulnerability from happening as well as its relative impact

1. Business Impact Assessment
2. Asset Criticality Assessment
3. Security Objectives and Impact Table

7. Assess the Level of Risk to the IT System

In this stage, the organization will need to assess the likelihood a threat will occur and what are the probable levels of impact when the threat occurs. An example of this matrix is shown here.

8. Recommend Security Controls

The Security Controls to be recommended are expected to reduce the level of risk to the IT system of your organization as well as the data in an acceptable level.  To further assess if the recommended security control will be appropriate for the organization, one must also conduct a Cost-Benefit Analysis on the recommended security controls. This analysis could help in determining the loss in value if the particular IT asset or system remains unprotected. It also determines the cost of protecting those assets. More importantly, this helps prioritize the security controls that needs to be implemented on a particular security risk.

9. Document the Risk Assessment Outcome

The outcome of each step in the risk assessment should all be properly and adequately documented. A Risk Assessment Report can be an ideal tool in documenting the risk assessment results and its three (3) sections are listed below. A sample can be referenced in NIST Special Publication 800-30.

1. an executive summary;
2. the main body containing detailed risk assessment results; and
3. supporting appendices

Learn more about what you need to consider with your Risk Assessment here in our Walkthroughs Checklist. Click here to download. Aim for the golden standard, go beyond the ‘best practices’ and be compliant at your best!