HIPAA Risk Analysis Demystified

Risk Analysis – Risk Management is the heart of HIPAA compliance.

Compliance also requires policies, the right forms, and workforce training. But if you have policies and don’t do the Risk Analysis every year you are vulnerable – to cybercrime, insider threats, an OCR investigation or a lawsuit. Doing your own Risk Analysis is much less time consuming and less expensive.

Some call it a Security Risk Assessment or a HIPAA Risk Assessment. We use the term Risk Analysis – Risk Management because it’s all-encompassing, following the HIPAA Privacy and Security Rules and guidance from the National Institute of Standards and Technology (NIST). This blog focusses on Threats and Vulnerabilities, and uses terminology from the Office for Civil Rights (OCR), the agency which enforces HIPAA, and NIST.

We have covered other HIPAA Risk Analysis topics, starting with the basic How to do a Risk Analysis and in more detail, the Security Rule Checklist, the IT Asset Inventory, NIST and HIPAA Risk Analysis, Business Associate Due Diligence and How to Create a HIPAA Contingency Plan.  Review those for more guidance on a topic you need help with.

HIPAA Risk Analysis Gives You a Risk Management Plan

The key to a successful Risk Analysis is to not worry about getting an “A” grade. In fact, the whole point is uncover problems and issues known as Threats, Vulnerabilities and Risks. Every organization has them, but you can’t fix what you don’t know about. Look at the Risk Analysis as an opportunity to get to know your organization better, and make it stronger.

Today we will cover the concepts of Threats and Vulnerabilities. Next week we will talk about assessing the Risks of those Threats and Vulnerabilities. All of these concepts are defined under HIPAA and are woven throughout a HIPAA Risk Analysis.

What is a Threat?

A Threat is something that can cause a harmful event.

A Threat can occur in nature, the environment or be done by a person, which can accidentally trigger or intentionally exploit a vulnerability in your organization and cause a risk to the privacy and security of Protected Health Information (PHI) maintained by your organization, including both electronic and non-electronic PHI.

There are Four Categories of Threats

Natural Threats – for example, hurricanes, earthquakes, tornadoes, floods, wildfires, landslides, avalanches or electrical storms.

Note: The geographic location of a Facility is closely connected to identifying a specific Natural Threat. For example, a Hurricane is a likely Threat on the Gulf and Atlantic Coasts as is an Earthquake in California and a Tornado in the Midwest.

Intentional Human Threats – for example:

1. Criminals who steal electronic devices or other records from your facility or steal a laptop or USB drive from a staff person’s car;
2. Cyber criminals who infect your system with malicious software by Phishing or exploiting weak passwords;
3. Cyber criminals who get access to your system by exploiting a weak firewall or a software flaw hat has not been updated or is no longer supported by the manufacturer;
4. Nosy people including staff who like gossip about celebrities or people in the community;
5. People in your facility including cleaning crews, visitors and staff who deliberately take PHI for dishonest reasons like using it in a divorce or child custody case, blackmail or to embarrass someone.

Unintentional Human Threats – for example:

1. Staff speaking about a patient in a loud voice on the telephone is overheard by others in a reception room;
2. Staff uses a simple, easily guessed password like “password”, “qwerty” or “abc123” or puts the password on a post-it note;
3. Staff who open Phishing emails, click on pop-ups, leave a workstation turned on at night, leave PHI unattended in a public area or send faxes to the wrong number.

Environmental Threats – for example, air or water supply pollution, hazardous materials released from nearby industrial plants, train or truck accidents, long-term power failure and water or chemical leakage from any source such as broken pipes or valves in the facility.

In The HIPAA E-Tool^® the interactive Risk Analysis module helps you pair Vulnerabilities with Threats, as required by HIPAA. This is the essential heart of HIPAA Risk Management. This is where you find out how to strengthen your own security in a way that is unique to your organization and improve your HIPAA compliance, your way.

Every Threat requires Vulnerability to be paired with it. HIPAA requires this, because the vulnerabilities reveal areas that can be improved.

What is a Vulnerability?

A Vulnerability is a flaw or weakness that provides an opening for a harmful event.

A Vulnerability could be accidentally triggered or intentionally exploited by a Threat causing a risk to the privacy and security of PHI.

Like Threats, Vulnerabilities are based on the specific circumstances of your organization including locations where PHI is maintained, the ability of your staff to recognize Threats and protect EPHI and non-EPHI, the effectiveness of your Contingency Plan and the overall strength of your HIPAA compliance program.

Examples might include: a lack of cybersecurity awareness training; an incomplete Contingency Plan; an outdated facility security system; unprotected software.

Step-by Step Makes it Easy in The HIPAA E-Tool^®   

Take the mystery out of the HIPAA Risk Analysis and gain the confidence you need to manage your own risks. The most complete answer is available in The HIPAA E-Tool^®, with step-by-step guidance covering every HIPAA requirement. And answers to your questions are a phone call away.