At the heart of a HIPAA Risk Analysis are the gaps in an organization’s systems that threaten protected health information (PHI). Uncovering those gaps is the only way to fix the problem because you can’t fix what you can’t see. And what we mean by “fix the problem” is eliminating or reducing the risk of breaches of PHI.
We don’t suggest people strive for perfection since it’s usually not possible – ironclad guarantees are not realistic. And seeking perfection can get in the way of progress. The good news is that HIPAA Risk Analysis and Risk Management can significantly reduce risks, strengthen an organization’s security and improve patient care. They are also required by law: the Security Rule lists both as required implementation specifications (45 CFR 164.308(a)(1)(ii)(A) and (B)).
There is no cookie cutter solution – a thorough HIPAA Risk Analysis is unique because it captures what is unique about one organization and results in a Risk Management plan tailored to the specific risks uncovered in the analysis.
Threats, Vulnerabilities and Risk Assessment
HIPAA law and guidance from NIST use certain defined terms to describe gaps and weaknesses, specifically: threats, vulnerabilities and risks. Each of these concepts is related to the others, and in The HIPAA E-Tool® Risk Analysis module the questions are logically organized so they’re easy to follow and answer.
To answer the questions the way HIPAA requires, it’s important to know how these terms are defined and used.
Last week we discussed Threats and Vulnerabilities. Today we cover the Risk Assessment of each Threat/Vulnerability pair. Quick review:
- A threat is something that can cause a harmful event.
- A vulnerability is a weakness that provides an opening for a harmful event.
Once a Threat is identified it must be paired with a Vulnerability: a Threat with no Vulnerability it could exploit produces no Risk to rate, and a Vulnerability with no Threat behind it is a weakness, not yet a Risk. The next step is to assign a level of risk to each Threat/Vulnerability pair.
Use Best Judgment to Assess Levels of Risk
The Risk Assessment of each Threat/Vulnerability pair takes into account the likelihood of a harmful event happening, and the impact – the kind of effect a harmful event would have on people, organizations and property (e.g., legal, operational, reputational, business or financial).
We recommend that you choose a risk level by using your best judgment to answer two questions.
- What is the likelihood this Threat will actually occur and exploit this Vulnerability?
- If the Threat occurs, how severe will the resulting impact be on the privacy and security of your organization’s PHI (electronic and non-electronic) and on the normal day-to-day operations of your organization? In other words – “How bad could it be?”
The HIPAA E-Tool® provides five options to describe the level of risk: Very Low, Low, Medium, High and Very High. The entire Risk Analysis module is interactive and each section ties in to the Risk Management plan. The risk assessments you choose help create the final Risk Management plan.
A Threat that is very unlikely to occur (earthquake), or where the potential damage or loss is low (because you have a contingency plan), will be sorted as a lower priority than a Threat that is highly likely (cyber attack) and very damaging (potential breach of PHI or shutdown of the business). Each of these questions has a unique answer, depending on your organization: where it’s located, the physical layout, the number of locations, whether software is up to date and protected, whether there are data backups, how much training staff has had, whether there is a Contingency Plan, etc.
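As an added illustration of the two-question rating described above (this is example code, not The HIPAA E-Tool®’s own logic), the script below records Threat/Vulnerability pairs with a likelihood and an impact on the five-point scale, combines them into a single risk level, and orders the pairs the way a Risk Management plan would prioritize them. The combining table is modelled on the qualitative likelihood-by-impact matrix in NIST SP 800-30 Rev. 1 (Appendix I); the exact cell values, the sample pairs and their ratings are assumptions constructed for the example.

```python
"""Risk register for Threat/Vulnerability pairs rated by likelihood and impact.

Added illustration, not The HIPAA E-Tool's own logic. The risk table is
modelled on the qualitative likelihood x impact matrix in NIST SP 800-30
Rev. 1 (Appendix I); treat the exact cell values as an assumption.
"""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """The five-point scale the text uses for likelihood, impact and risk."""
    VERY_LOW = 1
    LOW = 2
    MEDIUM = 3
    HIGH = 4
    VERY_HIGH = 5


# Rows: likelihood; columns: impact (VERY_LOW .. VERY_HIGH). Cell = risk level.
# Assumed matrix modelled on NIST SP 800-30; adjust to your own policy.
_RISK_MATRIX = {
    Level.VERY_LOW:  (Level.VERY_LOW, Level.VERY_LOW, Level.VERY_LOW, Level.LOW,    Level.LOW),
    Level.LOW:       (Level.VERY_LOW, Level.LOW,      Level.LOW,      Level.LOW,    Level.MEDIUM),
    Level.MEDIUM:    (Level.VERY_LOW, Level.LOW,      Level.MEDIUM,   Level.MEDIUM, Level.HIGH),
    Level.HIGH:      (Level.VERY_LOW, Level.LOW,      Level.MEDIUM,   Level.HIGH,   Level.VERY_HIGH),
    Level.VERY_HIGH: (Level.VERY_LOW, Level.LOW,      Level.MEDIUM,   Level.HIGH,   Level.VERY_HIGH),
}


@dataclass(frozen=True)
class ThreatVulnPair:
    threat: str
    vulnerability: str
    likelihood: Level
    impact: Level
    rationale: str = ""  # why these levels were chosen; keep it for the written record

    def __post_init__(self) -> None:
        # A Threat can only be rated once it is paired with a concrete Vulnerability.
        if not self.threat.strip() or not self.vulnerability.strip():
            raise ValueError("every Threat must be paired with a Vulnerability")


def risk_level(likelihood: Level, impact: Level) -> Level:
    """Combine the answers to the two questions into one of the five risk levels."""
    return _RISK_MATRIX[likelihood][impact - 1]


def prioritize(pairs):
    """Highest risk first; ties broken by impact, then likelihood,
    so 'how bad could it be' outranks 'how often' when the risk level is equal."""
    return sorted(
        pairs,
        key=lambda p: (risk_level(p.likelihood, p.impact), p.impact, p.likelihood),
        reverse=True,
    )


def risk_register(pairs):
    """Rows for the Risk Management plan: (threat, vulnerability, risk level name)."""
    return [
        (p.threat, p.vulnerability, risk_level(p.likelihood, p.impact).name)
        for p in prioritize(pairs)
    ]


# Constructed sample pairs mirroring the text's earthquake vs. cyber-attack contrast.
SAMPLE_PAIRS = [
    ThreatVulnPair("Earthquake", "Single site, no off-site backup of ePHI",
                   Level.VERY_LOW, Level.LOW,
                   "Low-seismicity area; tested contingency plan limits the damage"),
    ThreatVulnPair("Ransomware attack", "Unpatched workstations; staff untrained on phishing",
                   Level.HIGH, Level.VERY_HIGH,
                   "Frequent in healthcare; would halt operations and expose PHI"),
    ThreatVulnPair("Lost or stolen laptop", "Laptops holding ePHI are not encrypted",
                   Level.MEDIUM, Level.HIGH,
                   "Mobile clinicians; loss of an unencrypted device is a reportable breach"),
    ThreatVulnPair("Power outage", "No UPS on the EHR server",
                   Level.MEDIUM, Level.LOW,
                   "Backups exist; downtime would be short"),
]

if __name__ == "__main__":
    for threat, vuln, level in risk_register(SAMPLE_PAIRS):
        print(f"{level:9}  {threat}: {vuln}")
```

Running it lists the ransomware pair as Very High, the unencrypted laptop as Medium, the power outage as Low and the earthquake as Very Low, which is the ordering the paragraph above describes. The `rationale` field matters as much as the level: it is the documented judgment an auditor will ask to see.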
By asking the right questions and choosing the (sometimes difficult) answers, you’ve created an honest Risk Management plan, and are on the way to better security and stronger HIPAA compliance.
Finding Risks is the Goal
Don’t be alarmed as you identify Risks.
- Identifying a Risk is a success.
- You must recognize a Risk in order to manage it.
- The U.S. Department of Health and Human Services (HHS), and its Office for Civil Rights (OCR), which enforces HIPAA, does not find fault with an organization for identifying and documenting a Risk; what draws enforcement is failing to look, or failing to act on what was found.
The HIPAA E-Tool® Helps Make Choices
The Step-by-Step Guidance through Risk Analysis in The HIPAA E-Tool® makes it easy. When you have to make choices, listen to good advice.
For more on HIPAA Risk Analysis, start with the basic How to do a Risk Analysis and in more detail, the Security Rule Checklist, the IT Asset Inventory, NIST and HIPAA Risk Analysis, Business Associate Due Diligence, How to Create a HIPAA Contingency Plan and HIPAA Risk Analysis Demystified (covering Threats/Vulnerabilities).
Review those for more guidance on a topic you need help with.