HIPAA Risk Analysis
Is HIPAA Risk Analysis a requirement?
To comply with § 164.308, an organization must conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity and availability (CIA) of e-PHI held by the covered entity or business associate.
When should a HIPAA Security Risk Analysis be done?
A covered entity or business associate should conduct a security risk analysis periodically to update and document its security measures as needed, and when any of the following occurs:
- When new projects, technologies or applications are introduced that have the potential to impact the CIA of e-PHI or otherwise introduce compliance risk to the organization’s network.
- When an exception to an IT policy or standard is submitted that has the potential to affect the security or privacy of e-PHI.
- Before making changes to physical safeguards that could increase vulnerability of computer systems containing e-PHI.
- When there are changes in external factors, including but not limited to new threats or vulnerabilities, regulatory changes, or changes in business requirements or conditions that could impact the CIA of e-PHI.
- When inappropriate disclosure of information has occurred that could impact compliance or present harm to the business, a client or an employee. This could include loss of an unencrypted laptop or other external media or unauthorized access to e-PHI. Please refer to the Breach Notification Rule for further details on assessing risk during a breach or incident affecting CIA of e-PHI.
What is the HIPAA Security Risk Analysis process?
Before beginning a security risk analysis, it is crucial that the covered entity or business associate conduct a data discovery exercise involving all business unit representatives to identify and document where the organization accesses, stores or transmits e-PHI and to identify the assets involved. The risk assessment process must identify the assets and evaluate all threats, vulnerabilities, impact, likelihood and mitigating controls associated with those assets.
- Assets: An asset can be information (data), hardware, software, personnel or a physical facility.
- Threats: Identify and characterize threat sources of concern, including capability, intent, and targeting characteristics for adversarial threats and a range for non-adversarial threats. Identify potential threat events, relevance of the events, and the threat sources that could initiate the events.
- Vulnerabilities: Identify the vulnerabilities associated with the system being evaluated, developing a list of system vulnerabilities that could be exploited by the potential threat sources.
- Impact: An impact assessment should consider the scope and magnitude of the overall business loss expected using measurable terms when possible.
- Likelihood: The likelihood that an event will occur must be considered, taking into account the threat-source motivation and capability, the nature of the associated vulnerability, and the existence and effectiveness of current controls.
- Controls: Analyze the existing controls in place to minimize or eliminate the likelihood of a threat exercising a vulnerability. Controls should be evaluated for their effectiveness to determine residual risk.
The graphic below depicts how these elements can be combined to determine a level of risk.
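As an added illustration (not part of the original page or of any HHS or NIST guidance), the following Python script shows one common way of combining the elements listed above: each asset/threat/vulnerability triple is scored on assumed 1 to 5 likelihood and impact scales, the product gives an inherent risk score, and existing controls reduce either factor before the residual score is computed. The register entries, the 1 to 5 scales, the control effectiveness values and the level thresholds are all constructed for the example and are not prescribed by HIPAA.

```python
from dataclasses import dataclass, field
from fractions import Fraction
from math import ceil

# Assumed ordinal scales: 1 (rare / negligible) .. 5 (almost certain / severe).
SCALE_MIN, SCALE_MAX = 1, 5


def risk_score(likelihood: int, impact: int) -> int:
    """Combine likelihood and impact into a 1..25 score (likelihood x impact)."""
    for value in (likelihood, impact):
        if not SCALE_MIN <= value <= SCALE_MAX:
            raise ValueError(f"{value} is outside the {SCALE_MIN}..{SCALE_MAX} scale")
    return likelihood * impact


def risk_level(score: int) -> str:
    """Map a score to a qualitative level; thresholds are an assumption for this example."""
    if score <= 4:
        return "Low"
    if score <= 9:
        return "Medium"
    if score <= 15:
        return "High"
    return "Critical"


@dataclass(frozen=True)
class Control:
    name: str
    reduces: str          # which factor the control lowers: "likelihood" or "impact"
    effectiveness: float  # share of that factor removed, 0.0 (none) .. 1.0 (all)

    def __post_init__(self):
        if self.reduces not in ("likelihood", "impact"):
            raise ValueError(f"unknown factor {self.reduces!r}")
        if not 0.0 <= self.effectiveness <= 1.0:
            raise ValueError("effectiveness must be between 0 and 1")


@dataclass
class RiskItem:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int
    impact: int
    controls: list = field(default_factory=list)

    def _residual_factor(self, factor: str) -> int:
        """Apply every control that targets this factor; combine effects multiplicatively."""
        base = self.likelihood if factor == "likelihood" else self.impact
        remaining = Fraction(1)
        for control in self.controls:
            if control.reduces == factor:
                # Fraction(str(...)) avoids float rounding surprises in ceil().
                remaining *= 1 - Fraction(str(control.effectiveness))
        return max(SCALE_MIN, ceil(base * remaining))

    def inherent_score(self) -> int:
        return risk_score(self.likelihood, self.impact)

    def residual_score(self) -> int:
        return risk_score(self._residual_factor("likelihood"),
                          self._residual_factor("impact"))


def assess(register):
    """Return one row per register item, highest residual risk first."""
    rows = []
    for item in register:
        inherent, residual = item.inherent_score(), item.residual_score()
        rows.append({
            "asset": item.asset,
            "threat": item.threat,
            "vulnerability": item.vulnerability,
            "inherent_score": inherent,
            "inherent_level": risk_level(inherent),
            "residual_score": residual,
            "residual_level": risk_level(residual),
            "controls": [c.name for c in item.controls],
        })
    rows.sort(key=lambda row: row["residual_score"], reverse=True)
    return rows


# Constructed sample register (illustrative values, not real assessment data).
SAMPLE_REGISTER = [
    RiskItem("Clinician laptop", "Loss or theft", "e-PHI stored on local disk", 4, 5,
             [Control("Full-disk encryption", "impact", 0.8)]),
    RiskItem("EHR database server", "External attacker", "Missing patches on an exposed service", 3, 5,
             [Control("Patch management", "likelihood", 0.5),
              Control("Network segmentation", "likelihood", 0.5)]),
    RiskItem("Offsite backup tapes", "Flood at storage site", "Single storage location", 2, 4),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        print(f"{row['asset']:<22} inherent {row['inherent_score']:>2} ({row['inherent_level']})"
              f"  residual {row['residual_score']:>2} ({row['residual_level']})")
```

Running the script lists each asset with its inherent and residual score and level; the ranking by residual score is what a risk register would use to prioritise remediation, and an item whose residual level is still above the organisation's tolerance is the one that needs additional controls. Note that a control reduces only the factor it actually addresses: encryption lowers the impact of a lost laptop, while patching lowers the likelihood of the server being compromised.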
Are there industry standards for conducting a HIPAA Security Risk analysis?
There are various security industry standards a covered entity or business associate can use when constructing and performing a security risk analysis to evaluate compliance with the HIPAA Security Rule. Here are two:
- National Institute of Standards and Technology (NIST) SP 800-53 Rev. 4. Guidance provided by Health and Human Services commonly refers to using NIST SP 800-53 when developing and implementing a HIPAA Privacy & Security Program. These standards are designed to assist organizations in developing a compliance and risk assessment program to comply with various federal laws and regulations, such as HIPAA Privacy & Security Rules. https://www.hhs.gov/sites/default/files/nist-csf-to-hipaa-security-rule-crosswalk-02-22-2016-final.pdf
- HITRUST Risk Management Framework (RMF) is another framework example. The HITRUST RMF is built around a basic four-step risk management process model designed to meet the specific needs of the healthcare industry: (1) identify data protection requirements, (2) identify controls, (3) implement and manage controls, and (4) assess and report. https://hitrustalliance.net/documents/csf_rmf_related/RiskAnalysisGuide.pdf
Questions? Call one of our HIPAA experts today at 1-800-262-8146