In order to effectively comply with § 164.308, an organization must conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity and availability (CIA) of e-PHI held by the covered entity or business associate.
When should a HIPAA Security Risk Analysis be done?
A covered entity or business associate should conduct a security risk analysis periodically to update and document its security measures as needed, and when any of the following occurs:
New projects, technologies or applications are introduced that have the potential to impact the CIA of e-PHI or otherwise introduce compliance risk to the organization’s network.
When an exception to an IT policy or standard is submitted that has the potential to affect the security or privacy of e-PHI.
Before making changes to physical safeguards that could increase vulnerability of computer systems containing e-PHI.
When there are changes in external factors including but not limited to new threats or vulnerabilities, regulatory changes, changes in business requirements or conditions that could impact CIA of e-PHI.
When inappropriate disclosure of information has occurred that could impact compliance or present harm to the business, a client or an employee. This could include loss of an unencrypted laptop or other external media or unauthorized access to e-PHI. Please refer to the Breach Notification Rule for further details on assessing risk during a breach or incident affecting CIA of e-PHI.
What is the HIPAA Security Risk Analysis process?
Before beginning a security risk analysis it is crucial that the covered entity or business associate conduct a data discovery exercise involving all business unit representatives to identify and document where the organization is accessing, storing or transmitting e-PHI and identifying the assets involved. The risk assessment process must identify the assets and evaluate all threats, vulnerabilities, impact, likelihood and mitigating controls associated with those assets.
Assets: An asset can be information (data), hardware, software, personnel or a physical facility.
Threats: Identify and characterize threat sources of concern, including capability, intent, and targeting characteristics for adversarial threats and the range of effects for non-adversarial threats. Identify potential threat events, the relevance of those events, and the threat sources that could initiate them.
Vulnerabilities: Identify the vulnerabilities associated with the system being evaluated, developing a list of system vulnerabilities that could be exploited by the potential threat sources.
Impact: An impact assessment should consider the scope and magnitude of the overall business loss expected using measurable terms when possible.
Likelihood: The likelihood that an event will occur must be considered, taking into account the threat-source motivation and capability, the nature of the associated vulnerability, and the existence and effectiveness of current controls.
Controls: Analyze the existing controls in place to minimize or eliminate the likelihood of a threat exercising a vulnerability. Controls should be evaluated for their effectiveness to determine residual risk.
The graphic below depicts how these elements can be combined to determine a level of risk.
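As an added illustration, not taken from this page or from HHS, NIST or HITRUST guidance, the following shows one way the six elements above can be combined into a risk register. The ordinal scales, the rule that existing controls lower likelihood (not impact), and the sample e-PHI scenarios are all assumptions constructed for the example.

```python
from dataclasses import dataclass

# Assumed ordinal scale for likelihood, impact and control effectiveness.
LEVELS = {"low": 1, "moderate": 2, "high": 3}

@dataclass
class RiskScenario:
    asset: str                  # data, hardware, software, personnel or facility
    threat: str                 # threat source or event of concern
    vulnerability: str          # weakness the threat source could exploit
    likelihood: str             # chance the event occurs, before controls
    impact: str                 # scope/magnitude of business loss if it occurs
    control_effectiveness: str  # how well existing controls reduce likelihood

def inherent_risk(s: RiskScenario) -> int:
    """Risk before crediting any existing controls."""
    return LEVELS[s.likelihood] * LEVELS[s.impact]

def residual_risk(s: RiskScenario) -> int:
    """Assumed model: each step of control effectiveness above 'low'
    lowers likelihood by one step (never below 1); impact is unchanged."""
    reduced = max(1, LEVELS[s.likelihood] - (LEVELS[s.control_effectiveness] - 1))
    return reduced * LEVELS[s.impact]

def rate(score: int) -> str:
    """Map a numeric score (1-9) back to a risk level."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "moderate"
    return "low"

def build_register(scenarios):
    """Return (scenario, inherent, residual) rows, highest residual first."""
    rows = [(s, inherent_risk(s), residual_risk(s)) for s in scenarios]
    return sorted(rows, key=lambda r: r[2], reverse=True)

# Constructed sample scenarios, modelled on the triggers listed above.
SAMPLE = [
    RiskScenario("Clinician laptops holding e-PHI", "loss or theft of device",
                 "disk not encrypted", "high", "high", "low"),
    RiskScenario("Patient portal web application", "external attacker",
                 "unpatched web framework", "moderate", "high", "moderate"),
    RiskScenario("Backup tapes in off-site storage", "flood at storage facility",
                 "single copy of backups", "low", "moderate", "high"),
]

if __name__ == "__main__":
    for s, inh, res in build_register(SAMPLE):
        print(f"{s.asset}: inherent={rate(inh)} residual={rate(res)}")
```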
Are there industry standards for conducting a HIPAA Security Risk analysis?
There are various security industry standards a covered entity or business associate can use when constructing and performing a security risk analysis to evaluate compliance with the HIPAA Security Rule; two examples follow:
National Institute of Standards and Technology (NIST) SP 800-53 Rev. 4. Guidance provided by Health and Human Services commonly refers to using NIST SP 800-53 when developing and implementing a HIPAA Privacy & Security Program. These standards are designed to assist organizations in developing a compliance and risk assessment program to comply with various federal laws and regulations, such as HIPAA Privacy & Security Rules. https://www.hhs.gov/sites/default/files/nist-csf-to-hipaa-security-rule-crosswalk-02-22-2016-final.pdf
The HITRUST Risk Management Framework (RMF) is another example. The RMF is built around a basic four-step risk management process model designed to meet the specific needs of the healthcare industry: (1) identify data protection requirements, (2) identify controls, (3) implement and manage controls, and (4) assess and report. https://hitrustalliance.net/documents/csf_rmf_related/RiskAnalysisGuide.pdf