The purpose of a Risk Assessment is to identify threats and vulnerabilities and develop a plan to mitigate the risks identified within the assessment. Like all processes, we can make it easy or extremely complicated and difficult. Planning is the key.
The C-I-A triad consists of three elements: Confidentiality, Integrity and Availability of data and data systems.
Confidentiality simply means controlling access to those who have a legitimate need to know. Integrity is ensuring that the data hasn’t been altered; and Availability means the data can be accessed and used by those who need to access the data.
This is a relatively simple concept that has far-reaching impact in the world of Healthcare and HIPAA.
A Risk Assessment will help administrators and compliance personnel identify risks to their medical practices before they become a problem.
An annual Risk Analysis is required by the Department of Health and Human Services.
Risk Analysis and the Security Rule
The Department of Health and Human Services, through its component agencies, requires an annual Risk Assessment. This Risk Assessment is based on Special Publication 800-66 from the National Institute of Standards and Technology, which provides guidance for conducting a Risk Analysis as required by the HIPAA Security Rule.
The outcome of the Risk Analysis is critical to discovering and mitigating actual and potential vulnerabilities from your information systems and workflow practices.
Failure to comply may cost your business money due to fines and penalties.
Risk Analysis Process
Like anything else, conducting a Risk Analysis is a process, and your first one can seem like an overwhelming task. Let’s tame this beast.
The first step is to understand the basic information and definitions regarding conducting a Risk Assessment.
Have you heard the old joke about how do you eat an elephant? Answer: One bite at a time.
This punch line could have been expressly written for conducting risk assessments.
First, we need to know the jargon used in the process. We need to develop a baseline for understanding what we are going to do, how we do it, and finally what are we going to do with it.
NIST SP 800-30 defines a vulnerability as a “flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system security policy.”
No system is without vulnerabilities. Vulnerabilities arise from coding errors, changes to procedures, system or software updates, and threats that change over time. The analyst must stay aware of evolving threats and vulnerabilities while actively working to resolve the problems already identified.
This process never ends.
A threat, in the same NIST definition, is “the potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.”
A vulnerability isn’t necessarily an issue until there is a threat that can exploit it. Common natural threats are fires, floods, and tornadoes. Human threats include network intrusions, careless handling of ePHI, and inadvertent data exposure. Environmental threats are things like power failures.
Risk is defined by the presence of a vulnerability that can be exploited by an appropriate threat. You can’t have one without the other.
The level of risk is determined by the expected damage that could result from the vulnerability being exploited, combined with the likelihood that it will be exploited. The two factors multiply rather than add: a high-impact event that is very unlikely, or a very likely event with negligible impact, both yield a small risk, while a likely, high-impact event yields a large one.
Risk = Severity of potential damage × Likelihood of the Threat
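The following is an added example, not part of the original article, showing how the vulnerability/threat/risk definitions above translate into a scored risk register. The numeric weights for the Low/Medium/High scales, the level thresholds, and the four sample entries are all assumptions constructed for illustration; NIST SP 800-30 uses qualitative scales of the same shape but assigns no fixed numbers. Note that an entry with a vulnerability but no threat (or a threat with no matching vulnerability) scores zero, which is the "you can’t have one without the other" rule in code.

```python
from dataclasses import dataclass
from typing import List, Optional

# Qualitative scales mapped to numbers. The weights are assumptions for this
# example; a real assessment would document and justify its own scale.
LIKELIHOOD = {"low": 0.1, "medium": 0.5, "high": 1.0}
IMPACT = {"low": 10, "medium": 50, "high": 100}


@dataclass
class RiskItem:
    asset: str
    vulnerability: Optional[str]  # None = no weakness identified on this asset
    threat: Optional[str]         # None = nothing that could exercise the weakness
    likelihood: str               # "low" | "medium" | "high"
    impact: str                   # "low" | "medium" | "high"


def risk_score(item: RiskItem) -> float:
    """Risk = Severity of potential damage x Likelihood of the Threat.

    A risk only exists when a vulnerability AND a threat able to exploit it
    are both present; either one alone contributes no risk.
    """
    if item.vulnerability is None or item.threat is None:
        return 0.0
    return LIKELIHOOD[item.likelihood] * IMPACT[item.impact]


def risk_level(score: float) -> str:
    """Bucket a numeric score into a level. Thresholds are assumptions."""
    if score >= 50:
        return "High"
    if score >= 10:
        return "Medium"
    if score > 0:
        return "Low"
    return "None"


def rank_register(items: List[RiskItem]) -> List[RiskItem]:
    """Order the register so the highest-scoring risks are mitigated first."""
    return sorted(items, key=risk_score, reverse=True)


# Constructed sample register (hypothetical practice, not real findings).
SAMPLE_REGISTER = [
    RiskItem("EHR database server", "missing OS security updates",
             "remote attacker on the internet", "high", "high"),
    RiskItem("Backup tapes in basement", "stored below grade, not waterproofed",
             "flood", "low", "high"),
    RiskItem("Front-desk workstation", "screen visible from waiting room",
             "shoulder surfing by visitors", "medium", "low"),
    # Threat present, but no vulnerability identified: geographically
    # redundant hosted EHR survives a local tornado, so no risk is recorded.
    RiskItem("Hosted EHR service", None, "tornado", "high", "high"),
]


def print_register(items: List[RiskItem]) -> None:
    for item in rank_register(items):
        score = risk_score(item)
        print(f"{risk_level(score):6} {score:6.1f}  {item.asset}: "
              f"{item.vulnerability or '-'} / {item.threat or '-'}")


if __name__ == "__main__":
    print_register(SAMPLE_REGISTER)
```

Running the block prints the register ranked from the patched-server risk (High) down to the hosted EHR entry (None). Swapping the product for the article's original sum would rank the tornado entry above the shoulder-surfing one even though it has no vulnerability at all, which is why the multiplicative form is used.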
Elements of a Risk Assessment