Healthcare Risk Assessment

The purpose of a Risk Assessment is to identify threats and vulnerabilities and to develop a plan to mitigate the risks the assessment identifies. Like any process, it can be made easy or extremely complicated and difficult. Planning is the key.

C-I-A Triad

The C-I-A triad consists of three elements: Confidentiality, Integrity and Availability of data and data systems.

Confidentiality simply means restricting access to those who have a legitimate need to know. Integrity means ensuring that the data has not been altered without authorization; and Availability means the data can be accessed and used by those who need it, when they need it.

This is a relatively simple concept that has far-reaching impact in the world of Healthcare and HIPAA.

A Risk Assessment will help administrators and compliance personnel identify risks to their medical practices before they become a problem.

A Risk Analysis is required by the HIPAA Security Rule, which is enforced by the Department of Health and Human Services (HHS), and it is expected to be repeated regularly; an annual cycle is common practice.

Risk Analysis and the Security Rule

The Department of Health and Human Services, through its Office for Civil Rights (OCR), enforces the HIPAA Security Rule, which requires covered entities to conduct a Risk Analysis and to repeat it on a regular basis. NIST Special Publication 800-66 (An Introductory Resource Guide for Implementing the HIPAA Security Rule) provides guidance for conducting a Risk Analysis as defined by the Security Rule.

The outcome of the Risk Analysis is critical to discovering and mitigating actual and potential vulnerabilities in your information systems and workflow practices.

Failure to comply may cost your business money due to fines and penalties.

Risk Analysis Process

Like anything else, conducting a Risk Analysis is a process, and your first one can seem like an overwhelming task. Let’s tame this beast.

The first step is to understand the basic information and definitions regarding conducting a Risk Assessment.


Have you heard the old joke about how do you eat an elephant? Answer: One bite at a time.

This punch line could have been expressly written for conducting risk assessments.

First, we need to know the jargon used in the process. We need a shared baseline for what we are going to do, how we are going to do it, and finally what we are going to do with the results.


NIST SP 800-30 defines a vulnerability as a “flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.”

No system is without vulnerabilities. Vulnerabilities arise from coding errors, changes to procedures, system or software updates, and changes in the threat landscape over time. The analyst must stay aware of evolving threats and vulnerabilities while actively working to resolve the problems already identified.

This process never ends.


NIST SP 800-30 defines a threat as “the potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.”

A vulnerability isn’t necessarily a problem until there is a threat able to exploit it. Common natural threats are fires, floods, or tornadoes. Human threats are computer intrusions, careless handling of ePHI, or inadvertent data exposure. Environmental threats are things like power failures.


Risk exists where a vulnerability is present and a threat is capable of exploiting it. You can’t have one without the other.

The level of risk is a function of two things: the severity of the damage (impact) that could result from the vulnerability being exploited, and the likelihood that the threat actually exploits it. A high-impact scenario that is very unlikely, and a likely scenario with trivial impact, can both rank low; the two factors are combined, not simply added.

Risk = f(Likelihood of the threat exploiting the vulnerability, Severity of the resulting damage)
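The following is an added example, not code from the original page: a small qualitative risk register that rates each vulnerability/threat pair on likelihood and impact, combines the two ratings into a risk level, and ranks the entries so mitigation planning starts at the top. The five-point scales, the product-then-band scoring, the remediation policy and the sample entries for a fictional small practice are all assumptions constructed for illustration.

```python
# Added example (not from the original page): a qualitative risk register
# that combines likelihood and impact into a risk level and ranks entries.
# The 1..5 scales, the product scoring, the banding cut-offs, the
# remediation policy and the sample entries are constructed assumptions.
from dataclasses import dataclass

# Five-point qualitative scale used for both likelihood and impact (assumed).
LEVELS = ("very low", "low", "moderate", "high", "very high")


def level_value(level: str) -> int:
    """Map a qualitative rating to 1..5; reject anything not on the scale."""
    try:
        return LEVELS.index(level.lower()) + 1
    except ValueError:
        raise ValueError(f"unknown rating {level!r}; expected one of {LEVELS}") from None


def risk_score(likelihood: str, impact: str) -> int:
    """Risk is a function of likelihood AND impact: here their product, 1..25."""
    return level_value(likelihood) * level_value(impact)


def risk_level(score: int) -> str:
    """Band a 1..25 score back into the five qualitative levels (assumed cut-offs)."""
    if score >= 16:
        return "very high"
    if score >= 10:
        return "high"
    if score >= 5:
        return "moderate"
    if score >= 3:
        return "low"
    return "very low"


@dataclass(frozen=True)
class RiskItem:
    """One register row: a threat that can exercise a vulnerability on an asset."""
    asset: str
    vulnerability: str
    threat: str
    likelihood: str
    impact: str

    @property
    def score(self) -> int:
        return risk_score(self.likelihood, self.impact)

    @property
    def level(self) -> str:
        return risk_level(self.score)


def rank_register(items: list[RiskItem]) -> list[RiskItem]:
    """Highest risk first, so the mitigation plan addresses the worst items first."""
    return sorted(items, key=lambda item: item.score, reverse=True)


def needs_remediation_plan(item: RiskItem) -> bool:
    """Policy assumption: 'high' and 'very high' risks need a documented plan."""
    return item.level in ("high", "very high")


# Constructed sample register for a fictional small practice (not real data).
SAMPLE_REGISTER = [
    RiskItem("EHR server", "Security patches applied only at vendor visits",
             "Exploitation of an unpatched internet-facing service", "high", "very high"),
    RiskItem("Reception workstation", "Shared login used by all front-desk staff",
             "Unauthorized viewing of ePHI by staff or visitors", "high", "moderate"),
    RiskItem("Backup tapes", "Backups stored off-site unencrypted",
             "Loss or theft of tapes in transit", "low", "very high"),
    RiskItem("Server room", "No UPS on the EHR server",
             "Power failure during business hours", "moderate", "moderate"),
    RiskItem("Paper charts", "Charts kept in a ground-floor cabinet",
             "Tornado or flood damage", "very low", "high"),
]

if __name__ == "__main__":
    for item in rank_register(SAMPLE_REGISTER):
        flag = "PLAN REQUIRED" if needs_remediation_plan(item) else ""
        print(f"{item.score:>2} {item.level:<9} {item.asset:<22} {item.threat} {flag}")
```

Multiplying rather than adding the two ratings matters for the ranking: on a five-point scale, “very low likelihood, very high impact” (1 + 5) and “moderate, moderate” (3 + 3) would tie under addition, while the product separates them (5 against 9). Unknown ratings raise an error rather than silently scoring zero, so a typo in the register cannot hide a risk.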

Elements of a Risk Assessment

The New Approach to Healthcare Enterprise Information Management – EHR, EMR, EIM

The lack of a healthcare-specific, compliant, cost-effective approach to Enterprise Information Management (EIM) is the #1 reason integration, data quality, reporting and performance management initiatives fail in healthcare organizations. How can you build a house without plumbing? Conversely, the organizations that successfully deploy the same initiatives point to a fully healthcare-centric EIM as the top reason they succeeded (February 2009 – AHA). The cost of EIM can be staggering, preventing many healthcare organizations from leveraging enterprise information when strategically planning for the entire system. If this is prohibitive for large and medium organizations, how are smaller organizations going to leverage technology that can reach vital information inside their own company when cost prevents it from even being considered?

The Basics –

What is Enterprise Information Management?

Enterprise Information Management means the organization has access to 100% of its data, the data can be exchanged between groups, applications and databases, information is verified and cleansed, and a master data management method is applied. Built on top of EIM are data warehouses, such as an EHR data warehouse, Business Intelligence and Performance Management. Here is a roadmap, in layman’s terms, that healthcare organizations follow to determine their EIM requirements.

Fact #1: Every healthcare entity, agency, campus or non-profit knows what software it uses for its business operations. The applications may be in silos, not accessible by other groups or departments, and sometimes not even within the team that is responsible for them. If information is needed from groups across the enterprise, it has to be requested, in business terminology, from the host group, who then go to the source of the information (the aforementioned software and/or database), retrieve what is needed and submit it to the requestor – hopefully in a format the requestor can work with (e.g., Excel for further analysis, as opposed to a document or PDF).

Fact #2: Because business terminology can be different WITHIN an organization, there will be further “translating” required when incorporating information that is gathered from the different software packages. This can be a nightmare. The gathering of information, converting it into a different format, translating it into common business terminology and then preparing it for consumption is a lengthy, expensive process – which takes us to Fact #3.

Fact #3: Consumers of the gathered information (management, analysts, etc.) keep changing the information they require – one-off report requests that are continuously revised so they can change their dimensional view (like rotating the rows of a Rubik’s cube to group one color, then deciding that instead of lining up red they would really like green grouped first). In many cases this restarts the gathering process from scratch because the original set of information is missing needed data. It also requires the attention of those who understand the information – typically a highly valued Subject Matter Expert from each silo – a time-consuming and costly distraction that affects the requestor as well as the information owner’s group.

Fact #4: While large organizations can cope with this costly method in order to gather enough information to make effective and strategic business decisions, the amount of time and money is a barrier for smaller or cash-strapped institutions, freezing needed data in its silo.

Fact #5: If information were accessible (with security and access controls preventing unauthorized and inappropriate access), time frames for analysis would improve, results would be timely, strategic planning would be effective, and costs in time and money would be significantly reduced.

Integration (with cleansing of the data, aka Data Quality) should not be a foreign concept to mid-sized and smaller organizations. Price has been the overriding factor that prevents these tiers from leveraging enterprise information. A “glass ceiling”, based solely on being priced out of the technology, bars EIM from consideration. This is the fault of technology vendors. Business Intelligence, Performance Management and Data Integration providers have unknowingly created class warfare between large and SMB healthcare organizations. Data Integration is the biggest culprit. The cost of integration in a typical BI deployment is usually four times the cost of the BI portion. It is easy for BI providers to tantalize their prospects with functionality and a reasonable price, but once integration comes into play, reluctance over cost sets in. Taking no action has become the norm at that point.