The HIPAA Security Rule specifically focuses on the safeguarding of ePHI and requires all HIPAA covered entities (CEs) and business associates (BAs) to ensure the confidentiality, integrity, and availability of the ePHI data that it creates, receives, maintains, or transmits to:
- protect against any reasonably anticipated threats and hazards to the security or integrity of the ePHI;
- protect against reasonably anticipated uses or disclosures of such information that are not permitted by the Privacy Rule;
- and ensure compliance by its workforce.
Among HIPAA’s Administrative Safeguards are two (2) implementation specifications under the Security Management Process standard at §164.308(a) (1) (i).
Security Risk Analysis – The required implementation specification at § 164.308(a)(1)(ii)(A), for Risk Analysis, requires a covered entity to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
Security Risk Management – The required implementation specification at § 164.308(a) (1) (ii) (B), for Risk Management, requires a covered entity to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a).
The risk assessment report provides evidence that these implementation specifications have been addressed. These requirements exist in HITRUST as well. Contact us if you want to know more about HITRUST risk management and assessment.
Performing a risk assessment/analysis is not a one-time event. It should be reviewed periodically when major changes occurred or at least annually.
What are the steps in risk assessment?
The risk assessment should follow established, repeatable assessment methodologies like the National Institute for Standards and Technology (NIST) processes or the ISO 31000. These processes are predicated on thorough understandings of:
- The information and technology assets in use by the organization;
- The business and operational processes that define and depend on these assets;
- Identifying vulnerability present within the processes and assets that could create risk;
- Identifying reasonable threats that could exploit vulnerability and create harm; and
- Estimating the likelihood and impact of the risks to information and information systems.
While all risk assessments are inherently subjective, this assessment will contain a series of value metrics that will help you remove much of the uncertainty and imprecision of qualitative assessments. These values will be defined by senior management and other key stakeholders to assure they are appropriately defined, scoped, and valid to the organization’s business processes.
Since this risk assessment is a snapshot of the organization’s risk posture, risks should be continually refined and updated to reflect changes to controls, technology, threats, and overall business. Risk treatment decisions should be thoroughly discussed and documented. Control decisions should be established in a comprehensive framework of objectives that tie directly into organizational policies and implementation standards. Findings and output from security assessments and audits should be mapped into control and asset vulnerability, to provide an even clearer depiction of organizational risk. Most importantly, organizational management should regularly update and review this document to assure risks are current and reflect a solid understanding of the organization’s current risk posture.
Final Thoughts…
Per HIPAA Security Rule, a risk analysis is required to be performed to identify risks to ePHI. It is a required first step towards HIPAA compliance. Not doing one is a regulatory risk and can invite huge fines if there is a data breach. We have deep expertise in helping organizations like you to stand up a risk management program.
We bring a deep understanding of the risks facing healthcare companies today. We have successfully performed Risk Analysis for many clients, both covered entities and business associates over the past years.
We are a small firm and do not have overhead expenses like other big cybersecurity companies, and as a result, we’re able to pass on the savings to you. Contact us today!