Instructions: Conducting a Risk Analysis and Using Risk Analysis and Plan
First and Foremost:
It is suggested you use an IT professional along with your software company to assist in setting this up originally. Do all in conjunction with your HIPAA Security Manual dated after September 2013.
Initial survey: Information systems are often complex. The HIPAA Security Compliance Official should complete the HIPAA Security Checklist.
Inventory of information should include:
- Hardware Information Systems (list)
- Software Information Systems (list)
- Users of the Information Systems (list and level of access)
- ePHI contained on the information systems (list)
- Purpose and function of ePHI contained on information systems (list)
- Hardware/software control mechanisms (technical)
- Security Policies and employee training (non-technical)
HIPAA Security Compliance Officials must then identify any vulnerability associated with your ePHI and information systems. Areas of weakness may include flaws in procedures, internal controls and the security implementation of information systems. Sources to review include:
- Information systems
- Tests of information systems
- Audit reports
- Evaluation reports
HIPAA Security Compliance Officials must then identify any potential threats to electronic Protected Health Information (ePHI). Threats are divided into three areas: Natural, Human and Environmental.
Analysis of Security Controls
- Understanding Threat Areas
- Environmental – power failures, spills, hazardous materials, etc.
- Natural – earthquakes, floods, hurricanes, tornadoes, mudslides, etc.
- Human – individuals unintentionally or intentionally entering or deleting data, installing malicious hardware/software, etc.
HIPAA Security Compliance Officials must analyze the two security controls put in place for the protection of ePHI. The two security control areas are Preventative Controls and Detective Controls.
Preventative controls prevent or restrict malicious access to vulnerable areas or systems.
- Control of access
Detective controls detect and report violations.
- Paper trail/audit trail
Identifying Three Risk Factors
The HIPAA Security Compliance Official must identify and determine the risk factor for: A) threat motivation, B) vulnerability type, C) availability and existence of security controls. The combination of these factors places each vulnerability in one of three likelihood tiers:
- Current Security Controls are not effective
- Capable Threat
- Motivated Threat
- Current Security Controls may prevent breach
- Capable Threat
- Motivated Threat
- Current Security Controls will most likely prevent breach
- No Capable Threat
- No Motivated Threat
Determine the Impact
Analyze the result if a breach of the vulnerability were successful. Determine the impact of such an event as High, Medium or Low.
Determine the Risk
- Confidentiality – Unauthorized access or breach of electronic Protected Health Information (ePHI)
- Integrity – Unauthorized access resulting in modification of ePHI
- Availability – Unauthorized users gaining access to ePHI
The HIPAA Security Compliance Official will determine the risk/possible threat for all vulnerabilities:
- Risk that the threat WILL happen
- Risk and level of impact IF the threat happens
- Risk associated with whether security controls are adequate
The outcome for each vulnerability is one of the following:
Current Security Controls are inadequate and must be updated or implemented immediately
Current Security Controls must be updated or implemented in a reasonable amount of time
Current Security Controls are most likely adequate
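As an added example (not part of the original instructions), the following Python script turns the likelihood tiers, the High/Medium/Low impact rating and the three outcomes above into a small ranked risk register for a constructed ePHI inventory. The numeric weights, the additive likelihood score and the likelihood x impact thresholds are assumptions made for illustration; the page itself prescribes no scoring.

```python
# Added example: a risk register applying this page's likelihood tiers,
# High/Medium/Low impact ratings and three outcomes to a constructed
# ePHI inventory. The numeric scoring and matrix are assumptions.
LIKELIHOOD = {"HIGH": 3, "MEDIUM": 2, "LOW": 1}
IMPACT = {"High": 3, "Medium": 2, "Low": 1}
CONTROLS = {"ineffective": 2, "may_prevent": 1, "likely_prevent": 0}  # assumed weights
ACTIONS = {  # the page's three outcomes, keyed by assumed score thresholds
    6: "Controls inadequate: update or implement immediately",
    3: "Controls must be updated or implemented in a reasonable time",
    0: "Controls are most likely adequate",
}

def likelihood_tier(controls, capable_threat, motivated_threat):
    """Combine the three risk factors into a likelihood tier (additive score assumed)."""
    score = CONTROLS[controls] + int(capable_threat) + int(motivated_threat)
    if score >= 4:
        return "HIGH"    # controls not effective, capable and motivated threat
    if score >= 2:
        return "MEDIUM"  # controls may prevent a breach
    return "LOW"         # controls will most likely prevent a breach

def risk_action(tier, impact):
    """Assumed matrix: likelihood (1-3) x impact (1-3); returns (score, action)."""
    score = LIKELIHOOD[tier] * IMPACT[impact]
    threshold = max(t for t in ACTIONS if score >= t)
    return score, ACTIONS[threshold]

def build_register(inventory):
    """Rank the inventory highest risk first, adding tier, score and action."""
    register = []
    for item in inventory:
        tier = likelihood_tier(item["controls"], item["capable"], item["motivated"])
        score, action = risk_action(tier, item["impact"])
        register.append({**item, "likelihood": tier, "score": score, "action": action})
    return sorted(register, key=lambda r: r["score"], reverse=True)

# Constructed sample inventory (not real systems).
SAMPLE_INVENTORY = [
    {"system": "Billing server", "ephi": "demographics, claims", "controls": "ineffective",
     "capable": True, "motivated": True, "impact": "High"},
    {"system": "Front-desk workstation", "ephi": "scheduling", "controls": "may_prevent",
     "capable": True, "motivated": True, "impact": "Medium"},
    {"system": "Offline backup in locked safe", "ephi": "full record set",
     "controls": "likely_prevent", "capable": False, "motivated": False, "impact": "High"},
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_INVENTORY):
        print(f'{row["score"]}  {row["likelihood"]:6} {row["system"]}: {row["action"]}')
```

The sorted output is the prioritized list the Risk Management steps below ask for; each row also records the inputs, which is the documentation an auditor expects.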
By completing a RISK ANALYSIS, you should be able to identify vulnerabilities and risk areas for protecting ePHI. NOTE: No Risk Assessment is complete without proper documentation. The more documentation you have, the greater the chance an auditor will accept that all security areas have been assessed. When it comes to documentation remember – more is always better.
The HIPAA Security Rule requires covered entities to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level. In addition to completing the Risk Analysis, there is a need for ongoing Risk Management. It may never be possible to completely eliminate all security risks, but an ongoing check of risk levels will reduce the likelihood of a breach.
Established policies and procedures (refer to your HIPAA Security Manual) will assist Compliance Officials in their Risk Management responsibilities. Compliance officials should regularly review written policies and procedures and document any adjustments as they become necessary.
Process of Risk Management
Implement appropriate security measures to reduce risk levels to acceptable levels. Security measures should be reasonable and cost effective.
- Prioritize Risk to all Information Systems
- Train all staff members on Security Measures
- Routinely evaluate, modify, or revise Security Measures
- Document all modifications
HIPAA Security Compliance Officials must remember to ensure the confidentiality, integrity and availability of Information Systems containing ePHI. There are multiple methods that can be employed to appropriately manage risk. They may include: Risk Avoidance, Risk Acceptance, Risk Transference, and Risk Limitation.
Steps for Risk Management
- Document (in writing). Compliance Officials must document in writing the information system inventories and the security measures for protecting ePHI.
- Prioritize. Risks must be prioritized from high to low, with documentation outlining the impact to systems containing ePHI.
- Methods. Compliance Officials must choose security methods designed to reduce or eliminate risks to information systems housing ePHI.
- Cost vs. Benefit. Compliance Officials must weigh the cost of a security measure against the benefit such a measure provides in implementing greater security.
- Security Method. After assessing the cost versus benefit of each option, Compliance Officials must determine the most appropriate security measure for minimizing or eliminating each identified security risk.
- Assign Responsibility. Staff members with appropriate experience should be selected and assigned security implementation responsibilities.
- Implementation. Install the selected security methods.
- Evaluation. Compliance Officials must conduct periodic evaluations and document any necessary revisions.