HIPAA Risk Analysis Tip – What Level of Detail is Adequate?
Short Answer: Every “asset-threat-vulnerability” combination must be risk-analyzed!
In order to conduct a thorough and accurate risk analysis, it’s imperative to identify the threat sources, threat events and vulnerabilities that might compromise the confidentiality, availability and/or integrity of the health information entrusted to your care. That means all the systems, applications, technology solutions, biomedical devices, etc. that create, receive, maintain and transmit ePHI.
The number of combinations of assets/media, threat sources, threat events, vulnerabilities and controls is mind-boggling. To oversimplify, suppose one had to address risks associated with 10 assets, 10 different threat sources, 10 threat events, 10 vulnerabilities and 10 controls: the number of combinations is 100,000. That is not possible to keep track of in an Excel spreadsheet! And our worlds are not that simple.
Does OCR expect us to assess millions of combinations of assets, threats, vulnerabilities and controls? The answer is yes. The 2016 Audit Protocol includes these procedures for auditing the risk analysis implementation specification at §164.308(a)(1)(ii)(A): Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate:
- Has the entity conducted an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all the ePHI it creates, receives, maintains, or transmits?
- Obtain and review the written risk analysis or other record(s) that documents that an accurate and thorough assessment of the risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI has been conducted. Evaluate and determine whether the risk analysis or other documentation contains:
  - A defined scope that identifies all of its systems that create, receive, maintain, or transmit ePHI
  - Details of identified threats and vulnerabilities
  - Assessment of current security measures
  - Impact and likelihood analysis
  - Risk rating
And for the Risk Management Process, the 2016 Audit Protocol includes these procedures for auditing §164.308(a)(1)(ii)(B): Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a):
- Has the entity implemented security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level?
- Evaluate and determine if the documents identify how risk will be managed, what is considered an acceptable level of risk based on management approval, the frequency of reviewing ongoing risks, and identify workforce members’ roles in the risk management process.
- Obtain and review documentation demonstrating the security measures implemented and/or in the process of being implemented as a result of the risk analysis or assessment. Evaluate and determine whether the implemented security measures appropriately respond to the threats and vulnerabilities identified in the risk analysis according to the risk rating and that such security measures are sufficient to mitigate or remediate identified risks to an acceptable level.
We’ve seen time and time again that OCR has not been happy with the accuracy, thoroughness or comprehensiveness of the risk analysis and risk management programs undertaken by organizations they have investigated. This indeed is a lot of work. Find a platform that makes this critical endeavor less cumbersome, more constructive and gives OCR exactly what they are looking for.
- Download the OCR-issued “Guidance on Risk Analysis Requirements under the HIPAA Security Rule”.
- Attend our May 3rd “Conversation with Former OCR Director Leon Rodriguez: What OCR Expects in Your HIPAA Risk Analysis”. Learn how to conduct an OCR-Quality Risk Analysis™ and what to expect from the new administration on HIPAA, among many other things. You may learn more and register here: http://bit.ly/ClearwaterLeonRodriguez
- Learn the definition of an information asset.
- View a recorded demo of our award-winning software for conducting OCR-Quality Risk Analysis™ and risk management work products.
- Learn how Clearwater may complete a Confidential, Complimentary Review of your current risk analysis, under the direction of outside counsel, and advise you of important actions to take to conduct an OCR-Quality HIPAA Risk Analysis.
We have assisted more than 400 customers to operationalize and mature their information privacy, security, compliance and information risk management programs. And in the process, we are raising the bar for safeguarding PHI, protecting millions of Americans and driving real value for the organizations we support and the healthcare industry at large.