HIPAA Risk Analysis Tip – What Level of Detail is Adequate?

Short Answer: Every “asset-threat-vulnerability” combination must be risk-analyzed! 

In order to conduct a thorough and accurate risk analysis, it’s imperative to identify the threat sources, threat events and vulnerabilities that might compromise the confidentiality, availability and/or integrity of the health information entrusted to your care. That means all the systems, applications, technology solutions, biomedical devices, etc. that create, receive, maintain and transmit ePHI.

The number of combinations of assets/media, threat sources, threat events, vulnerabilities and controls is mind-boggling. Over-simplifying, suppose one had to address risks associated with 10 assets, 10 different threat sources, 10 threat events, 10 vulnerabilities and 10 controls: the number of combinations is 100,000 (10 × 10 × 10 × 10 × 10). That is not possible to keep track of in an Excel spreadsheet! And our worlds are not that simple.

Does OCR expect us to assess millions of combinations of assets, threats, vulnerabilities and controls? The answer is yes. The 2016 Audit Protocol includes these procedures for auditing the risk analysis implementation specification at §164.308(a)(1)(ii)(A): Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate:

  • Has the entity conducted an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all the ePHI it creates, receives, maintains, or transmits?
  • Obtain and review the written risk analysis or other record(s) that documents that an accurate and thorough assessment of the risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI has been conducted. Evaluate and determine whether the risk analysis or other documentation contains:
    • A defined scope that identifies all of its systems that create, receive, maintain, or transmit ePHI
    • Details of identified threats and vulnerabilities
    • Assessment of current security measures
    • Impact and likelihood analysis
    • Risk rating

And for the Risk Management Process, the 2016 Audit Protocol includes these procedures for auditing §164.308(a)(1)(ii)(B): Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a):

  • Has the entity implemented security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level?
  • Evaluate and determine if the documents identify how risk will be managed, what is considered an acceptable level of risk based on management approval, the frequency of reviewing ongoing risks, and identify workforce members’ roles in the risk management process.
  • Obtain and review documentation demonstrating the security measures implemented and/or in the process of being implemented as a result of the risk analysis or assessment. Evaluate and determine whether the implemented security measures appropriately respond to the threats and vulnerabilities identified in the risk analysis according to the risk rating and that such security measures are sufficient to mitigate or remediate identified risks to an acceptable level.
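To make the audit protocol items above concrete (scope, identified threats and vulnerabilities, current security measures, likelihood and impact, risk rating, and an acceptable level of risk approved by management), here is a small, added Python example that is not part of the original post and not Clearwater's software. It enumerates every asset/threat-source/vulnerability combination, applies the controls already in place to the likelihood, rates each item as likelihood × impact on a 1–5 scale, and lists what exceeds a management-set acceptable rating. All asset names, threats, vulnerabilities, controls, scores and the acceptable threshold of 6 are constructed for illustration; a real register would hold the organization's own inventory and scoring.

```python
"""Constructed HIPAA-style risk register: enumerate asset x threat x vulnerability,
apply current controls, rate likelihood x impact, and flag items above the
acceptable level. All names and scores below are illustrative, not real data."""
from dataclasses import dataclass
from itertools import product

# Constructed in-scope inventory: asset -> impact if its ePHI is compromised (1 low .. 5 severe)
ASSETS = {
    "EHR database server": 5,
    "nurse workstation": 3,
    "infusion pump": 4,
}
THREAT_SOURCES = ["ransomware operator", "careless insider", "lost or stolen device"]
VULNERABILITIES = ["unpatched OS", "unencrypted storage", "shared credentials"]

# Constructed base likelihood that a threat source exploits a vulnerability
# before any control is applied (1 rare .. 5 expected); unlisted pairs default to 1.
BASE_LIKELIHOOD = {
    ("ransomware operator", "unpatched OS"): 5,
    ("ransomware operator", "shared credentials"): 4,
    ("careless insider", "shared credentials"): 4,
    ("careless insider", "unencrypted storage"): 3,
    ("lost or stolen device", "unencrypted storage"): 5,
}

# Constructed current security measures: (asset, vulnerability) -> (control, likelihood reduction)
CONTROLS = {
    ("EHR database server", "unpatched OS"): ("monthly patch cycle", 2),
    ("EHR database server", "unencrypted storage"): ("full-disk encryption", 3),
    ("nurse workstation", "unencrypted storage"): ("full-disk encryption", 3),
    ("infusion pump", "shared credentials"): ("badge-based login", 2),
}

ACCEPTABLE_RATING = 6  # constructed management-approved acceptable level of risk


@dataclass(frozen=True)
class RiskItem:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int   # residual likelihood after current controls
    impact: int
    control: str      # current security measure, or "none"

    @property
    def rating(self) -> int:
        return self.likelihood * self.impact


def count_combinations(*sizes: int) -> int:
    """Size of the full combination space (the post's 10^5 example)."""
    total = 1
    for size in sizes:
        total *= size
    return total


def build_register() -> list:
    """One RiskItem for every asset/threat/vulnerability combination in scope."""
    register = []
    for asset, threat, vuln in product(ASSETS, THREAT_SOURCES, VULNERABILITIES):
        base = BASE_LIKELIHOOD.get((threat, vuln), 1)
        control, reduction = CONTROLS.get((asset, vuln), ("none", 0))
        likelihood = max(1, base - reduction)   # controls lower likelihood, never below 1
        register.append(RiskItem(asset, threat, vuln, likelihood, ASSETS[asset], control))
    return register


def above_threshold(register: list, acceptable: int = ACCEPTABLE_RATING) -> list:
    """Items whose rating exceeds the acceptable level, highest rating first."""
    return sorted((r for r in register if r.rating > acceptable), key=lambda r: -r.rating)


def find(register: list, asset: str, threat: str, vuln: str) -> RiskItem:
    return next(r for r in register if (r.asset, r.threat, r.vulnerability) == (asset, threat, vuln))


if __name__ == "__main__":
    print("combinations in the post's 10x10x10x10x10 example:", count_combinations(10, 10, 10, 10, 10))
    reg = build_register()
    print(f"register has {len(reg)} items; {len(above_threshold(reg))} exceed rating {ACCEPTABLE_RATING}:")
    for r in above_threshold(reg):
        print(f"  {r.rating:>2}  {r.asset} / {r.threat} / {r.vulnerability}  (control: {r.control})")
```

Even with three of each, the register has 27 items and twelve of them sit above the constructed acceptable level, which is the documentation an auditor asks for: the scope, the threat/vulnerability pairs, the control credited against each, and a rating that justifies which risks get remediation first.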

We’ve seen time and time again that OCR has not been happy with the accuracy, thoroughness or comprehensiveness of the risk analysis and risk management programs undertaken by organizations they have investigated.  This indeed is a lot of work.  Find a platform that makes this critical endeavor less cumbersome, more constructive and gives OCR exactly what they are looking for.

Now what?

  1. Download the OCR-issued “Guidance on Risk Analysis Requirements under the HIPAA Security Rule”.
  2. Attend our May 3rd “Conversation with Former OCR Director Leon Rodriguez: What OCR Expects in Your HIPAA Risk Analysis”. Learn how to conduct an OCR-quality risk analysis and what to expect from the new administration on HIPAA, among many other things. You may learn more and register here: http://bit.ly/ClearwaterLeonRodriguez
  3. Learn the definition of an information asset.
  4. View a recorded demo of our award-winning software for conducting OCR-quality risk analysis and risk management work products.
  5. Learn how Clearwater may complete a Confidential, Complimentary Review of your current risk analysis, under the direction of outside counsel, and advise you of important actions to take to conduct an OCR-Quality HIPAA Risk Analysis.

Series Navigation: << HIPAA Risk Analysis Tip – How Comprehensive Must Your HIPAA Security Risk Analysis Be? | HIPAA Risk Analysis Tip – What Captures OCR’s Attention? >>

Clearwater

Clearwater helps healthcare organizations ensure patient safety and improve the quality of care by safeguarding the confidentiality, integrity and availability of protected health information (PHI).

We have assisted more than 400 customers to operationalize and mature their information privacy, security, compliance and information risk management programs. And in the process, we are raising the bar for safeguarding PHI, protecting millions of Americans and driving real value for the organizations we support and the healthcare industry at large.


Clearwater-provided risk analyses have a 100% acceptance rate when submitted to the Office for Civil Rights.

About Clearwater

Clearwater provides the most complete and trusted, enterprise-class cyber risk management solution available. Designed for healthcare providers and their partners, Clearwater’s IRM|Pro™ platform and experienced professional services team provide insights and actions to address compliance, cyber and patient safety risks. Clearwater is a 2017 Inc. 5000 fastest-growing company, the 2018 Best in KLAS winner in Cybersecurity Advisory Services, the 2017, 2018, and 2019 Black Book Marketing Research winner in Compliance and Risk Management Solutions, and exclusively endorsed by numerous state hospital associations. Clearwater solutions have been deployed within hundreds of hospitals and health systems, Fortune 100 organizations, and federal government institutions. 
