We sometimes refer to a real HIPAA Security Risk Analysis as getting into the “trees and weeds”. With a rigorous Security Risk Analysis and Management Methodology, it is easy to be swallowed up in these details. Here’s today’s big tip – Keep an eye on the Big Picture. Don’t lose sight of your business risk management goals. Here’s how…
Remember the “problem you’re trying to solve”: What are my exposures? (i.e., what bad things can happen?) AND, what must I do to mitigate or eliminate them?
A good Security Risk Analysis and Management Methodology can be used by organizations of all sizes and should be purposefully designed to be usable by the largest CEs and BAs (e.g., hospitals, insurers, long term care facilities, care management firms, etc.) as well as the smallest CEs and BAs (e.g., small medical practices, clinics, dental offices, medical billing companies, etc.).
Risk management is not about drumming up 100 reasons to spend $1 million on security! Real risk management is about facilitating informed decision making so that leaders and executives can choose to either: 1) spend money to mitigate the risks; 2) transfer the risks by way of insurance or, in some cases, outsourcing; or, 3) accept the risks.
From a very practical perspective, what one ultimately seeks to develop by completing a risk analysis is a prioritized list of security risks or exposures that will facilitate informed decision-making. The classic formula for calculating the level of risk is:
Risk = Impact * Likelihood
While terms like risk, impact, likelihood, threats, vulnerabilities and many others come into play, a classic categorization of risks is shown in the following matrix. A good risk analysis process helps you determine your risks, categorize them as Low, Medium, High or Critical and then develop a risk remediation action plan to address those risks in priority order… or accept them.
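As an added illustration (not code from the original post), the script below applies the Risk = Impact * Likelihood formula to a small constructed risk register, bands each score into Low, Medium, High or Critical and returns the prioritized list an executive would decide over. The 1 to 5 scales and the band thresholds are assumptions, since the post's matrix is not reproduced here.

```python
from typing import List, Dict

# Assumed thresholds on a 1..5 x 1..5 scale (product range 1..25); the
# post refers to a matrix but does not reproduce it, so these are illustrative.
BANDS = [(20, "Critical"), (12, "High"), (6, "Medium"), (0, "Low")]

# Constructed sample register: (risk description, impact, likelihood).
SAMPLE_REGISTER = [
    ("Unencrypted laptops storing ePHI", 5, 4),
    ("EHR backups never restore-tested", 4, 3),
    ("Shared logins on nursing-station workstations", 3, 3),
    ("Visitor sign-in log rarely reviewed", 1, 2),
]


def risk_score(impact: int, likelihood: int) -> int:
    """Risk = Impact * Likelihood, with both inputs on the assumed 1..5 scale."""
    for name, value in (("impact", impact), ("likelihood", likelihood)):
        if not 1 <= value <= 5:
            raise ValueError(f"{name} must be between 1 and 5, got {value}")
    return impact * likelihood


def categorize(score: int) -> str:
    """Map a risk score onto the Low/Medium/High/Critical bands."""
    for threshold, label in BANDS:
        if score >= threshold:
            return label
    raise ValueError(f"score out of range: {score}")


def prioritize(register) -> List[Dict]:
    """Score every entry and return them highest risk first, for the
    mitigate / transfer / accept decision described in the post."""
    rows = []
    for description, impact, likelihood in register:
        score = risk_score(impact, likelihood)
        rows.append({"risk": description, "impact": impact,
                     "likelihood": likelihood, "score": score,
                     "category": categorize(score)})
    # Highest score first; ties broken alphabetically so output is stable.
    return sorted(rows, key=lambda r: (-r["score"], r["risk"]))


if __name__ == "__main__":
    for row in prioritize(SAMPLE_REGISTER):
        print(f'{row["category"]:<9}{row["score"]:>3}  {row["risk"]}')
```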
A HIPAA Risk Analysis is not to be confused with a HIPAA Security Evaluation (45 C.F.R. § 164.308(a)(8))! We explained the difference in a prior post.
In addition to an express requirement to conduct a risk analysis, the Rule indicates that risk analysis is a necessary tool in reaching substantial compliance with many other standards and implementation specifications. We have assembled many useful documents, tools and resources related to Risk Analysis on our site at: https://clearwatercompliance.com/hipaa-hitech-resources/hipaa-risk-analysis-resources/. Please feel free to use and enjoy them!
If you’d like to keep up to date on Risk Analysis or HIPAA-HITECH in general, please also consider (all optional!):
Please avail yourself of any of these free resources which you may access now by clicking on the links below:
- Risk Analysis Buyer’s Guide
- Expert 2nd Opinion on Your HIPAA Risk Analysis
- Clearwater Compliance White Paper: Risky Business: How to Conduct a Bona Fide HIPAA Security Risk Analysis
- Clearwater Recorded Webinar event entitled How to Conduct a Bona Fide HIPAA Security Risk Analysis
- IRM|Analysis™- Clearwater’s Risk Analysis and Risk Management software DataSheet
- IRM|Analysis™- Clearwater’s Risk Analysis and Risk Management software Free Trial for qualified organizations
- More Risk Analysis Resources