This entry is part 5 of 52 in the series HIPAA Security Risk Analysis Tips

In July 2010, HHS and OCR issued the final “Guidance on Risk Analysis Requirements under the HIPAA Security Rule”. Security Risk Analysis is not “star wars” technology nor a news flash. There are many ways to go about it. OCR frankly doesn’t care what methodology you use as long as your approach incorporates the nine (9) essential elements identified in their guidance. Here’s today’s big tip — Don’t re-invent the wheel! Follow OCR Guidance and adopt a proven, highly trusted methodology. Here’s how…

Security Risk Analysis Methodology

The principles behind this methodology are sound, incorporate all of the key essential elements indicated in the HHS/OCR final guidance, draw upon the National Institute of Standards and Technology (NIST) Special Publication 800-30, “Risk Management Guide for Information Technology Systems”, and include industry best practices at the core of quantitative risk analysis approaches.

Our practical approach to conducting and documenting a risk analysis for the HIPAA Security Rule involves these four major phases:

1. Inventory Phase

1.1. Inventory information assets, especially those handling ePHI
1.2. Document their present security controls and criticality of the applications and their data

2. Risk Determination Phase

2.1. Identify threats in the environment
2.2. Identify vulnerabilities that threats could exploit
2.3. Describe the risks based on threat/vulnerability pairings
2.4. Identify existing controls
2.5. Determine the likelihood that a threat could exploit a vulnerability
2.6. Analyze the severity of the impact if the threat were to successfully exploit the vulnerability(s)
2.7. Determine and summarize the risk level

3. Risk Remediation Phase

3.1. Recommend risk mitigation strategies for each risk
3.2. Identify and implement applicable controls to mitigate risk
3.3. Determine residual likelihood that a threat could successfully exploit a vulnerability
3.4. Analyze the residual severity of the impact
3.5. Determine and report residual risk (based on residual likelihood and residual impact from steps 3.3 and 3.4 above, respectively) to senior management

4. Documentation Phase

4.1. Generate HIPAA Risk Analysis Executive Summary (template provided)
4.2. Monitor changes in the environment, information systems, and security technology
4.3. Update the risk analyses and implement any other controls
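An added illustration of the Risk Determination and Risk Remediation steps (2.5 through 3.5), written for this post and not part of Clearwater’s methodology or tooling: it scores each threat/vulnerability pairing with the 3x3 likelihood-by-impact matrix from NIST SP 800-30, rates residual risk the same way once the planned controls are in place, and sorts the register for the executive summary of step 4.1. The asset names, ratings and controls are constructed sample data.

```python
from dataclasses import dataclass, field

# Rating scales from the 3x3 risk-level matrix in NIST SP 800-30 (the source this
# methodology draws on): risk score = likelihood weight x impact magnitude.
LIKELIHOOD = {"Low": 0.1, "Medium": 0.5, "High": 1.0}
IMPACT = {"Low": 10, "Medium": 50, "High": 100}

def risk_level(likelihood: str, impact: str) -> tuple[float, str]:
    """Steps 2.5-2.7 (and 3.3-3.5 for residual risk): rate one pairing."""
    score = round(LIKELIHOOD[likelihood] * IMPACT[impact], 2)
    if score > 50:
        return score, "High"
    if score > 10:
        return score, "Medium"
    return score, "Low"

@dataclass
class RiskEntry:
    asset: str                      # 1.1 inventoried asset handling ePHI
    threat: str                     # 2.1
    vulnerability: str              # 2.2
    existing_controls: list[str]    # 2.4
    likelihood: str                 # 2.5
    impact: str                     # 2.6
    planned_controls: list[str] = field(default_factory=list)   # 3.2
    residual_likelihood: str = ""   # 3.3; empty = no mitigation planned yet
    residual_impact: str = ""       # 3.4

    def summarize(self) -> dict:
        score, level = risk_level(self.likelihood, self.impact)
        r_score, r_level = risk_level(self.residual_likelihood or self.likelihood,
                                      self.residual_impact or self.impact)
        return {"asset": self.asset, "pairing": f"{self.threat} / {self.vulnerability}",
                "score": score, "level": level,
                "residual_score": r_score, "residual_level": r_level,
                "controls": self.existing_controls + self.planned_controls}

# Constructed sample register; assets, ratings and controls are illustrative only.
REGISTER = [
    RiskEntry("EHR database server", "Ransomware", "Unpatched OS", ["Antivirus"],
              "High", "High", ["Monthly patching", "Offline backups"], "Low", "Medium"),
    RiskEntry("Clinician laptops", "Theft or loss", "Unencrypted disk", [],
              "Medium", "High", ["Full-disk encryption"], "Medium", "Low"),
    RiskEntry("Fax server", "Misdirected fax", "No cover-sheet verification", [],
              "Medium", "Medium"),   # not yet remediated: residual equals inherent
]

def executive_summary(register: list[RiskEntry]) -> list[dict]:   # step 4.1
    return sorted((e.summarize() for e in register),
                  key=lambda r: r["residual_score"], reverse=True)
```

Note that a Medium likelihood against a High impact scores exactly 50 and therefore stays Medium under the publication’s thresholds; an unremediated entry keeps its inherent rating as its residual rating.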

As required by the HITECH Act, the Office for Civil Rights issued the final “Guidance on Risk Analysis Requirements under the HIPAA Security Rule” in July 2010. We advise all Covered Entities and Business Associates to review the Final Guidance and become familiar with the applicable standards and implementation specifications.

Contact us for more information or to learn about a tailored Clearwater HIPAA Audit Prep WorkShop™ or the Clearwater HIPAA Audit Prep BootCamp™ series.



Bob Chaput

CEO at Clearwater Compliance
Bob is the CEO and Founder of Clearwater Compliance. He has 25 years of experience in the Healthcare industry, and his experience includes managing some of the world’s largest HR, benefits and healthcare databases, requiring the highest levels of security and privacy. Mr. Chaput continues to expand and update his knowledge base on HIPAA-HITECH compliance through postgraduate study, earning professional certifications and participating in professional healthcare and other organizations.