This entry is part 19 of 48 in the series HIPAA Security Risk Analysis Tips

After completing an Information Asset Inventory, the second step in a Risk Analysis is to determine the risks and exposures associated with each information asset.  Here’s today’s big tip: learn how to determine risk!  Here’s how…


Risk Determination Phase

This second step consists of several sub-steps, carried out for each Information Asset identified in Step 1 (the Asset Inventory Phase), still using the “Risk Determination and Remediation” worksheet.

In plain English, determining risk means identifying what bad things might happen to information assets (e.g., lost or stolen mobile devices, hacking, natural disasters, etc.) and assessing both the likelihood of those bad things happening AND the impact if they did.  Risk is often described as a function of Likelihood and Impact.  Likelihood, in turn, is often described as a function of threats, vulnerabilities and the controls currently in place.

The steps are:

2.1. Identify threats in the environment
2.2. Identify vulnerabilities that threats could exploit
2.3. Describe the risks based on threat/vulnerability pairings
2.4. Identify existing controls
2.5. Determine the likelihood that a threat could exploit a vulnerability (e.g., unlikely to almost certain)
2.6. Analyze the impact if the threat were to successfully exploit the vulnerability(s) (e.g., insignificant to disastrous)
2.7. Determine and summarize the risk level
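The seven sub-steps above fit naturally into a small risk register. The following Python is an added worked example, not Clearwater’s worksheet or any tool the post describes: the 5-point likelihood and impact scales, the rule that each effective control lowers one factor by one step, the product-based scoring, the level bands, and the three sample assets are all assumptions constructed for illustration.

```python
"""Worked example of the Risk Determination phase (sub-steps 2.1-2.7).

Added example: scales, control-adjustment rule, risk bands and sample
entries are assumptions, not the methodology or worksheet of the original post.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Step 2.5 scale: how likely a threat is to exploit a vulnerability (assumed).
LIKELIHOOD = {"unlikely": 1, "possible": 2, "likely": 3,
              "very likely": 4, "almost certain": 5}
# Step 2.6 scale: impact if the exploit succeeds (assumed).
IMPACT = {"insignificant": 1, "minor": 2, "moderate": 3,
          "major": 4, "disastrous": 5}

# A control (step 2.4): (name, factor it reduces, judged effective as implemented).
# The factor is "likelihood" or "impact".
Control = Tuple[str, str, bool]


@dataclass
class RiskEntry:
    asset: str                  # an asset from the Step 1 inventory
    threat: str                 # step 2.1
    vulnerability: str          # step 2.2
    inherent_likelihood: str    # step 2.5 rating before controls
    inherent_impact: str        # step 2.6 rating before controls
    controls: List[Control] = field(default_factory=list)  # step 2.4

    def description(self) -> str:
        """Step 2.3: describe the risk as a threat/vulnerability pairing."""
        return f"'{self.threat}' exploits '{self.vulnerability}' on {self.asset}"


def _adjusted(base: int, entry: RiskEntry, factor: str) -> int:
    # Assumed rule: each effective control that targets this factor lowers it
    # by one step; a rating never drops below 1 (the risk is reduced, not gone).
    effective = sum(1 for _, reduces, ok in entry.controls
                    if ok and reduces == factor)
    return max(1, base - effective)


def likelihood_score(entry: RiskEntry) -> int:
    """Step 2.5: residual likelihood after existing controls."""
    return _adjusted(LIKELIHOOD[entry.inherent_likelihood], entry, "likelihood")


def impact_score(entry: RiskEntry) -> int:
    """Step 2.6: residual impact after existing controls."""
    return _adjusted(IMPACT[entry.inherent_impact], entry, "impact")


def risk_score(entry: RiskEntry) -> int:
    """Step 2.7: risk as a function of likelihood and impact (product, 1..25)."""
    return likelihood_score(entry) * impact_score(entry)


def risk_level(score: int) -> str:
    """Assumed banding of the 1..25 product into a summary level."""
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def build_register() -> List[RiskEntry]:
    """Constructed sample entries (not real assets or findings)."""
    return [
        RiskEntry("Laptop L-01 (ePHI, unencrypted)", "theft of device",
                  "no full-disk encryption", "likely", "disastrous",
                  controls=[("cable lock", "likelihood", False)]),
        RiskEntry("Laptop L-02 (ePHI, encrypted)", "theft of device",
                  "device leaves the building daily", "likely", "disastrous",
                  controls=[("full-disk encryption", "impact", True),
                            ("remote locate/wipe", "likelihood", True)]),
        RiskEntry("EHR database server", "flood at data center",
                  "single site, no failover", "unlikely", "disastrous",
                  controls=[("nightly off-site backups", "impact", True)]),
    ]


def summarize(entries: List[RiskEntry]) -> List[Dict[str, object]]:
    """Worksheet rows, highest risk first, ready for the remediation phase."""
    rows = [{"asset": e.asset, "risk": e.description(),
             "likelihood": likelihood_score(e), "impact": impact_score(e),
             "score": risk_score(e), "level": risk_level(risk_score(e))}
            for e in entries]
    return sorted(rows, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for row in summarize(build_register()):
        print(f"{row['level']:>8}  {row['score']:>2}  {row['risk']}")
```

Running it prints the three constructed entries ranked by score; note how the same threat (theft) against two otherwise similar laptops lands in different bands purely because of the controls recorded in step 2.4, which is exactly the information the remediation phase needs.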

Read: HIPAA Security Risk Analysis Background and Requirements – A White Paper for Healthcare Professionals for more on completing a HIPAA Security Risk Analysis.  This document provides background about and specific requirements regarding a HIPAA Risk Analysis. It describes our Security Risk Analysis and Management Methodology and the rationale behind our approach.

As required by the HITECH Act, the Office for Civil Rights has issued its final “Guidance on Risk Analysis Requirements under the HIPAA Security Rule” (July 2010).  We advise all Covered Entities and Business Associates to review the Final Guidance and become familiar with the applicable standards and implementation specifications.

Check out the Clearwater HIPAA Security Risk Analysis ToolKit™ to jump-start your program.

Contact us for more information or to learn about a tailored Clearwater HIPAA Audit Prep WorkShop™ or the Clearwater HIPAA Audit Prep BootCamp™ series.

More HIPAA HITECH Resources:

The complete HIPAA Privacy, Security and Breach regulations are here.

Join our AboutHIPAA LinkedIn Group: http://AboutHIPAALI.org
Follow us on Twitter
Subscribe to our eNewsletter
Attend a live educational webinar.


Bob Chaput

CEO at Clearwater Compliance
Bob is the CEO and Founder of Clearwater Compliance. He has 25 years of experience in the Healthcare industry, and his experience includes managing some of the world’s largest HR, benefits and healthcare databases, requiring the highest levels of security and privacy. Mr. Chaput continues to expand and update his knowledge base on HIPAA-HITECH compliance through postgraduate study, earning professional certifications and participating in professional healthcare and other organizations.