The “algebra” (some would say “calculus”) of Risk Analysis requires the identification of risks. This identification begins with inventorying information assets of value, then considering threats to these assets and vulnerabilities of these assets after consideration of current controls and environmental factors.
Threat identification and vulnerability assessment comprises its own branch of Risk Analysis “algebra” which we’ll not cover in detail here. To keep focused on rating and ranking your risks, we’ll assume an asset-threat-vulnerability “triple” has been created. This “triple” comprises a risk. Here’s today’s big tip – Rate Your Risks; then Rank-Order Your Risks by Examining the Likelihood of “bad things” happening and the Impact to Your Organization were These Bad Things to Happen!
HIPAA Security Risk Analysis Tips – How to Rate and Rank-Order Your Risks
At the end of the day, it’s really all about making informed decisions. Too many information security and privacy decisions are made at budget time, in a somewhat random manner and often based on what’s perceived as current big vulnerabilities “du jour”.
Our focus is on applying a rating to risks discovered in your Risk Analysis process so that we may then rank-order them from most critical to least critical. If we have this rank-ordering, we can then improve the quality of information security investment decisions. Good goal?
To do so requires consideration of Likelihood and Impact. In this post, let’s work with a simple example; let’s say that the Asset is a Laptop with ePHI of over 1,000 patients; the Threat (Agent) is a Burglar stealing (Threat Action) the laptop; the vulnerabilities include lack of encryption, lack of strong passwords, lack of padlock feature, etc. For our example, the risk (“triple”) is: a laptop containing ePHI may be stolen and, because of the lack of encryption, may constitute a Breach that requires Notification to Individuals, the Media and HHS/OCR. Whew!
According to NIST SP800-30 Revision 1 Guide for Conducting Risk Assessments – DRAFT, “The overall likelihood of a threat event is a combination of: (i) the likelihood that the event will occur (e.g., due to human error or natural disaster) or be initiated by an adversary; and (ii) the likelihood that the initiation/occurrence will result in adverse impacts.” In our example, the threat event would be the actual theft of the laptop — that’s a bad thing! Considering (i), without getting too far into the weeds, the likelihood in general of laptops being stolen or going missing is statistically quite high — 12,000 per week, or 1 every 43 seconds, in the US! Next, considering (ii), were that laptop stolen, might there be “adverse impacts” on the organization? I would argue YES! Taken together, I’d rate this Likelihood on the high side. Let’s call it HIGH.
Once again, according to NIST SP800-30 Revision 1 Guide for Conducting Risk Assessments – DRAFT, “The level of impact from a threat event is the magnitude of harm that can be expected to result from the unauthorized disclosure, modification, disruption, destruction, or loss of information and/or denial of service.” Harm comes in many forms and at many levels in the organization. It may be financial, legal, clinical, regulatory or reputational harm that an organization suffers. At a more information systems security- or ePHI-centric level, we would consider harm or compromise to the Confidentiality and/or Integrity and/or Availability of the ePHI. Loss of an unencrypted laptop containing 1,000+ ePHI records would, by pretty much any standard, be considered HIGH.
Bringing It Together
Considering and rating risks by assessing the Likelihood and Impact is a critical task in Risk Analysis and a key part of overall Risk Management because it enables you to rank risks from most critical to least critical. Once completed, you can discuss your “risk appetite” and make higher quality and more informed decisions about information security investments. To complete your Risk Analysis according to HHS/OCR and underlying NIST guidance, visit http://clearwaterc.wpengine.com/shop/clearwater-hipaa-risk-analysis/.
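A small worked example of the rating and rank-ordering described above, added here and not code from the original post. It carries the laptop “triple” through the two NIST likelihood components, an impact rating and a rank-order; the rule for combining components (i) and (ii), the score-to-level thresholds and the two extra register entries are assumptions, not NIST’s.

```python
from dataclasses import dataclass

# Three-level qualitative scale used in the post, mapped to ordinal values.
# (Constructed mapping; NIST SP 800-30 r1 itself offers a five-level scale.)
LEVELS = {"LOW": 1, "MODERATE": 2, "HIGH": 3}
NAMES = {v: k for k, v in LEVELS.items()}


@dataclass
class Risk:
    """One asset-threat-vulnerability triple plus its assessor-supplied ratings."""
    asset: str
    threat: str
    vulnerability: str
    initiation: str   # (i) likelihood the threat event occurs or is initiated
    adverse: str      # (ii) likelihood that the occurrence results in adverse impacts
    impact: str       # magnitude of harm if it does

    def likelihood(self) -> str:
        # Overall likelihood combines (i) and (ii). Assumption: take the lower of
        # the two, since harm needs both the event and the adverse outcome; NIST
        # leaves the exact combination rule to the assessor.
        return NAMES[min(LEVELS[self.initiation], LEVELS[self.adverse])]

    def score(self) -> int:
        return LEVELS[self.likelihood()] * LEVELS[self.impact]

    def level(self) -> str:
        # Product-to-level thresholds are constructed, not taken from NIST.
        s = self.score()
        return "HIGH" if s >= 6 else "MODERATE" if s >= 3 else "LOW"


def rank_order(risks: list[Risk]) -> list[Risk]:
    """Most critical first; ties broken by impact so the costlier harm is seen first."""
    return sorted(risks, key=lambda r: (r.score(), LEVELS[r.impact]), reverse=True)


# Constructed register: the post's laptop example plus two made-up entries.
REGISTER = [
    Risk("Laptop with ePHI of 1,000+ patients", "Burglar steals laptop",
         "No full-disk encryption", "HIGH", "HIGH", "HIGH"),
    Risk("Offsite backup tapes", "Flood at storage vendor",
         "Single copy, no second site", "LOW", "HIGH", "MODERATE"),
    Risk("Clinic workstation", "Staff member mistypes fax number",
         "No confirmation step before sending", "MODERATE", "MODERATE", "MODERATE"),
]

if __name__ == "__main__":
    for r in rank_order(REGISTER):
        print(f"{r.level():8} score={r.score()} likelihood={r.likelihood():8} {r.asset}")
```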