This entry is part 41 of 60 in the series HIPAA Security Risk Analysis Tips

Is there risk? Don’t answer that question too quickly.  Risk is a derived value!  You must take into account several key variables before you can judge whether or not there is risk and how much risk there may be.  As a simple example, if there’s not a likelihood of significant harm or future loss, there is not significant risk.  Here’s today’s big RISK ANALYSIS TIP – Is there Risk?  It Depends!  

HIPAA Risk Analysis Tip – Is there Risk?  It Depends!

So is there risk? It depends!

Risk can only exist if certain items are present and there is a likelihood of a bad thing happening AND harm or loss were it to happen.

The key things to remember are:

  1. Risk depends on whether you have an asset. Until there is a possibility of significant loss or harm, risk_analysis_iStock_000010738312XSmall_200x300
    there 
    can be no harm. Therefore, without an asset, there can be no risk. Think about all your personal or business assets. Our concern is about ePHI as the critical asset. We therefore need to know all the places where the ePHI is created, received, maintained (think stored) or transmitted. We need to inventory all of the information assets where ePHI resides. And, we’re trying to ensure the confidentiality, integrity and availability of ePHI to ensure patient safety and timely access to quality care.
  2. Risk depends on whether you have a threat. Threats emanate from four major categories according to the NIST security framework: adversarial, accidental, structural or environmental. There are many, many threats sources within each category. Adversarial threats may come from a disgruntled employee or a hacker from a foreign nation state. Sources of accidental threats may come from a star employee who makes a mistake or the backhoe operator who digs up the fiber optic cable connecting your data center to the internet. Structural threat sources may come from power supply failures, software bugs, or faulty HVAC systems. And, last but not least there are environmental threats such as mudslides, earthquakes or lightning strikes. So threats, as defined in NIST special publication 800-30, may have enough force to exploit a weakness you have. If you have an asset and there are no threats to that asset, you have no risk. Without a threat, there can be no risk. Be careful, there are many possible threats to consider.
  3. Risk depends on whether you have a vulnerability. A vulnerability is a weakness. For example, not using a strong password is a vulnerability. The lack of good data backup is a weakness. The absence of a sign in/sign out process for my data center is a weakness. Vulnerabilities are weaknesses in an information system. Without a vulnerability, there can be no risk. Remember, there are many possible weaknesses in your environment to consider.
  4. Risk depends on a “Triple”. When and only when you have an asset, a threat and a vulnerability, you have a risk that needs to be analyzed. If your analysis shows you have an asset, but no threats; an asset, but no vulnerabilities; threats and/or vulnerabilities, but no assets, STOP, you have no risk to analyze. The tricky part is this: once you have an asset, you must methodically and exhaustively consider all possible threats and all possibly vulnerabilities that may be associated with that asset. Done properly, you will identify hundreds of risks that need to be analyzed.
  5. Risk depends controls or safeguards you may have implemented. Controls are categorized in different ways. For example, there are administrative, physical and technical controls that may be further subdivided in each case into preventive, detective or corrective controls. For example, a firewall would be regarded as a technical, preventive control designed to prevent unauthorized access. The degree to which you have implemented controls will affect the likelihood and impact of risk. Controls are implemented to mitigate or minimize the possibility of a threat exploiting a vulnerability. Rarely do controls totally eliminate that likelihood.
  6. Risk depends on likelihood of a threat exploiting a vulnerability. No matter how many threats to an asset may exist and no matter how many vulnerabilities may exist due to weak controls or the absence of controls, risk is a matter of likelihood. For example, without regard to threats and vulnerabilities, the likelihood of a thieve stealing a laptop is higher than the thieve stealing your Patient Data Warehouse storage area network (SAN) device. Likelihood needs to consider the asset, the threat, the vulnerability.
  7. Risk depends on impact or harm. Without the possibility of significant harm or future loss, there cannot be significant risk. The amount of potential harm will vary, of course. Harm may occur to the individual – a patient, a member, a client, a customer’s patient, etc – or to your organization. The compromise of the confidentiality, integrity or availability of ePHI may cause financial, reputational, legal, operational, clinical or regulatory harm to the individual or to your organization. The amount of harm that might occur directly affects the amount of risk associated with a threat exploiting a vulnerability related to an asset. Without impact or harm, there can be no risk.

Is there Risk? It depends! Risk is a derived value that must consider the key variables above.

Risk Analysis Resources Are Available to You Now

Clearwater Compliance offers best-in-class HIPAA-HITECH Privacy, Security and Breach Notification software and services. Our years of direct front-line, real-world experience with deep privacy and security skill-sets will help you assess and implement the required people, process and technology controls cost-effectively.

Please avail yourself of any of these free resources which you may access now by clicking on the links below:

Wanna be even more hip on HIPAA? Learn more…

The complete HIPAA Privacy, Security and Breach regulations are here.

If you’d like to keep up to date on Risk Analysis or HIPAA-HITECH in general, please also consider (all optional!):

Series Navigation<< HIPAA Risk Analysis Tip – You First Need to Understand Risk In order to Conduct a Risk AnalysisHIPAA Risk Analysis Tip – Just A Few Laptop Risks >>

Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.