This entry is part 40 of 60 in the series HIPAA Security Risk Analysis Tips


HIPAA Risk Analysis Tip – You First Need to Understand Risk In Order to Conduct a Risk Analysis

The Real Risk Analysis Problem


Over the years, we have completed 100s of bona fide HIPAA Risk Analyses for organizations of all sizes across the US.  The phrases “risk analysis” and “risk assessment” are becoming incredibly commonplace today.  They’re appearing in RFPs, littering the blogosphere, popping up in advertisements by newly-announced, so-called experts and being webinar-ed to death.  In reality, most people espousing these phrases don’t know what they’re talking about.  They don’t know what they’re talking about, I’ve come to discover, because most people don’t understand what risk itself means.  You First Need to Understand Risk In order to Conduct a Risk Analysis. 

In today’s increasingly more privacy- and security-minded world, and especially in healthcare, the state of risk management of information is a mess! This problem comes about for many reasons, including but not limited to the following:

  • There is little agreement on standard terminology, approach and tools. Key risk-related terms such as assets, threats, vulnerabilities, controls, likelihood and impact are misused and sometimes used interchangeably! One does not find this in many other professions. All physicists know what velocity, acceleration, mass, energy, etc. mean. All accountants agree on definitions of basic terms such as debits, credits, balance sheets, assets, liabilities, etc.
  • Many so-called “experts”, some recently-minted and/or self-proclaimed as such, don’t understand basic risk fundamentals.
  • Most individuals do not understand that you simply can’t observe risk and that risk is a derived value.
  • You simply cannot begin to conduct a bona fide risk analysis if you don’t understand what risk is and what risk is not.

The upshot is that many leaders are being hoodwinked into thinking that their organization has completed a thorough assessment of exposures – a bona fide risk analysis. The balance of leaders realize something’s not right and, therefore, find it difficult to take recommendations from compliance or security staff members seriously. The really sad upshot is that there is huge inefficiency and ineffectiveness in protecting the privacy and security of Protected Health Information (PHI) and electronic PHI (ePHI). To wit, as of October 24, 2013 the PHI/ePHI of 26.9 million fellow Americans has been impermissibly disclosed according to the HHS/OCR “Wall of Shame”. 682 Covered Entities in “collusion” with 156 Business Associates have accomplished these bad results.

And the beat goes on with the same, sorry, dumb bad things happening over and over again. For example, laptops with unencrypted hard drives being stolen – ask Advocate Medical Group.

At the same time, ironically, risk management is not new to your executive team or your board! They deal with financial, operational, clinical, legal, regulatory, reputational and many other types of risks day-in, day-out.

The Actions Organizations Must Take to Understand Risk and Risk Analysis

First and foremost, organizations must understand some key, fundamental points about risk before they embark on completing a risk analysis.  In an exercise I do with live audiences and in web events, I present five images and ask participants to indicate the level of risk (High, Medium, Low, No Risk) they observe in each image.  The images include a bald tire, the same bald tire turned into a tire swing in a backyard, a frayed rope tied to a beam, the tire swing in a tree perched over the edge of a cliff and, finally, a child swinging in the tire swing in a backyard.


Recently, in a room with 300+ privacy, security and compliance professionals attending the HIMSS Media Privacy and Security Forum, I asked if anyone saw risk in any one of these same five images. Also, very recently in a live web event, I asked a slightly different question: what was the greatest amount of risk you observed? In both cases, everyone “saw” risk. Most “saw” high risk in more than one of the images! Some “saw” risk in all the images! Two “news flashes”: 1) you cannot “see” risk; it must be derived/evaluated; and 2) in reality, there is no risk in any of these images. Please call me to debate about it!

Here’s what happens over and over again:

  • People make assumptions / make things up (that aren’t true) in risk analysis
  • People don’t understand this fundamental truth about risk – you can’t have significant risk without the potential for significant loss or harm
  • People tend to equate potential vulnerabilities (e.g., frayed rope, bald tire) with risk
  • People don’t realize that risk is a derived value (like speed is derived from distance divided by time)
  • People forget that one must consider likelihood or probabilities of bad things happening AND of impact or harm

The most important actions organizations must take if they don’t understand risk are to “train up” and/or farm out the work to experts. And they must remember these truths:

  • Risk can only possibly exist if there exists “a triple”: an asset like a laptop with ePHI, a threat to that asset (e.g., a thief may steal it) and a vulnerability (e.g., it is not encrypted) that may be exploited by that threat
  • As stated above and worth repeating, risk is a derived value (just as speed = distance / time is a derived value); one can’t simply see it!
  • Risk is a probability or likelihood issue
  • For any single asset (e.g., a laptop with PHI), there may be many different threats and many different vulnerabilities; therefore, there may be many (e.g., 100s) of risks to be identified, assigned a value and prioritized
  • Good news: controls may already have been implemented, or may be implemented, to mitigate the likelihood of a certain threat exploiting a certain vulnerability. Controls come in several forms, often categorized as administrative, physical or technical
  • Risk has both a likelihood AND an impact or harm component
  • The fundamental nature of risk is universal; there’s nothing special about health information risk. To assess any risk, whether it is financial, operational, clinical, legal, regulatory or reputational, one must consider what assets may be harmed, the threats, vulnerabilities, controls, likelihood of a bad thing happening and, were it to happen, the likelihood and amount of harm
  • When it comes to health information risk, the adverse impact or harm may come about if the confidentiality and/or the integrity and/or the availability of that information is compromised
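As an added illustration (not Clearwater’s method or tool), here is a small Python risk register that encodes the rules in the list above: a risk score is derived only from a complete asset/threat/vulnerability triple, controls lower likelihood, and items are prioritized by the product of residual likelihood and impact. The 1-5 scales, the High/Medium/Low thresholds, the control weights and the sample entries are all constructed assumptions.

```python
from dataclasses import dataclass, field

SCALE = range(1, 6)  # constructed 1-5 ordinal scale for likelihood and impact


@dataclass
class Control:
    name: str
    likelihood_reduction: int  # points taken off likelihood while the control is in place


@dataclass
class RiskItem:
    asset: str          # e.g. "laptop with ePHI"
    threat: str         # e.g. "thief steals laptop"
    vulnerability: str  # e.g. "hard drive not encrypted"
    likelihood: int     # chance the threat exploits the vulnerability, before controls
    impact: int         # harm to confidentiality/integrity/availability if it does
    controls: list = field(default_factory=list)

    def __post_init__(self):
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError("likelihood and impact must be rated 1-5")

    def residual_likelihood(self) -> int:
        reduced = self.likelihood - sum(c.likelihood_reduction for c in self.controls)
        return max(min(SCALE), min(reduced, max(SCALE)))  # clamp to the scale

    def risk(self) -> int:
        # Risk is derived, never observed: residual likelihood x impact.
        # Without a complete asset/threat/vulnerability triple there is nothing to derive.
        if not (self.asset and self.threat and self.vulnerability):
            return 0
        return self.residual_likelihood() * self.impact


def rate(score: int) -> str:
    # Constructed thresholds for High/Medium/Low/No Risk on the 1-25 product.
    if score == 0:
        return "No Risk"
    return "High" if score >= 15 else "Medium" if score >= 8 else "Low"


def build_sample_register() -> list:
    """Constructed entries for one asset (a laptop holding ePHI) plus the bald tire."""
    encryption = Control("full-disk encryption", likelihood_reduction=3)
    return [
        RiskItem("laptop with ePHI", "thief steals laptop", "hard drive not encrypted", 4, 5),
        RiskItem("laptop with ePHI", "thief steals laptop", "hard drive not encrypted", 4, 5, [encryption]),
        RiskItem("laptop with ePHI", "malware infection", "unpatched OS", 3, 4, [Control("monthly patching", 1)]),
        RiskItem("", "", "bald tire", 5, 1),  # a vulnerability alone: no asset, no threat
    ]


def prioritize(items: list) -> list:
    """Order the register highest derived risk first, ready for a remediation plan."""
    return sorted(items, key=lambda r: r.risk(), reverse=True)
```

Running `prioritize(build_sample_register())` puts the unencrypted stolen laptop first and shows the bald tire scoring zero, because a vulnerability without an asset and a threat is not a risk.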

The Results of Really Understanding Risk and Conducting a Bona Fide Risk Analysis

Organizations that work to really understand risk and risk analysis and complete a bona fide risk analysis with either internal or external resources will accrue many benefits including, but not limited to the following:


  • Most importantly, avoiding Security Incidents and/or Breaches
  • Preparing for the HITECH Mandatory Audits which will resume in 2014
  • Becoming better prepared for a potential OCR Investigation, in which a copy of the organization’s latest risk analysis is always requested
  • Completing the core, foundational first step in any information security program – taking stock of your exposures by completing a risk analysis
  • Gaining a solid education about their information assets and environment, including understanding where all the PHI resides
  • Meeting the explicit HIPAA Security Rule risk analysis requirement at 45 CFR §164.308(a)(1)(ii)(A)
  • Creating a sound basis for risk treatment decisions and for ongoing risk management as also required in the HIPAA Security Rule at 45 CFR §164.308(a)(1)(ii)(B)
  • Developing a complete, prioritized remediation plan

Risk Analysis Resources Are Available to You Now

Clearwater Compliance offers best-in-class HIPAA-HITECH Privacy, Security and Breach Notification software and services. Our years of direct front-line, real-world experience with deep privacy and security skill-sets will help you assess and implement the required people, process and technology controls cost-effectively.



Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.