Completing a HIPAA Security Risk Analysis well requires executive team engagement and support and a cross-functional business team. Here’s today’s big tip – don’t throw the project over the transom to the CIO or CISO. A risk analysis is a much bigger business risk management program, not an “IT project”. Assemble the right cross-functional team and set business risk management goals at the outset. Here’s how…

Risk analysis and risk management are two of the required implementation specifications within the Security Management Process standard. The Security Rule does not specify exactly how a risk analysis should be conducted, but it does reference the National Institute of Standards and Technology (NIST) Special Publication 800-30, “Risk Management Guide for Information Technology Systems.”

The NIST publication offers a comprehensive approach to incorporating risk management into the system or project development life cycle. Threats in the environment are identified, and then vulnerabilities in information systems are assessed. Threats are then matched to vulnerabilities to describe risk.

The NIST document includes a description of the roles of various persons in risk analysis and management. It emphasizes the key role senior management plays in understanding security risk, establishing direction, and supplying resources. HIPAA requires assigning responsibility to the security official for the development and implementation of security policies and procedures. This individual may lead the team that actually performs the risk analysis, do much of the policy and procedure writing, and recommend or even select many of the controls.

Name the Cross Functional Team

By naming the chief information officer, system and information owners, business and functional managers, information technology (IT) security analysts, and trainers, NIST recognizes the importance of a team that extends beyond IT and encompasses users. In a clinical setting, users of information systems not only can assist in providing application and data criticality information, but must also be involved in determining which mitigation strategies will work.

Because many small clinics, medical practices and business associates do not have a full-time information technology person, let alone a Chief Information Officer, system and information owners, business and functional managers, or IT security analysts, the risk analysis should be completed by a combination of outside HIPAA-HITECH security specialists, practice management staff, clinical staff, and business leaders and managers.

As required by the HITECH Act, the Office for Civil Rights issued final “Guidance on Risk Analysis Requirements under the HIPAA Security Rule” in July 2010. We advise all Covered Entities and Business Associates to review the Final Guidance and become familiar with the applicable standards and implementation specifications.

Contact us for more information or to learn about a tailored Clearwater HIPAA Audit Prep WorkShop™ or the Clearwater HIPAA Audit Prep BootCamp™ series.

Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.