Completing a HIPAA Security Risk Analysis well requires executive team engagement and support and a cross functional business team. Here’s today’s big tip – Don’t throw the project over the transom to the CIO or CISO. It’s a much bigger business risk management program and not an “IT project”. Assemble the right cross-functional team and set business risk management goals at the onset. Here’s how…
Risk analysis and risk management are two of the required implementation specifications within the security management process standard. The Security Rule does not specify exactly how a risk analysis should be conducted, but it does reference the National Institute of Standards and Technology (NIST) Special Publication 800-30, “Risk Management Guide for Information Technology Systems.”
The NIST publication offers a comprehensive approach to incorporating risk management into the system or project development life cycle. Threats in the environment are identified, and then vulnerabilities in information systems are assessed. Threats are then matched to vulnerabilities to describe risk.
The NIST document includes a description of the roles of various persons in risk analysis and management. It emphasizes the key role senior management plays in understanding security risk, establishing direction, and supplying resources. HIPAA requires assigning responsibility to the security official for the development and implementation of security policies and procedures. This individual may lead the team that actually performs the risk analysis, do much of the policy and procedure writing, and recommend or even select many of the controls.
Name the Cross Functional Team
The fact that NIST identifies the chief information officer, system and information owners, business and functional managers, information technology (IT) security analysts, and trainers recognizes the importance of a team that extends beyond IT and encompasses users. In a clinical setting, users of information systems not only can assist in providing application and data criticality information, but must also be involved in determining which mitigation strategies will work.
Because many small clinics, medical practices or business associates do not have a full-time information technology person not to mention a Chief Information Officer, system and information owners, business and functional managers, information technology (IT) security analysts, etc., the risk analysis should be completed by a combination of outside HIPAA-HITECH Security specialists, practice management staff, the clinical staff and business leaders and managers.
As required by The HITECH Act, the Office for Civil Rights has issued final “Guidance on Risk Analysis Requirements under the HIPAA Security Rule”. (July 2010). We advise all Covered Entities and Business Associates to review the Final Guidance and become familiar with the applicable standards and implementation specifications.
Please avail yourself of any of these free resources which you may access now by clicking on the links below:
- Risk Analysis Buyer’s Guide
- Expert 2nd Opinion on Your HIPAA Risk Analysis
- Clearwater Compliance White Paper: Risky Business: How to Conduct a Bona Fide HIPAA Security Risk Analysis
- Clearwater Recorded Webinar event entitled How to Conduct a Bona Fide HIPAA Security Risk Analysis
- IRM|Analysis™- Clearwater’s Risk Analysis and Risk Management software DataSheet
- IRM|Analysis™- Clearwater’s Risk Analysis and Risk Management software Free Trial for qualified organizations
- More Risk Analysis Resources
Latest posts by Bob Chaput (see all)
- HIPAA Risk Analysis Tip – Part 5 – Questions & Answers from May 3rd Conversation with Former OCR Director Leon Rodriguez - June 5, 2017
- HIPAA Risk Analysis Tip – Part 4 – Questions & Answers from May 3rd Conversation with Former OCR Director Leon Rodriguez - May 29, 2017
- HIPAA Risk Analysis Tip – Part 3 – Questions & Answers from May 3rd Conversation with Former OCR Director Leon Rodriguez - May 21, 2017