This entry is part 5 of 60 in the series HIPAA Security Risk Analysis Tips

In July 2010, HHS and OCR issued final “Guidance on Risk Analysis Requirements under the HIPAA Security Rule”. Security Risk Analysis is not “star wars” technology, nor is it a news flash. There are many ways to go about it. OCR frankly doesn’t care what methodology you use as long as your approach incorporates the nine (9) essential elements identified in their guidance. Here’s today’s big tip: don’t re-invent the wheel! Follow OCR Guidance and adopt a proven, highly trusted methodology. Here’s how…

Security Risk Analysis Methodology

The principles behind this methodology are sound, incorporate all of the key essential elements indicated in the HHS/OCR final guidance, draw upon the National Institute of Standards and Technology (NIST) Special Publication 800-30, “Risk Management Guide for Information Technology Systems”, and include industry best practices at the core of quantitative risk analysis approaches.

Our practical approach to conducting and documenting a risk analysis for the HIPAA Security Rule involves these four major phases:

1. Inventory Phase

1.1. Inventory information assets, especially those handling ePHI
1.2. Document their present security controls and criticality of the applications and their data

2. Risk Determination Phase

2.1. Identify threats in the environment
2.2. Identify vulnerabilities that threats could exploit
2.3. Describe the risks based on threat/vulnerability pairings
2.4. Identify existing controls
2.5. Determine the likelihood that a threat could exploit a vulnerability
2.6. Analyze the severity of the impact if the threat were to successfully exploit the vulnerability(s)
2.7. Determine and summarize the risk level

3. Risk Remediation Phase

3.1. Recommend risk mitigation strategies for each risk
3.2. Identify and implement applicable controls to mitigate risk
3.3. Determine residual likelihood that a threat could successfully exploit a vulnerability
3.4. Analyze the residual severity of the impact
3.5. Determine and report residual risk (based on residual likelihood and residual impact from steps 3.3 and 3.4 above, respectively) to senior management

4. Documentation Phase

4.1. Generate HIPAA Risk Analysis Executive Summary (template provided)
4.2. Monitor changes in the environment, information systems, and security technology
4.3. Update the risk analyses and implement any other controls
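The four phases above are a procedure, so here is a small worked example of the risk register they produce, written as an added illustration for this post (it is not Clearwater’s own tool or template). It carries a threat/vulnerability pairing through steps 2.1 to 2.7, records the recommended controls from step 3.1, recomputes residual likelihood and impact for steps 3.3 to 3.5, and produces the per-level counts a management summary needs. The Low/Medium/High weights and the risk-level thresholds are the ones in the risk-level matrix of NIST SP 800-30 (2002); the assets, threats, vulnerabilities and ratings in the sample register are constructed for the example.

```python
"""Risk register for a HIPAA Security Rule risk analysis (illustrative example).

Likelihood and impact weights and the risk-level thresholds follow the
risk-level matrix in NIST SP 800-30 (2002). Every asset, threat,
vulnerability and rating below is constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Optional

LIKELIHOOD_WEIGHT = {"Low": 0.1, "Medium": 0.5, "High": 1.0}
IMPACT_WEIGHT = {"Low": 10, "Medium": 50, "High": 100}
LEVEL_ORDER = {"Low": 0, "Medium": 1, "High": 2}


def risk_level(likelihood: str, impact: str) -> str:
    """Step 2.7: combine likelihood and impact into Low/Medium/High.

    SP 800-30 thresholds: >50 is High, >10 to 50 is Medium, 1 to 10 is Low.
    """
    score = LIKELIHOOD_WEIGHT[likelihood] * IMPACT_WEIGHT[impact]
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


@dataclass
class Risk:
    asset: str                      # step 1.1: information asset handling ePHI
    threat: str                     # step 2.1
    vulnerability: str              # step 2.2
    existing_controls: list[str]    # step 2.4
    likelihood: str                 # step 2.5 (Low/Medium/High)
    impact: str                     # step 2.6 (Low/Medium/High)
    recommended_controls: list[str] = field(default_factory=list)  # step 3.1
    residual_likelihood: Optional[str] = None  # step 3.3, after controls
    residual_impact: Optional[str] = None      # step 3.4, after controls

    def inherent_level(self) -> str:
        return risk_level(self.likelihood, self.impact)

    def residual_level(self) -> str:
        # No residual rating recorded means nothing changed: residual == inherent.
        return risk_level(self.residual_likelihood or self.likelihood,
                          self.residual_impact or self.impact)


def validate(risk: Risk) -> list[str]:
    """Consistency checks a reviewer applies to each register row."""
    problems = []
    if LEVEL_ORDER[risk.residual_level()] > LEVEL_ORDER[risk.inherent_level()]:
        problems.append("residual risk exceeds inherent risk")
    if (risk.residual_likelihood or risk.residual_impact) and not risk.recommended_controls:
        problems.append("residual rating recorded without a mitigating control")
    return problems


def summarize(risks: list[Risk]) -> dict[str, dict[str, int]]:
    """Steps 3.5 and 4.1: counts by level for the report to senior management."""
    summary = {"inherent": {"Low": 0, "Medium": 0, "High": 0},
               "residual": {"Low": 0, "Medium": 0, "High": 0}}
    for r in risks:
        summary["inherent"][r.inherent_level()] += 1
        summary["residual"][r.residual_level()] += 1
    return summary


# Constructed sample register (not from any real assessment).
SAMPLE_REGISTER = [
    Risk("EHR database server", "External attacker", "Unpatched database service",
         existing_controls=[], likelihood="High", impact="High",
         recommended_controls=["Apply vendor patches", "Restrict DB port to app tier"],
         residual_likelihood="Low"),
    Risk("Clinician laptop with ePHI", "Device theft", "No full-disk encryption",
         existing_controls=["Screen lock"], likelihood="Medium", impact="High",
         recommended_controls=["Enable full-disk encryption"],
         residual_impact="Low"),
    Risk("Backup tapes", "Flooding", "Offsite storage in a basement vault",
         existing_controls=["Waterproof cases"], likelihood="Low", impact="High"),
]

if __name__ == "__main__":
    for r in SAMPLE_REGISTER:
        print(f"{r.asset:32} {r.inherent_level():7} -> {r.residual_level():7} {validate(r)}")
    print(summarize(SAMPLE_REGISTER))
```

The `validate` function encodes two checks worth running before a register goes to management: a residual rating must never be higher than the inherent one, and a residual rating with no recommended control behind it is an unexplained change that an auditor will question.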

As required by the HITECH Act, the Office for Civil Rights has issued final “Guidance on Risk Analysis Requirements under the HIPAA Security Rule” (July 2010). We advise all Covered Entities and Business Associates to review the Final Guidance and become familiar with the applicable standards and implementation specifications.

Contact us for more information or to learn about a tailored Clearwater HIPAA Audit Prep WorkShop™ or the Clearwater HIPAA Audit Prep BootCamp™ series.



Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry’s leading authorities in healthcare information security today. As a leading authority safeguarding health data, Chaput has supported hundreds of hospitals and health systems to successfully manage healthcare’s evolving cybersecurity threats and ensure patient safety.