The HHS / OCR final guidance on completing a HIPAA Security Risk Analysis is based on NIST Special Publication 800-30, which covers the subject of Risk Management. As the guidance states, “Organizations must identify and document reasonably anticipated threats to ePHI.” Here’s today’s big tip: better know what a threat is!
In security, a threat is anything that could harm information, or the systems that create, receive, maintain or transmit that information, by exercising a vulnerability.
There are several types of threats that may occur within an information system or operating environment. Threats may be grouped into general categories such as natural, human, and environmental. Examples of common threats in each of these general categories include:
- Natural threats, such as floods, earthquakes, tornadoes, and landslides.
- Human threats, which are enabled or caused by humans and may include intentional actions (e.g., network and computer based attacks, malicious software upload, and unauthorized access to ePHI) or unintentional actions (e.g., inadvertent data entry or deletion and inaccurate data entry).
- Environmental threats, such as power failures, pollution, chemicals, and liquid leakage.
It is in the Risk Determination step of a Risk Analysis that threats and vulnerabilities must be considered together. Focus on reasonably likely threats to ePHI and the risks they create, without compromising the ultimate outcome of the Risk Analysis process. Your goal is to determine the risks to information assets that create, receive, maintain and transmit ePHI, then prioritize those risks from highest to lowest and, ultimately, make risk management decisions that include implementing additional reasonable and appropriate safeguards.
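To make the Risk Determination step concrete, here is an added example (not Clearwater’s IRM|Analysis software and not a method prescribed by OCR) that records threat/vulnerability pairs against ePHI assets, scores each one, ranks the results from highest to lowest risk and maps the rating to a treatment decision. The 1–5 likelihood and impact scales, the High/Medium/Low thresholds and the treatment policy are assumptions in the spirit of NIST SP 800-30’s qualitative approach; the register entries are constructed sample data.

```python
"""Risk determination worked example.

Added illustration, not the page's or Clearwater's code. Assumed: a 1-5
likelihood scale, a 1-5 impact scale, risk = likelihood * impact, and the
rating thresholds / treatment policy below (all modelled loosely on the
qualitative approach in NIST SP 800-30).
"""
from dataclasses import dataclass
from enum import Enum


class ThreatCategory(Enum):
    """The three general threat categories from the OCR guidance,
    with the human category split into intentional and unintentional."""
    NATURAL = "natural"
    HUMAN_INTENTIONAL = "human (intentional)"
    HUMAN_UNINTENTIONAL = "human (unintentional)"
    ENVIRONMENTAL = "environmental"


@dataclass(frozen=True)
class RiskItem:
    asset: str              # information asset that handles ePHI
    threat: str             # the threat being considered
    category: ThreatCategory
    vulnerability: str      # weakness the threat could exercise
    likelihood: int         # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int             # assumed scale: 1 (negligible) .. 5 (severe)

    def score(self) -> int:
        """Risk score = likelihood * impact, after validating both inputs."""
        for value in (self.likelihood, self.impact):
            if not 1 <= value <= 5:
                raise ValueError("likelihood and impact must be in 1..5")
        return self.likelihood * self.impact


def rating(score: int) -> str:
    """Assumed thresholds: 15-25 High, 8-14 Medium, 1-7 Low."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def treatment(item: RiskItem) -> str:
    """Assumed treatment policy keyed on the rating."""
    decisions = {
        "High": "implement additional safeguards now",
        "Medium": "plan safeguards and document residual risk",
        "Low": "accept and document",
    }
    return decisions[rating(item.score())]


def prioritize(items):
    """Rank from highest to lowest risk; ties broken by asset then threat
    so the ordering is deterministic."""
    return sorted(items, key=lambda r: (-r.score(), r.asset, r.threat))


def highest_by_category(items):
    """Highest score seen for each threat category (helps spot a category
    that was never assessed at all)."""
    result = {}
    for item in items:
        result[item.category] = max(result.get(item.category, 0), item.score())
    return result


# Constructed sample register: one entry per threat category.
SAMPLE_REGISTER = [
    RiskItem("EHR database server", "ransomware delivered by phishing",
             ThreatCategory.HUMAN_INTENTIONAL, "no MFA on remote access", 4, 5),
    RiskItem("EHR database server", "flood",
             ThreatCategory.NATURAL, "server room below grade, no offsite backup", 2, 5),
    RiskItem("Billing workstation", "inadvertent record deletion",
             ThreatCategory.HUMAN_UNINTENTIONAL, "no audit log or soft delete", 3, 2),
    RiskItem("Server room", "power failure",
             ThreatCategory.ENVIRONMENTAL, "no UPS or generator", 3, 3),
]


if __name__ == "__main__":
    for item in prioritize(SAMPLE_REGISTER):
        print(f"{item.score():>2} {rating(item.score()):<6} {item.asset}: "
              f"{item.threat} ({item.category.value}) -> {treatment(item)}")
```

Running the script lists the register from highest to lowest score with its treatment decision; the per-category maximum is a quick check that natural and environmental threats were not skipped in favour of the more familiar human ones.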
As required by the HITECH Act, the Office for Civil Rights has issued final “Guidance on Risk Analysis Requirements under the HIPAA Security Rule” (July 2010). We advise all Covered Entities and Business Associates to review the Final Guidance and become familiar with the applicable standards and implementation specifications.
Wanna be even more hip on HIPAA? Learn more…
The complete HIPAA Privacy, Security and Breach regulations are here.
Please avail yourself of any of these free resources which you may access now by clicking on the links below:
- Risk Analysis Buyer’s Guide
- Expert 2nd Opinion on Your HIPAA Risk Analysis
- Clearwater Compliance White Paper: Risky Business: How to Conduct a Bona Fide HIPAA Security Risk Analysis
- Clearwater Recorded Webinar event entitled How to Conduct a Bona Fide HIPAA Security Risk Analysis
- IRM|Analysis™- Clearwater’s Risk Analysis and Risk Management software DataSheet
- IRM|Analysis™- Clearwater’s Risk Analysis and Risk Management software Free Trial for qualified organizations
- More Risk Analysis Resources
Latest posts by Bob Chaput (see all)