A recent discussion on the topic of Risk Analysis asked the question "why have so many organizations not completed this important task?" The reasons to complete it are numerous, but here are a few:
- Required by HIPAA and the foundation of the Security Rule and Information Security
- OCR has identified Risk Analysis (as they should) as a target area. (We see the fines)
- Meaningful Use Objective 14 or 15 requires a risk analysis to meet Stage 1:
  - (i) Objective. Protect electronic health information created or maintained by the certified EHR technology through the implementation of appropriate technical capabilities.
  - (ii) Measure. Conduct or review a security risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process.
Security management process (164.308(a)(1)) – Policies and procedures to prevent, detect, contain, and correct security violations. The following are required:
- Risk analysis (R) – Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
- Risk management (R) – Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
Completing a risk analysis does not have to be complicated. HHS issued guidance on Risk Analysis. The first question to ask yourself is: do you know where your data resides?
Brief Description of HOW:
Make a list of all places that ePHI resides. Examples can include laptops, home computers, cell phones, servers, backup tapes, application lists, Excel spreadsheets, desktop computers, email and thumb drives. The next question to ask is WHAT controls are in place to keep someone from accessing that protected data? Thirdly, ask yourself what the risk to the data is (how likely is it, and what would be the impact?), then determine a course of action, create a plan and execute the plan.
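The four steps above (inventory ePHI locations, record the controls in place, rate likelihood and impact, turn the result into a plan) are easy to keep in a small structured register rather than scattered notes. The following is an added illustration, not part of the original post or any HHS tool; the inventory entries, the 1-3 likelihood/impact scale and the remediation threshold are constructed assumptions.

```python
from dataclasses import dataclass, field

# Likelihood and impact on a simple 1-3 (low/medium/high) scale; risk = likelihood x impact.
SCALE = {"low": 1, "medium": 2, "high": 3}


@dataclass
class EphiLocation:
    """One place ePHI resides, the safeguards in place, and the assessed risk inputs."""
    name: str
    controls: list = field(default_factory=list)  # controls in place today (empty = none documented)
    likelihood: str = "medium"  # how likely it is that the data is accessed improperly
    impact: str = "medium"      # consequence to confidentiality, integrity or availability

    def risk_score(self) -> int:
        return SCALE[self.likelihood] * SCALE[self.impact]


# Constructed sample inventory (hypothetical values, not taken from any real assessment)
INVENTORY = [
    EphiLocation("laptops", ["full-disk encryption", "screen lock"], "medium", "high"),
    EphiLocation("backup tapes", ["offsite vault with chain of custody"], "low", "high"),
    EphiLocation("thumb drives", [], "high", "high"),
    EphiLocation("email", ["TLS in transit"], "medium", "medium"),
    EphiLocation("excel spreadsheets", ["domain login"], "medium", "high"),
]


def prioritize(locations):
    """Locations ordered by descending risk score (ties broken by name) for the action plan."""
    return sorted(locations, key=lambda loc: (-loc.risk_score(), loc.name))


def uncontrolled(locations):
    """Names of locations holding ePHI with no documented control at all."""
    return [loc.name for loc in locations if not loc.controls]


def action_plan(locations, threshold=4):
    """Tag each location 'remediate' (score >= threshold) or 'monitor', highest risk first."""
    return [(loc.name, loc.risk_score(),
             "remediate" if loc.risk_score() >= threshold else "monitor")
            for loc in prioritize(locations)]


if __name__ == "__main__":
    for name, score, action in action_plan(INVENTORY):
        print(f"{score}  {name:<20} {action}")
    print("no controls documented:", uncontrolled(INVENTORY))
```

The register makes the two review findings OCR looks for visible at a glance: which locations have no safeguard at all, and which risks the plan leaves untreated.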
HHS has published the following guidance on completing a HIPAA Risk Analysis; every security professional should have this information.