Even though there is no one-size-fits-all blueprint for conducting a risk analysis that suits every healthcare organization, the HIPAA Security Rule risk analysis methodology is based on the guidance and best practices outlined in two publications: NIST SP 800-30 Rev1, Guide for Conducting Risk Assessments, and NIST SP 800-66 Rev1, An Introductory Guide for Implementing the HIPAA Security Rule. You can also view this short video: http://www.healthit.gov/providers-professionals/video/security-risk-analysis
Understanding how to conduct a proper risk analysis is key to protecting the patient data or electronic protected health information (ePHI) in your practice. The essential steps of the risk analysis process are:
- Identify and document all assets, including mobile devices, that may create, receive, store or transmit ePHI. This should encompass ePHI on all devices, including workstations, servers, mobile devices such as laptops, smartphones and tablets, and removable media such as USB memory sticks, CDs, etc.
- Document what kind of data resides on which device.
- Identify and document potential threats and vulnerabilities to each ePHI repository. For example, the theft or loss of a laptop is a threat; the vulnerability that exposes the data could be the lack of a strong password or of encryption.
- Assess current security measures in place to prevent loss of ePHI.
- Determine the probability or likelihood of the threat occurring. In the case of mobile devices, this threat occurrence is very high.
- Determine the potential impact of the threat occurrence.
- Based on the likelihood of threat occurrence and its potential impact, determine the level of risk for each mobile device containing ePHI.
- Determine additional security steps that can be taken to lower the risk.
- Document the risk analysis.
- Conduct annual risk analysis reviews and make necessary changes to the existing security measures as required.
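As an added example (not from the original page, NIST or HHS), the likelihood-and-impact steps of the list above worked through in Python over a constructed two-asset inventory; the 3x3 matrix, the rating names and the sample assets are assumptions for illustration, not the NIST SP 800-30 tables.

```python
from dataclasses import dataclass, replace

LEVELS = ("Low", "Moderate", "High")

# Simplified 3x3 qualitative matrix (an assumption, not the NIST SP 800-30 table):
# RISK_MATRIX[likelihood][impact] -> risk level
RISK_MATRIX = {
    "Low":      {"Low": "Low",      "Moderate": "Low",      "High": "Moderate"},
    "Moderate": {"Low": "Low",      "Moderate": "Moderate", "High": "High"},
    "High":     {"Low": "Moderate", "Moderate": "High",     "High": "High"},
}

@dataclass(frozen=True)
class Finding:
    asset: str          # device or repository that holds ePHI
    data: str           # what kind of ePHI resides on it
    threat: str         # what could happen to it (e.g. theft or loss)
    vulnerability: str  # weakness that lets the threat cause loss of ePHI
    likelihood: str     # rating of the threat occurring
    impact: str         # rating of the consequence if it does
    safeguards: tuple = ()  # measures already in place, reflected in the ratings

def risk_level(likelihood: str, impact: str) -> str:
    """Combine likelihood and impact into a qualitative risk level."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError("ratings must be one of %s" % (LEVELS,))
    return RISK_MATRIX[likelihood][impact]

def with_safeguard(f: Finding, safeguard: str, likelihood: str, impact: str) -> Finding:
    """Record an additional safeguard and the re-rated likelihood/impact as a new
    Finding (the residual risk); the original stays unchanged for the record."""
    return replace(f, safeguards=f.safeguards + (safeguard,),
                   likelihood=likelihood, impact=impact)

def risk_register(findings) -> list:
    """Rank findings highest risk first, the documented output of the analysis."""
    order = {lvl: i for i, lvl in enumerate(LEVELS)}
    rows = [(f.asset, f.threat, risk_level(f.likelihood, f.impact)) for f in findings]
    return sorted(rows, key=lambda r: order[r[2]], reverse=True)

# Constructed sample inventory (assumption): one laptop and one server holding ePHI.
LAPTOP = Finding("Clinician laptop", "locally cached patient charts", "theft or loss",
                 "no full-disk encryption, weak password", "High", "High",
                 safeguards=("screen lock",))
SERVER = Finding("EHR database server", "full patient records", "unauthorized access",
                 "shared administrator account", "Moderate", "High",
                 safeguards=("firewall", "nightly backups"))
# Theft remains likely, but encrypted data on a lost laptop has far lower impact.
LAPTOP_ENCRYPTED = with_safeguard(LAPTOP, "full-disk encryption with strong passphrase",
                                  likelihood="High", impact="Low")
```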
It is also important to avoid the following common misconceptions regarding a HIPAA Risk Analysis:
Risk Analysis (RA) is only an IT risk analysis: RA evaluates the impact of loss of ePHI or confidential patient information on the healthcare business. A thorough risk analysis examines the threats and vulnerabilities to the electronic protected health information stored in an organization's computer systems (data at rest) and to that information as it flows within the corporate network or outside it (data in motion). It seeks to determine the level of risk to the data, taking into consideration the likelihood of occurrence of potential threats and their business impact on the organization. Needless to say, a higher probability of occurrence and a higher impact lead to a higher degree of risk to the organization.
RA takes into account the administrative, physical and technical safeguards that the organization has in place to ensure the security of ePHI. It covers the people, policies, processes and technology in place at an organization and helps healthcare organizations identify and address gaps in their ePHI security.
Risk Analysis is a one-time event: Organizations change over time. Technology is constantly updated, people leave, new employees join, and so on. RA needs to be conducted or reviewed on a regular basis, preferably annually or whenever major changes occur within an organization. Security measures may need to be updated, new policies implemented, and additional security training for staff may be required.
Risk Analysis is the responsibility of the IT department alone: RA should involve not only IT personnel but also senior management. One person, preferably in senior management, should be named the Chief Security Officer and be held accountable for all ePHI security and compliance activities.
Risk Analysis is optional: RA is a primary implementation specification under the Security Management standard of the HIPAA Security Rule and is also a core measure under the meaningful use attestation process.
Based on the findings of the risk analysis, a healthcare or dental practice can develop and implement reasonable and appropriate policies to protect the confidentiality, integrity and availability of ePHI in its organization.