Welcome to part three of our risk analysis discussion. We know that the HIPAA security rule Section 164.308(a)(1) requires all covered entities to periodically conduct a formal risk analysis. Last week, we looked at some general categories of vulnerabilities and threats. This week, we will cover a simple method for conducting your analysis.
Risk Analysis Steps:
Identify the scope – First, make a list of all computers, networking equipment, and backup devices; include anything that stores, transmits, or processes your data. If your practice uses smart phones, BlackBerries, Palm Pilots, or other handheld devices, be sure to include those in your list. The remaining steps are carried out device by device, so the inventory is the foundation of the whole analysis.
Identify and document potential vulnerabilities – Second, make a list of potential vulnerabilities in your system. Refer to our last article, “Who’s Who – Vulnerabilities and Threats,” for a list of the different types of vulnerabilities, and check for them on each device in your list. Security scanning tools such as Nmap or Nessus are invaluable for finding technical weaknesses (open services, missing patches, default settings), but they will not find procedural or physical weaknesses such as an unlocked server closet or shared passwords, so walk through the list from the last article as well.
Identify and document potential threats – Third, refer to your list of vulnerabilities for each device, and identify potential threats. This step will be the most difficult. Vulnerabilities are concrete, but threats are amorphous and largely outside of your control. Refer to our last article “Who’s Who – Vulnerabilities and Threats,” for a list of different types of threats. Be creative for this step, and don’t forget the possibility of a threat from your staff or patients.
Assess current security measures – Fourth, take a look at the security measures you have in place now and decide how each one affects your vulnerabilities. Do they eliminate vulnerabilities and protect your system? Are they only partially effective? Are there any measures in place at all?
Determine the probability of threat occurrence – Fifth, reference your list of vulnerabilities and threats, and try to determine the probability that a threat will exploit one of your vulnerabilities. A simple three-level approach is best. High probability means that there are multiple vulnerabilities and no effective controls. Medium probability implies a single vulnerability and the absence of controls. Low probability means controls are in place, but they might be weak or misconfigured. Note that this scale rates how exposed a device is, which you can observe, rather than how active the threat itself is, which is largely outside of your control.
Determine the potential impact of threat occurrence – Sixth, review your list of vulnerabilities and threats, and try to determine what would happen if a threat exploits a vulnerability. There are generally five possible outcomes, from best to worst case scenarios: Temporary loss or unavailability of your data; unauthorized access or disclosure of your data; loss of physical assets; permanent loss or corruption of your data; and loss of your revenue. You should decide which of these scenarios apply and rate them as low, medium, or high.
Determine the overall level of risk – Seventh, review the output of steps five and six. Pay attention to the probability and impact you listed for each vulnerability and threat. The impact usually drives the level of risk. However, you must make your own judgment to determine the level of risk for any given scenario.
Identify Security Measures and finalize documentation – Lastly, you should identify new security controls to reduce your overall risk. Start with the high-risk items and work your way down. If you do not already have a comprehensive information security policy, now is a good time to start planning. For more information on security policy, see my article “Security for Healthcare” in the spring edition of EHR Scope, volume 5.
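To make the eight steps concrete, here is a small risk register that applies them to a constructed inventory. This is an added illustration, not code from the original article. The three-level probability rule is the one given in step five; the way probability and impact are combined into an overall level (impact counted twice as heavily as probability) is an assumption chosen to reflect the point in step seven that impact usually drives the level of risk. The sample devices, vulnerabilities, threats, and controls are made up for the example.

```python
"""Risk register for the eight-step HIPAA risk analysis described above.

Added example (not from the original article).  Probability follows the
article's three-level rule; the combination rule in overall_risk() is an
assumption that weights impact twice as heavily as probability.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List

LEVEL = {"low": 1, "medium": 2, "high": 3}

# Step 6: the five outcome classes, best case first.
OUTCOMES = [
    "temporary loss or unavailability of data",
    "unauthorized access or disclosure of data",
    "loss of physical assets",
    "permanent loss or corruption of data",
    "loss of revenue",
]


@dataclass
class Finding:
    asset: str           # step 1: a device from the inventory
    vulnerability: str   # step 2: one weakness on that device
    threat: str          # step 3: who or what could exploit it
    impact: str          # step 6: "low" | "medium" | "high"
    outcome: str         # step 6: one of OUTCOMES
    controls: List[str] = field(default_factory=list)  # step 4: measures now in place


def probability(asset_findings: List[Finding]) -> str:
    """Step 5, as the article defines it, rated per device:
    two or more uncontrolled vulnerabilities -> high, one -> medium,
    every vulnerability has some control (even a weak one) -> low."""
    uncontrolled = [f for f in asset_findings if not f.controls]
    if len(uncontrolled) >= 2:
        return "high"
    if len(uncontrolled) == 1:
        return "medium"
    return "low"


def overall_risk(prob: str, impact: str) -> str:
    """Step 7. Assumed combination rule: impact counts double, so a
    high-impact finding is high risk even when probability is low."""
    score = 2 * LEVEL[impact] + LEVEL[prob]   # ranges from 3 to 9
    if score >= 7:
        return "high"
    if score >= 5:
        return "medium"
    return "low"


def risk_register(findings: List[Finding]) -> List[dict]:
    """Build the register and order it for step 8: highest risk first,
    then worst impact, then highest probability."""
    by_asset: Dict[str, List[Finding]] = defaultdict(list)
    for f in findings:
        if f.impact not in LEVEL or f.outcome not in OUTCOMES:
            raise ValueError(f"bad rating on {f.asset}: {f.vulnerability}")
        by_asset[f.asset].append(f)

    rows = []
    for asset, items in by_asset.items():
        prob = probability(items)          # one probability per device
        for f in items:
            rows.append({
                "asset": asset,
                "vulnerability": f.vulnerability,
                "threat": f.threat,
                "controls": list(f.controls),
                "probability": prob,
                "impact": f.impact,
                "outcome": f.outcome,
                "risk": overall_risk(prob, f.impact),
            })
    rows.sort(key=lambda r: (-LEVEL[r["risk"]], -LEVEL[r["impact"]],
                             -LEVEL[r["probability"]], r["asset"]))
    return rows


# Constructed sample inventory for a small practice (made-up findings).
SAMPLE = [
    Finding("front-desk PC", "unpatched operating system",
            "malware infection", "high", OUTCOMES[1]),
    Finding("front-desk PC", "no screen lock",
            "patient reads another patient's record", "medium", OUTCOMES[1]),
    Finding("backup drive", "unencrypted and stored in the office",
            "theft or fire", "high", OUTCOMES[3], controls=["locked cabinet"]),
    Finding("office Wi-Fi router", "default admin password",
            "neighbour joins the network", "medium", OUTCOMES[1],
            controls=["WPA2 passphrase"]),
]


if __name__ == "__main__":
    for r in risk_register(SAMPLE):
        print(f"{r['risk']:6} | {r['asset']:20} | {r['vulnerability']:40} "
              f"| P={r['probability']:6} I={r['impact']:6} "
              f"| controls: {', '.join(r['controls']) or 'none'}")
```

In the sample output the unencrypted backup drive ranks as high risk despite its low probability, because the outcome (permanent loss of data) is severe; the router with a default password but an otherwise protected network comes out medium. That ordering is the work list for the last step. The combination rule is the part you should adjust to your own judgment, as the article says.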
I hope you found this guide useful for understanding risk analysis. It is the first and probably most important step towards complying with the HIPAA security rule. If you hire consultants to conduct your analysis, be sure to ask them about their methods and make sure they cover these points.