The first step towards compliance with the HIPAA Security Rule is to perform a risk assessment on your system. You aren't required to do this yourself (you may choose to hire a consultant), but you will be expected to understand the assessment findings. So what are "risks", and how are they measured? Let's start by defining some terms as they appear in the Rule.

Section 164.308(a)(1) requires covered entities to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of EPHI held by the covered entity.”  In this statement:

"EPHI" stands for Electronic Personal Health Information. This includes all medical information related to patients in your care.

"Vulnerabilities" are weaknesses in the way your system handles information. This can mean anything from inadequate physical security at your office (such as locks and alarms), to running out-of-date software, to failing to use the security features included in your software (not setting passwords, etc.).

"Threats" are forces that will exploit vulnerabilities. This can mean people, such as disgruntled employees, burglars and hackers, or it can mean events like fires, floods, earthquakes and tornadoes.

"Risk", therefore, is a calculation of two things: first, the probability that a given threat will exploit vulnerabilities in your system, and second, an estimate of how much damage would be caused by that exploitation. Risk is hard to assess; the factors involved are often subjective. Just because an event has a low probability doesn't mean it can't or won't happen, and highly probable events, even when assigned some risk, might not affect your system's security at all.

For instance: a viral infection on a computer in your system is highly probable, but the likelihood that the infection would lead to a system failure or security breach is small, so it would be considered a low-risk scenario. If a burglar, however, were to break into your office and steal all of your equipment, there is a 100% chance that your data will become unavailable to you and a good chance it may end up in malicious hands. Even if the crime rate is low in your neighborhood, this would be considered a high-risk scenario because the damage would be severe.

No matter what your assessment finds, when you address the vulnerabilities of your system and (where possible) eliminate threats, you reduce your overall risk levels. This is the best way to ensure you'll be in compliance with the Rule.

Join us next week for some tips on how to conduct your risk analysis.

Ryan Ricks
Security Officer