We have talked a good deal in our newsletters and blogs about risk assessments and how they are critical to comply with meaningful use and the HIPAA security rule. I wanted to take this time to explain a little more about what is involved in a risk assessment. Whether you choose to do your own risk assessment, or contract with a third party, you should keep this information in mind.
First and foremost, the HIPAA Security Rule (45 C.F.R. §§ 164.302 – 318) requires covered entities to conduct and review a risk assessment at least annually (§ 164.308(a)(1)(ii)(A)). The risk assessment is the foundation of compliance and security. It helps covered entities identify and implement safeguards necessary for security and compliance. It is also required to qualify for meaningful use stage one.
There are a few terms associated with risk assessments that you should understand. A vulnerability is “a flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised… and result in a security breach…” (NIST SP 800-30). A threat is “the potential for a person or thing to exercise… a specific vulnerability” (NIST SP 800-30). Finally, risk is the “…impact considering (1) the probability that a particular threat will exercise a particular vulnerability and (2) the resulting impact if this should occur” (NIST SP 800-30).
Risks come from legal liability or the inability to continue business operations due to: (1) “unauthorized disclosure, modification, or destruction of information; (2) unintentional errors and omissions; (3) IT disruptions due to natural or man-made disasters; (4) failure to exercise due care and diligence in the implementation and operation of the IT system” (NIST SP 800-30).
A risk assessment should have nine basic steps: (1) Determine the scope of your system; (2) identify potential threats; (3) identify potential vulnerabilities; (4) analyze your current controls; (5) determine the probability a threat will exploit a vulnerability; (6) analyze the impact of a successful vulnerability exploit; (7) determine risk based on probability and impact; (8) recommend controls to reduce risk; and (9) document the results.
Note that it is not enough to conduct a risk assessment and forget about it. Your risk assessment needs to be periodically reviewed and updated at least annually. Once your assessment is complete, you need to formulate a plan of action to reduce your risks and achieve compliance, beginning with highest-risk items. Finally, be sure to document your plan and update it regularly, each time you complete a project.
Please contact us if you have any questions about risk assessments, or how the relate to the HIPAA security rule or meaningful use. We host weekly webinars addressing risk assessments. You can sign up on the web at www.xlemr.com.