As we saw last time, Section 164.308(a)(1) of HIPAA requires you to conduct a risk analysis.  We covered some basic definitions to help you understand what a risk analysis is, and what it involves.  This week, we cover some basic categories of vulnerabilities and threats, which you must identify as part of your risk analysis. 
Identify potential threats – Threats are weaknesses in your computer systems, networking gear, your staff, and your office building.

Access Controls – Check all user accounts for strong passwords.  Make sure your data is protected with file and sharing permissions.  Make sure your staff has access based on the “need to know” concept. 

 Network Security – Make sure you have a firewall on each computer as well as between your network and the internet.  Configure your firewall to deny all connections unless you explicitly approve them.  Make sure your wireless network is protected with maximum strength encryption. 

 Malware Protection – Make sure your computers have anti-virus and anti-adware and spyware software.  Make sure all your machines stay current with Windows updates. 

 Backups and Storage – Make sure you have local and offsite backups.  They should be protected with encryption, file permissions, and other controls.  Also consider purchasing battery backups for your computers and networking gear.  

 Physical Security – Make sure to secure your office against fire and theft by keeping your doors locked and installing security and sprinkler systems.

 Staff Habits – Train your staff to be aware of fraudulent emails, instant messages, and never to give their password out to anyone. 

Identify potential threats – Threats are forces that will exploit your vulnerabilities, and they can be difficult to determine.  Threats can be broken down into four categories:  natural, human, software, and environmental. 

 Natural – Natural threats are things like floods, earthquakes, tornados, and hurricanes.  Unfortunately there is nothing you can do to prevent them.   Adequate offsite backups will reduce the risk posed by these threats.

 Human – Human threats are most commonly your own employees.  They may accidentally delete your data or break your computer systems.  Employees may also maliciously destroy or steal your data or computer systems.  Ex-employees, hackers, patients, and pretty much anyone else could be a potential threat.  Luckily fixing the vulnerabilities listed above will drastically reduce the risk posed by human threats. 

Software – Software threats consists of viruses, worms, Trojan horses, adware, spyware, and any other malicious software.  Adequate anti-virus, anti-spyware and strong firewalls will all but eliminate the risk posed by these threats. 

Environmental – Environmental threats include fire and power outages.  Like natural threats, there is little you can do to prevent these threats.  Making sure your sprinklers, smoke detectors, and fire extinguishers work can help mitigate the risk.  Consider also that most damage from a fire occurs from water sprinkler systems and the fire department.  You may choose to cover your computers with tarps when the fire alarm goes off.  Installing battery backups will help minimize the risk of data loss from power outages. 

Identifying vulnerabilities and threats is key to performing a risk analysis, which you need to do periodically to comply with HIPAA.  Vulnerabilities are the most important.  They affect your computer systems, and luckily there are many controls you can use to fix them.  Threats are almost always outside of your control, and they can be difficult to identify.  Keep these basic vulnerability and threat categories in mind when you begin your risk analysis.

Join us next week for a basic how-to guide for conducting your risk analysis.   
Ryan Ricks
Security Officer