The purpose of a risk analysis is to identify your risks and create a plan of action to mitigate them. A well-documented and thorough risk analysis is the critical first step towards protecting sensitive data. It identifies your information assets, threats, and vulnerabilities.
Risk = Asset * Threat * Vunerability
The “information assets” are the sensitive data at risk. “Threats” are the ways in which the information assets can be compromised either accidentally or intentionally. And “vulnerabilities” represent your exposure to those threats. We can think of a simple math equation: Risk = Asset * Threat * Vulnerability. The risk analysis produces a list of risks resulting from the various combinations of those three components.
We can further analyze the list of risks and calculate a risk rating for each one. The risk rating is a function of “likelihood of occurrence” (i.e. the bad thing happening) and the “impact” (i.e. the damage caused by the bad thing happening). Another simple math equation: Risk Rating = Likelihood * Impact. Sorting our risks by risk rating leads us to a prioritized list of risks.
Plan of Attack
Finally, we look at each prioritized risk and determine what we can do to mitigate the risk. Some risks can be negated by eliminating one of the necessary components (asset, threat, or liability). With others, we can mitigate the risk by reducing either the likelihood or impact through the implementation of controls to protect the assets from the threats/vulnerabilities. Collectively, these measures make up our remediation plan.
A written Security Risk Analysis is required under Federal Law. The HIPAA Final Security Rule specifies safeguards to protect the confidentiality, integrity, and availability of patient data (Protected Health Information or PHI). The SRA is the first document you are asked to produce in an audit by the Department of Health & Human Services Office for Civil Rights (HHS OCR), which is the watchdog for HIPAA.
The National Institute of Standards and Technology (NIST) produced a Guide for Conducting Risk Assessments (Special Publication 800-30 Rev. 1) which is considered a model for best practices in data security. This NIST framework was used, in part, in the development of the HIPAA Final Security Rule.
The primary tool we use for conducting a HIPAA Security Risk Analysis is from HIPAA One. It helps us document the information assets, threats, and vulnerabilities so we can analyze the risks and develop an appropriate remediation plan. The HIPAA Security Risk Analysis includes a vulnerability scan of your Internet-facing devices.
Security Risk Analysis Report
The end result of our HIPAA Security Risk Analysis is a 20-30 page final report. It provides written documentation of the SRA, which is important for demonstrating regulatory compliance. The final report also serves as a guide for your risk mitigation efforts and makes the task of updating your risk analysis easier in the future. An outline is shown above.
How We Can Help
We offer three different HIPAA Security Risk Analysis engagement models to match your needs, goals, and budget. For those interested in conducting a self-assessment, we’ll provide the tools and some guidance to get you started. For others, we can conduct a Remote Risk Analysis or come on-site to do it.