Why you need a Risk Assessment… NOW!
Risk (noun): exposure to the chance of injury or loss; a hazard or dangerous chance. Risk mitigation is defined as a systematic reduction in the extent of exposure to a risk and/or the likelihood of its occurrence. In any business, there are risks. There are risks in investment, risks in the introduction of new products or services, risks in bringing a new business idea to life, but there are also risks in the everyday operation of running a business.
It would be hard to imagine a large successful business or organization without computers, networks, and electronic data. We rely heavily on technology to improve our processes, expand our knowledge base, and store our business-critical data. What would happen to the foundation of your business or organization if an environmental disaster occurred in your area? Would your services be crippled beyond repair if a bad actor disabled one of your primary data servers or exposed data that flows on your network? Are you protected if an employee loses his or her work laptop or mobile device? These are the questions addressed by Risk Management.
Risk Management is the process by which organizations identify, assess, and then mitigate or accept risk, both to prevent losses and to comply with legal regulations.
According to HIPAA, 164.308(a)(1)(ii)(B), a covered entity or business associate must implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 164.306(a) [i]. Furthermore, OCR states that “conducting a risk analysis is the first step in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications in the Security Rule. Therefore, a risk analysis is foundational…”
The results of a risk analysis drive the Risk Management process: they are the means by which a covered entity or business associate assesses whether an implementation specification is reasonable and appropriate. Risk Analysis methods may vary depending on the size and complexity of the organization and the resources available to it. However, regardless of which framework is chosen, HHS outlines nine mandatory components that must be incorporated into each Risk Analysis:
1. Scope – the scope of the organization’s Risk Analysis must include all ePHI that the organization creates, receives, maintains or transmits. This includes all forms of electronic media: hard drives (internal and external), CDs, DVDs, floppy disks, memory cards, PDAs, mobile/smart phones, tablets, workstations, networks, and more. In short, anywhere ePHI is created, stored, transmitted or received.
2. Data Collection – in order to comply with the mandatory scope of a Risk Analysis, the organization must identify and document where and how ePHI is stored, received, maintained or transmitted.
3. Identify and Document Potential Threats and Vulnerabilities – identify potential human, natural or environmental threats to the confidentiality, availability and integrity of ePHI, and the organization’s vulnerabilities pertaining to such threats.
4. Assess Current Security Measures – review administrative, technical and physical safeguards. Analyze the technical measures, such as encryption methods, access controls, automatic logoff, and audit controls; the non-technical safeguards, such as policies, procedures, standards, work instructions and guidelines, and accountability and responsibility; and the physical and environmental security measures implemented to minimize or eliminate risks to ePHI.
5. Determine the Likelihood of Threat Occurrence – take into account the probability of potential risks to ePHI. This will help determine which threats are “reasonably anticipated”, the ones HIPAA requires the organization to protect against.
6. Determine the Potential Impact of Threat Occurrence – how would a threat affect the confidentiality, availability and integrity of the organization’s ePHI?
7. Determine the Level of Risk – using components 5 and 6, calculate the level of risk to the confidentiality, integrity and availability of the organization’s ePHI.
8. Finalize Documentation – document the risk analysis and its results, and continue to document the ongoing list of corrective actions.
9. Periodic Review and Updates to the Risk Analysis – Risk Analysis is an ongoing process. To remain compliant, the organization should conduct risk analyses continuously, tracking the progress made in addressing current risks as well as documenting and mitigating new ones.
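To make components 2 through 8 concrete, here is a small Python risk register added for illustration; it is not the HHS tool and not code from the original article. It runs on a constructed ePHI inventory, and the three-level scoring matrix and the rule that medium-or-higher likelihood counts as "reasonably anticipated" are assumptions of this example, not anything HHS prescribes.

```python
from dataclasses import dataclass
# Qualitative scales; thresholds are an illustrative assumption, not an HHS formula.
LEVEL = {"low": 1, "medium": 2, "high": 3}

@dataclass
class Threat:
    description: str  # component 3: human, natural or environmental threat
    likelihood: str   # component 5: low / medium / high
    impact: str       # component 6: effect on confidentiality/integrity/availability
    mitigated: bool   # component 4: an adequate current safeguard exists

@dataclass
class EphiAsset:
    name: str
    location: str     # component 2: where ePHI is created, stored or transmitted
    threats: list

def risk_level(likelihood: str, impact: str) -> str:
    """Component 7: likelihood x impact mapped onto a three-level scale."""
    score = LEVEL[likelihood] * LEVEL[impact]
    return "high" if score >= 6 else "medium" if score >= 3 else "low"

def reasonably_anticipated(threat: Threat) -> bool:
    """Assumption: medium or higher likelihood counts as reasonably anticipated."""
    return LEVEL[threat.likelihood] >= LEVEL["medium"]

def build_register(assets: list) -> list:
    """Component 8: register ordered highest risk first, open corrective actions flagged."""
    register = []
    for asset in assets:
        for t in asset.threats:
            register.append({
                "asset": asset.name, "location": asset.location,
                "threat": t.description,
                "risk": risk_level(t.likelihood, t.impact),
                "action_required": reasonably_anticipated(t) and not t.mitigated,
            })
    register.sort(key=lambda r: (-LEVEL[r["risk"]], not r["action_required"]))
    return register

# Constructed sample inventory for demonstration (not real data).
SAMPLE_ASSETS = [
    EphiAsset("clinic laptop", "field workstation", [
        Threat("lost or stolen laptop", "high", "high", mitigated=False),
        Threat("flood at clinic", "low", "medium", mitigated=True),
    ]),
    EphiAsset("billing database", "datacenter server", [
        Threat("access by former employee", "medium", "high", mitigated=True),
    ]),
]
```

Calling `build_register(SAMPLE_ASSETS)` yields the ordered register, with the unmitigated laptop loss at the top as the one open corrective action; re-running it after safeguards change is the periodic review of component 9.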
ONC, HHS and OCR, in collaboration, have developed and provided a downloadable Security Risk Assessment Tool to help guide organizations through the process of performing a risk assessment, as well as guidance, and information dispelling the top 10 myths of Security Risk Analysis. Don’t let your organization be caught off guard by vulnerabilities that could have been addressed by a thorough Risk Management Process, and don’t let the daunting task of a Risk Assessment overwhelm you.
[i] 164.306(a) General requirements. Covered entities and business associates must do the following:
(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.
(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.
(4) Ensure compliance with this subpart by its workforce.
Contact our security experts today to keep your organization and your data safe from the real threats you may face in 2015.