A step-by-step risk assessment process for HIPAA Security Rule Compliance. Stay protected against risks and hazards to ePHI security.
All ePHI that covered entities create, receive, maintain, or transmit is subject to the Security Rule. Hence, healthcare businesses must evaluate possible threats and vulnerabilities in their environments and protect against any hazard to the security of ePHI. The foundational element in meeting this requirement is the risk assessment.
Recognizing that all organizations are unique regarding their scope, size, and complexity, the Security Rule does not prescribe any specific risk assessment approach or methodology. Instead, it establishes several objectives that organizations must achieve to reach substantial compliance with the primary standards of the HIPAA Security Rule. For example, the Security Management Process standard requires organizations to “implement policies and procedures to prevent, detect, contain, and correct security violations,” and risk analysis is one of its required implementation specifications. More specifically, the Security Rule demands “conducting an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the covered entity.” Therefore, the risk assessment is the standard information security process critical to HIPAA Security Rule compliance, since it creates the foundation upon which the entity’s other security activities are built.
The risk assessment shows organizations whether the implementation specifications or equivalent measures they apply are reasonable and appropriate in the context of their environment. In particular, the risk assessment outcomes are critical for designing relevant personnel screening processes, deciding what data must be authenticated, managing how encryption is used, and determining the measures for protecting ePHI transmissions.
Depending on an organization’s characteristics, the risk assessment methods and their constituent elements may vary. Covered entities are therefore free to choose their own “best practice” that satisfies the HIPAA requirements and, at the same time, accurately identifies the organization’s data security needs. A detailed description of frequently applied methodologies is provided in our previous article. The steps described below, adapted from the NIST SP 800-30 approach, are an example that covered entities could apply to their environment.
Although HIPAA risk assessment requirements are flexible, there are several procedures that organizations must follow regardless of the chosen methodology if they want to ensure their compliance with the Security Rule. For instance, organizations must document the necessary steps according to the requirements of the Security Rule Documentation standard and implement risk assessments as part of the Security Management Process requirements. Although specific actions must be performed, no single way to achieve them exists. Therefore, covered entities are not obligated to meet the requirements only by using the methods, steps, or actions identified in the example approach.
The scope of risk assessment involves the potential risks and vulnerabilities to the security of ePHI held by the covered entity. This, in turn, includes ePHI in all forms of electronic media that might range from a single workstation to complex communication networks. In general, all electronic media may be divided into two main categories:
Electronic storage media – hard drives, CDs/DVDs, smart cards, medical devices, and other removable/transportable digital media.
Transmission media – the Internet, private networks, and the physical movement of removable/transportable electronic storage media.
Because electronic media may range from a single workstation to entire communication networks, the scope of the risk assessment should include all ePHI regardless of the particular electronic medium, source, or location.
Once the risk assessment scope is identified, the covered entity should gather data on where ePHI is stored, received, maintained, or transmitted. To perform this step, organizations generally review their past and existing projects, interview subject matter experts, and review documentation. Again, covered entities may develop their own methods of data gathering, but they must document all steps of this process.
The Security Rule primarily targets the ePHI that organizations hold. Hence, while an analysis of the use and disclosure of all PHI is not required, it may be valuable for the risk assessment. At the same time, covered entities must consider that the effort and resource commitment necessary for data gathering depend directly on their environment and the amount of ePHI. For instance, small providers should be able to identify all PHI by analyzing a single department. Large health plans, in turn, would be required to review multiple physical locations, departments, and information systems to identify ePHI.
To comply with the Security Rule, covered entities must identify, categorize, and document reasonably anticipated threats to ePHI. In other words, from the list of all possible threats (human, natural, environmental), only those specific to the circumstances of the organization’s environment must be selected. Organizations must also identify vulnerabilities (technical and non-technical), which, in case of being triggered or exploited by a threat, would create a risk to ePHI. All threats and vulnerabilities identified must be documented.
The likelihood that a threat will exploit a vulnerability is minimal if effective security measures are in place. Thus, the next step in the risk assessment process is evaluating the security measures that the organization already has. Generally, these fall into technical and non-technical measures.
Security measures vary among organizations. For instance, some covered entities tend to have fewer controls while possessing fewer variables (i.e. fewer workforce members and information systems) within their environment. The environment of other organizations may demand a whole system of policies, procedures, and accountability mechanisms to keep ePHI safe. The output of this step should involve identifying and documenting the existing security measures and defining whether they are appropriately configured.
The information gathered in the previous steps is then used to define the probability that a threat will trigger or exploit a specific vulnerability. This step aims to assist the covered entity in determining the potential threat and vulnerability combinations and rating them by the likelihood that each combination would occur. The ratings used by the covered entity depend on the chosen approach, but commonly organizations rate likelihood as “high,” “medium,” or “low.” The risk ratings are described in one of our previous articles. All threat and vulnerability combinations and their likelihood ratings must be documented as a result of this step.
The picture of the potential threats to an organization’s ePHI would not be comprehensive without determining their impact. Therefore, the Security Rule requires considering the effect of the potential risk situations on ePHI security. To perform this, covered entities must assess the magnitude of the potential impact resulting from a risk (a vulnerability triggered or exploited by a threat). To measure the impact on the organization, either qualitative or quantitative methods (or a combination of the two) are used. The qualitative method allows organizations to measure both tangible and intangible impacts of a threat occurrence by rating those impacts on a scale (high, medium, low). The quantitative method measures the tangible impact only, by assigning numeric values to the potential losses.
General examples of the potential impact of a threat occurrence are unauthorized access to or disclosure of ePHI; loss of ePHI; corruption or unavailability of ePHI; and loss of financial cash flow and/or physical assets. As a result, organizations are required to document all potential impacts associated with threat occurrences that affect the confidentiality, integrity, and availability of ePHI.
The next step in the risk assessment process is determining the level of risk to ePHI. It may be performed by assigning a risk level based on the average of the assigned likelihood and impact.
To simplify the process of risk level determination, a risk level matrix can be used. The matrix suggests a rating system and helps to determine the risk level within the organization. For instance, a “high” threat likelihood value combined with a “low” impact value may equal a “medium” risk level, and a “medium” threat likelihood value combined with a “medium” impact value would likely equal a risk level of “medium.” In general, risk ranking will assist covered entities in prioritizing the activities that must be performed.
Each risk level is then labeled with a general action description. These actions are necessary to guide senior management decision-making. For example, a “high” risk level could have an action description requiring immediate implementation of corrective measures to reduce the risk to a reasonable and appropriate level. The primary output of this step involves documented risk levels for all threat and vulnerability combinations identified and a list of corrective actions to be performed to mitigate each risk level.
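The risk determination step above, carried through in code as an added example (not part of the original article): threat/vulnerability combinations are rated on the page's low/medium/high scale, the risk level is the average of likelihood and impact, each level gets an action description, and the rows are ranked highest risk first. The rounding rule for half-steps, the "medium" and "low" action texts, and the sample pairs are assumptions constructed for this example.

```python
import math
from dataclasses import dataclass

LEVELS = {"low": 1, "medium": 2, "high": 3}   # ordinal scale used on the page
NAMES = {v: k for k, v in LEVELS.items()}

# Action text per risk level; only the "high" wording follows the page,
# the other two are constructed for this example.
ACTIONS = {
    "high": "Immediately implement corrective measures to reduce the risk.",
    "medium": "Plan corrective measures within a defined timeframe.",
    "low": "Accept the risk or address it as resources allow; keep monitoring.",
}

@dataclass
class ThreatVulnPair:
    threat: str
    vulnerability: str
    likelihood: str  # "low" | "medium" | "high"
    impact: str      # "low" | "medium" | "high"

def risk_level(likelihood: str, impact: str) -> str:
    # Average of the two ratings; a half-step (e.g. high + medium) rounds up
    # to the higher level. That conservative tie-break is an assumption here.
    for rating in (likelihood, impact):
        if rating not in LEVELS:
            raise ValueError(f"unknown rating: {rating!r}")
    return NAMES[math.ceil((LEVELS[likelihood] + LEVELS[impact]) / 2)]

def build_risk_register(pairs: list[ThreatVulnPair]) -> list[dict]:
    # Rate every threat/vulnerability combination, attach the action for its
    # level and rank the rows highest risk first (ties keep input order).
    rows = []
    for p in pairs:
        level = risk_level(p.likelihood, p.impact)
        rows.append({"threat": p.threat, "vulnerability": p.vulnerability,
                     "likelihood": p.likelihood, "impact": p.impact,
                     "risk_level": level, "action": ACTIONS[level]})
    rows.sort(key=lambda r: LEVELS[r["risk_level"]], reverse=True)
    return rows

# Constructed sample input for a small provider (not real assessment data).
SAMPLE_PAIRS = [
    ThreatVulnPair("Power outage", "No backup power for server room", "medium", "medium"),
    ThreatVulnPair("Lost or stolen laptop", "Unencrypted drive holding ePHI", "high", "high"),
    ThreatVulnPair("Flooding", "Records room in a flood-prone basement", "low", "high"),
    ThreatVulnPair("Malicious insider", "Shared login on a billing workstation", "high", "low"),
]
```

Calling `build_risk_register(SAMPLE_PAIRS)` yields the documented output of this step: every combination with its likelihood, impact, risk level, and the corrective action attached to that level, already in priority order.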
Once risks and their potential impacts are identified and ranked, the organization is ready to identify the resulting risk management actions. The primary purpose of this step is to identify the security measures necessary to reduce risk to a reasonable and appropriate level. Evaluation, prioritization, modification, and implementation of those security measures are not part of this step; they are performed as part of the risk management process. While identifying the security measures, organizations should consider their effectiveness, the legislative and regulatory requirements around their implementation, and the organization’s own policies and procedures.
The final step in the risk assessment process is documentation. Again, although the Security Rule requires documenting the assessment process, it does not provide any specific format for documentation. The main requirement is creating a documented risk assessment report that would identify the output of each step and the initial identification of security measures.
The risk assessment is a continuous and ongoing process, and as such it allows organizations to identify when security updates are needed. Although the frequency of the risk assessment is not specified in the Security Rule, organizations should perform it at least annually and whenever there are changes to business processes, technologies, or the threat landscape. For instance, it is reasonable to re-analyze the potential risks after a security incident, a change in ownership, or turnover in key staff. Performing the risk assessment regularly thus allows the covered entity to keep the associated risks at reasonable and appropriate levels.
To sum up, the complexity of the risk assessment process explains its pivotal role in ensuring HIPAA Security Rule compliance. All organizations that create, receive, maintain, or transmit ePHI must pay special attention to all steps and elements of the risk assessment. Recognizing that it may be a difficult task for many organizations, we developed the HIPAA Vitals application. HIPAA Vitals helps organizations understand the requirements under HIPAA and assess their level of compliance.
If you need any help with security risk assessments or other information security and compliance services, we’ll be happy to assist: