A couple of weeks ago, we posted about the planning process for a HIPAA risk analysis. This process included determining whether the proper resources are available, the importance of defining scope, creating or using ePHI workflows, and compiling asset lists. The next step in the process is to perform the actual risk analysis. Let’s talk about the actual elements for conducting your HIPAA risk analysis and define some common terms we will need to know for this process.

Defining Common Terms for Conducting your HIPAA Risk Analysis

When talking about risk analysis, we often hear the terms threat, vulnerability, and risk. Understanding what these terms mean is important for when you’re ready to conduct your risk analysis. According to NIST 800-30, a vulnerability is a “flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or violation of the system’s security policy”. A threat is the potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability (adapted from NIST 800-30). According to HHS guidance for risk analysis, a risk can be understood as a “function of the likelihood of a given threat triggering or exploiting a particular vulnerability, and the resulting impact on the organization”. This means that risk is not a single factor or event, but rather a combination of factors or events that, if they occur, may have an adverse effect on the organization.

The Subjective Nature of Risk

Before we dive into the technical approach of conducting your HIPAA risk analysis, we must make clear that the concept of risk is subjective. When determining risk, we must ask ourselves:

  • What is the asset?
  • What must we account for?
  • What do we need to protect?
  • Is there significant risk?

To better understand how risk can be subjective, picture a worn tire, completely smooth in some places. Considering the tire on its own, we can conclude that it is in bad shape and that there is significant risk. However, when you picture the tire hanging from a tire swing rather than mounted on your car, the context changes and the tire is no longer a significant risk. This combination of factors is important to consider: look at the asset, then look at how it is used. What if the rope holding the tire swing was frayed? Would that raise your assessment of the risk? In this case, we must consider not only the tire, but also what it is connected to. What if we implement a control here and position a group of people holding a rescue trampoline under the girl on the tire swing with the frayed rope? Have we appropriately reduced the risk? Let’s complicate it more. Now, the rescue team with the trampoline is standing at the edge of a canyon. Does this change our opinion of significant risk again?

When conducting your HIPAA risk analysis, you must have all of the information about the assets you’re trying to protect in order to fully understand the risk in your environment. Once you have it, you are ready to move forward: identify threats, vulnerabilities, and controls, and evaluate all the information about the assets you’re trying to protect in order to come up with a reasonable ranking for your risk. As you start conducting your HIPAA risk analysis, it’s important to defer the final risk rating until the end of the process.

Choosing a Risk Analysis Method

There are multiple acceptable risk analysis methods out there. The most common are NIST SP 800-30, Mehari, and Magerit. Among these risk analysis methods, NIST is the most common, especially in the healthcare industry. However, all of these risk analysis methods contain the same key elements. The key elements of any risk analysis method are to:

  • Identify potential threats and vulnerabilities
  • Determine the likelihood of threat occurrence
  • Determine the potential impact of threat occurrence
  • Evaluate current controls
  • Determine the level of risk
  • Finalize documentation

Let’s break these elements down and fully define the steps for conducting your HIPAA risk analysis.

Identify Potential Threats and Vulnerabilities

This initial step shows why the planning part of your HIPAA risk analysis is so important. It’s much easier to identify potential threats and vulnerabilities if you have defined your scope, ePHI workflow, and asset lists, so that you know where your potential threats and vulnerabilities exist. Just as with the tire illustration, when conducting your HIPAA risk analysis you must ask yourself the same questions over and over again to exhaust every possibility that could occur in each part of your environment that contains ePHI.

Determine the Likelihood of Threat Occurrence

This step in conducting your HIPAA risk analysis involves determining the probability that a potential vulnerability is actually exercised. For example, consider a lost or stolen employee laptop. How many laptops do you have? Do they leave your organization’s facility? Do people use their personal laptops to access ePHI? Is ePHI stored on laptops? The best way to do this is to numerically rank the likelihood of each threat and vulnerability you’ve identified. For example, you could rank the likelihood by very unlikely, unlikely, likely, very likely.

Determine the Potential Impact of Threat Occurrence

The next step in the process is determining the potential impact of a threat occurring. Just because something is very likely to occur doesn’t mean the impact on your organization will be very bad. Also consider the reverse: something may be very unlikely to occur, but if it did, it would have a devastating impact on the organization. Just as with determining the likelihood, you’ll want to create a key that allows you to numerically rank the adverse impact resulting from a successful threat. Ask yourself: how much ePHI could be accessed? Could this shut down operations? Could this impact other covered entities or business associates? Could this cause a loss of business and harm to our reputation?

Evaluate Current Security Controls

Now that you’ve ranked the likelihood and impact of a threat occurring, it’s time to evaluate how each asset is used and every safeguard in place to prevent a threat from exploiting a vulnerability. Going back to our example of a stolen employee laptop, let’s list all of the controls that are currently in place to protect ePHI accessible from the laptop. Some example controls would be:

  • Encryption
  • Unique user ID
  • VPN
  • Multi-factor authentication
  • Remote wipe
  • No ePHI stored on the computer
  • Laptop can’t be physically removed from facility
  • ePHI can’t be remotely accessed

Just as in the previous steps, create your own rating system to rank each current control. Is what you’re doing insufficient, sufficient, or excellent in terms of preventing a threat or vulnerability from being successfully exploited? Once you’ve completed this step, you may also want to consider what else you can do to mitigate risk.

Determine the Level of Risk

The risk left over after you’ve identified potential threats and vulnerabilities, determined the likelihood and impact of those threats occurring, and evaluated existing security controls, is called residual risk. This gives you the information needed to determine the level of risk. Looking at your residual risk, you must come up with a numerical scoring system to rank these risks (very low, low, moderate, high, very high) to determine and understand where your risk lies. This will be a combination of the likelihood ranking, impact ranking, and existing controls ranking.

If you’d like to take it a step further, you can categorize your risks based on specific aspects of that risk. For example, reputational risk, regulatory compliance risk, operational risk, technical risk, financial risk, etc. Although not necessary, this is a helpful task for conducting a thorough HIPAA risk analysis.

Final Documentation

The final step in conducting your HIPAA risk analysis is documenting your risk analysis process. Your documentation can take several different forms; however, it should include each defined asset, threat, vulnerability, likelihood, impact, current controls, control ranking, residual risk, and any control recommendations.
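As an added illustration that is not a tool from the article or from KirkpatrickPrice, the Python below carries the steps above through for three constructed entries, including the article’s stolen-laptop scenario rated twice with different controls, so that the same asset ends up with a different residual risk depending on its context. The numeric values behind the likelihood, impact and control rankings, the way they are combined (likelihood times impact, reduced by a control-effectiveness factor) and the cut-offs that map a residual score onto the five risk levels are all assumptions made for this example; the article leaves that combination to you, and your own key will differ. The risk level is assigned last, after every other element has been recorded, and the output rows carry each element the documentation step calls for.

```python
from dataclasses import dataclass, field

# Rating keys. The likelihood labels, control labels and the five risk levels are the
# article's; the impact labels, all numeric values and the control weights are assumptions
# made for this example.
LIKELIHOOD = {"very unlikely": 1, "unlikely": 2, "likely": 3, "very likely": 4}
IMPACT = {"minor": 1, "moderate": 2, "major": 3, "devastating": 4}
# Fraction of the inherent score that the current controls are assumed to remove.
CONTROL_EFFECT = {"insufficient": 0.0, "sufficient": 0.5, "excellent": 0.75}
# Upper bounds of the residual-score bands for the first four levels (assumed cut-offs);
# anything at or above the last bound is "very high".
RISK_BANDS = [(2, "very low"), (4, "low"), (7, "moderate"), (11, "high")]


@dataclass
class RiskEntry:
    """One row of the analysis: an asset, one threat/vulnerability pair, and the ratings."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    current_controls: list[str]
    control_rating: str
    recommendations: list[str] = field(default_factory=list)


def inherent_score(entry: RiskEntry) -> int:
    """Likelihood x impact before any control is considered (1..16)."""
    return LIKELIHOOD[entry.likelihood] * IMPACT[entry.impact]


def residual_score(entry: RiskEntry) -> float:
    """Inherent score reduced by the assumed effect of the current controls."""
    return inherent_score(entry) * (1.0 - CONTROL_EFFECT[entry.control_rating])


def risk_level(score: float) -> str:
    """Map a residual score onto very low / low / moderate / high / very high."""
    for upper, label in RISK_BANDS:
        if score < upper:
            return label
    return "very high"


def document(entries: list[RiskEntry]) -> list[dict]:
    """Build the documentation rows with every element the article says to record."""
    rows = []
    for e in entries:
        residual = residual_score(e)
        rows.append({
            "asset": e.asset,
            "threat": e.threat,
            "vulnerability": e.vulnerability,
            "likelihood": e.likelihood,
            "impact": e.impact,
            "current_controls": list(e.current_controls),
            "control_ranking": e.control_rating,
            "residual_risk": residual,
            "risk_level": risk_level(residual),   # assigned last, as the article advises
            "control_recommendations": list(e.recommendations),
        })
    return rows


# Constructed sample entries (not from any real analysis): the stolen-laptop scenario
# rated twice with different controls, plus one rare-but-devastating event.
SAMPLE_ENTRIES = [
    RiskEntry("clinician laptop (fleet of 40, leaves the facility)",
              "laptop lost or stolen off site", "ePHI cached on the local disk",
              "likely", "major",
              ["full-disk encryption", "unique user ID", "multi-factor authentication", "remote wipe"],
              "excellent"),
    RiskEntry("front-desk laptop (personal device, ePHI stored locally)",
              "laptop lost or stolen off site", "ePHI stored in clear text on the local disk",
              "likely", "major",
              ["unique user ID"], "insufficient",
              ["enable full-disk encryption", "prohibit local ePHI storage", "enrol in remote wipe"]),
    RiskEntry("EHR database server", "fire in the server room destroys the only copy of the data",
              "no tested off-site backup", "very unlikely", "devastating",
              ["smoke detection", "fire suppression"], "sufficient",
              ["add regularly tested off-site backups"]),
]

if __name__ == "__main__":
    for row in document(SAMPLE_ENTRIES):
        print(f"{row['asset'][:45]:45} residual={row['residual_risk']:5.2f} level={row['risk_level']}")
```

Running the block prints one line per entry; the two laptop rows score 9 before controls, but the well-controlled one drops to a residual of 2.25 (low) while the uncontrolled one stays at 9 (high), which is the subjectivity point made with the tire swing.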

To summarize: start simple. Don’t overwhelm yourself; establish the framework of key elements to get started. Don’t forget about the subjective nature of risk, and be sure to always document everything. For more information or free tools and resources to help you complete your HIPAA risk analysis, contact us today.

More Resources

HIPAA Compliance Checklist: Security, Privacy, and Breach Notification Rules

Risk Assessment Checklist – 5 Steps You Need to Know

Penetration Testing in Support of HIPAA Compliance

Independent Audit Verifies Transact24’s Internal Controls and Processes

Hong Kong – 28 February 2017 – Transact24 Limited (“T24”) today announced that it has completed the SSAE 16 (SOC 1) Type I Audit for its USA subsidiary, Transact24 LLC (“T24LLC”). This attestation verifies that T24LLC has the proper internal controls and processes in place to deliver high quality services to its clients.

KirkpatrickPrice, a licensed CPA and PCI QSA firm, performed the audit and appropriate testing of T24LLC’s controls that may affect its clients’ financial statements. In accordance with SSAE 16 (Statements on Standards for Attestation Engagements), the SOC 1 Type I audit report includes T24LLC’s description of controls as well as the detailed testing of its controls at a specific point in time.

“Transact24 is committed to providing efficient payment solutions and is currently pursuing various key projects and strategies internationally. Completing the SSAE 16 (SOC 1) Type I Audit for T24LLC is part of the necessary regulatory framework required to pursue the product and geographic opportunities identified by T24,” said Philip Meyer, Managing Director of Transact24 Limited.

“Many of T24LLC’s clients rely on them to protect consumer information,” said Joseph Kirkpatrick, Managing Partner with KirkpatrickPrice. “As a result, T24LLC has implemented best practice controls demanded by their customers to address information security and compliance risks. Our third-party opinion validates these controls and the tests we perform provide assurance regarding the managed solutions provided by T24LLC.”

SOC 1 Type I is a report on the controls at a service organization that was established by the American Institute of Certified Public Accountants (AICPA). This report is in compliance with the SSAE 16 auditing standards, which focus on the controls of a service organization that are relevant to an audit of a user entity’s financial statements. The standard demonstrates that an organization has adequate controls and processes in place. Federal regulations such as Sarbanes-Oxley, Gramm-Leach-Bliley and the Health Insurance Portability and Accountability Act (HIPAA) require corporations to audit the internal controls of their suppliers, including those that provide technology services.

About T24 (www.transact24.com)
T24 is a Hong Kong-based Payment Services Company, established in 2006, with offices and/or satellite entities in Australia, Singapore, China, Mauritius, South Africa, Austria, Gibraltar, the USA and the UK.

T24 is licensed in the following territories: T24 (Mauritius) Ltd. has a Payment Intermediary Services Licence from the Financial Services Commission Mauritius, and T24 (UK) Ltd. has an Authorized Electronic Money Institution (“AEMI”) licence from the Financial Conduct Authority of the United Kingdom.

T24’s payment services products include Chinese Debit Card and Credit Card Acquiring; ACH processing; and Prepaid Card Program Management. T24 owns the IP for all its processing technologies and all its systems are PCI DSS Level 1 compliant.

T24 is part of the Net1 Group of companies. Net1 (www.Net1.com) has a primary listing on the NASDAQ and a secondary listing on the Johannesburg Stock Exchange.

About KirkpatrickPrice (www.kirkpatrickprice.com)
KirkpatrickPrice is a licensed CPA firm providing assurance services to over 550 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 10 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SSAE 16, SOC 2, HIPAA, PCI DSS, ISO 27001, FISMA, and CFPB frameworks.

How to Conduct a HIPAA Risk Analysis

In this webinar, Mark Hinely will teach the process of determining risks that are common for HIPAA risk considerations.

It’s important that your organization understands the terms related to risk analysis:

  • Vulnerability: flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.
  • Threat: the potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.
  • Risk: risk can be understood as a function of 1) the likelihood of a given threat triggering or exploiting a particular vulnerability, and 2) the resulting impact on the organization. This means that risk is not a single factor or event, but rather it is a combination of factors or events (threats and vulnerabilities) that, if they occur, may have an adverse impact on the organization.

We must understand the subjective nature of risk. When considering the risk of a bald tire, the significance of the risk must be obvious, right? Driving with bald tires is dangerous. But what if the bald tire was on a tire swing? Is it still dangerous? Not really; the tire’s strength doesn’t significantly affect its function there. What if the rope that’s holding the tire swing is frayed? Your risk level changes again. You wouldn’t put your child on that tire swing. But what if there’s a trampoline under the rope swing with the frayed rope? The risk lessens. What if that trampoline is sitting over the Grand Canyon? Again, your risk level changes. Until you have all of the information about the assets that you are trying to protect, the threats and risks, and your controls, you do not have a full understanding of the risk in your environment.

The key elements that this webinar outlines, regardless of the risk analysis method, are:

  • Identify potential threats and vulnerabilities
  • Determine the likelihood of threat occurrence
  • Determine the potential impact of threat occurrence
  • Evaluate current controls
  • Determine the level of risk
  • Finalize documentation

Listen to the full webinar for details on those key elements, hear examples, and listen to the Q&A portion. Contact us today to learn more.

Why the Change from SSAE 16 to SSAE 18?

Convergence with international standards is driving this change. There have been changes on the International Statement on Attestation Engagements (ISAE) side, and in the U.S., the Auditor Standards Board (ASB) desires to converge its standards with the international community’s changes. The standard corresponding to SSAE 18, which is a U.S.-only standard, is the new ISAE 3000.

In the full webinar, you will also see that the AICPA is striving to simplify the different AT sections into one source, which will be known as SSAE 18. Many of the older sections will be reorganized into SSAE 18.

What are the changes in the new standard?

There will be a stronger focus on risk assessment as a response to the magnitude of data breaches and the increase of risk. As more organizations outsource and use vendors, those organizations are taking more risks because they’re taking on the risks of their vendors. There is new language and focus on the responsibility of management. An auditor’s risk assessment must include:

  • An evaluation of the risk of material misstatement, asking whether management identified the risks that threaten the achievement of the control objectives stated in management’s description
  • An understanding of management’s process for identifying and evaluating the risks that threaten the achievement of the control objectives, and an assessment of the completeness and accuracy of management’s identification of those risks
  • An evaluation of the linkage between the controls identified in management’s description of the service organization’s system and those risks, and a determination that the controls have been implemented

How can KirkpatrickPrice help you make the shift?

Our resources on risk assessments and vendor compliance management can help you prepare your organization. Hire our specialized resources to facilitate a risk assessment with you and your team and perform site visits with your critical vendors, access our webinar recordings for topics dealing with risk assessment and vendor compliance management, access our tools and templates to help you with documenting your own risk assessment, and use the Online Audit Manager to ask questions of your vendors. Contact us today to learn more.

Download the full webinar to learn more details, see examples, and listen to the Q&A portion.

Best Practices for Firewall and Router Management

This webinar is not going to provide you with specific instructions on how to configure your individual devices. However, it will provide you with the individual attributes that you need to consider when developing your router and firewall security program. In this webinar, we will focus on discussing physical devices, running operating systems, and secure traffic rules.

If your goal is to fully develop your security system, you must accept that managing the security of a physical device goes much further than the device itself. Best practices include:

  • Assign responsibility for the management of physical devices, and perform periodic reviews of their configurations
  • Define acceptable use policies and procedures for your assets, along with the acceptable technologies and the acceptable locations to place them in
  • In those locations, ensure that devices are physically secured from unauthorized access; this means that cables running into and out of the devices are secured, direct console access to the devices is limited, and out-of-band access points to the devices are kept to a minimum

When you’re considering how to securely run operating systems, there are a few logical steps:

  • Limit logical access to only those who require it
  • Maintain a detailed list of hardening standards
  • Configure logging
  • Change all defaults (especially passwords)
  • Ensure strong encryption
  • Keep your operating system updated
  • Establish remote access console timeout
  • Configure NTP
  • Establish log-on banner
  • Disable unused interfaces
  • Ensure that loaded images are authentic
  • Restrict ICMP from untrusted interfaces
  • Enable anti-spoofing rules

When maintaining secure traffic rules, there are a few best practices including:

  • Maintain a list of approved ports and services, which management should oversee
  • Limit inbound traffic from the Internet to the DMZ
  • Limit outbound traffic to only that which is needed
  • Deny all other traffic not required
  • Generally speaking, “any” rules should not be used; rules should be as prescriptive as necessary
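As an added example that is not from the webinar or from KirkpatrickPrice, the Python below audits a constructed, vendor-neutral rule list against the traffic-rule practices listed above: an approved services list that management maintains, Internet-sourced traffic terminating only in the DMZ, outbound traffic limited to approved services, no “any” allow rules, and an explicit final deny-all. The rule format, the zone names and the contents of the approved-services set are assumptions for the example; a real review would read the exported configuration of the device in question and map it onto the same checks.

```python
from dataclasses import dataclass

# Assumed zone names for the example: "internet", "dmz", "internal", or the wildcard "any".


@dataclass(frozen=True)
class Rule:
    """One traffic rule in a simplified, vendor-neutral form (assumed format)."""
    action: str      # "allow" or "deny"
    src_zone: str
    dst_zone: str
    proto: str       # "tcp", "udp", "icmp" or "any"
    dst_port: str    # port number as a string, or "any"
    comment: str = ""


# The management-approved list of (protocol, port) pairs. Constructed for the example;
# in practice this is the documented list management signs off on.
APPROVED_SERVICES = {("tcp", "443"), ("tcp", "25"), ("udp", "53"), ("udp", "123")}

DENY_ALL_MESSAGE = "rule set does not end with an explicit deny-all"


def audit(rules: list[Rule]) -> list[str]:
    """Return one finding per deviation from the traffic-rule practices; empty means clean."""
    findings = []
    for i, r in enumerate(rules):
        if r.action != "allow":
            continue   # deny rules are not the concern of these checks
        fields = (r.src_zone, r.dst_zone, r.proto, r.dst_port)
        if "any" in fields:
            findings.append(f"rule {i}: 'any' in an allow rule; make it prescriptive ({r.comment})")
        elif (r.proto, r.dst_port) not in APPROVED_SERVICES:
            findings.append(f"rule {i}: {r.proto}/{r.dst_port} is not on the approved services list ({r.comment})")
        if r.src_zone == "internet" and r.dst_zone != "dmz":
            findings.append(f"rule {i}: inbound from the Internet must terminate in the DMZ, not {r.dst_zone} ({r.comment})")
    last = rules[-1] if rules else None
    if last is None or last.action != "deny" or {last.src_zone, last.dst_zone, last.proto, last.dst_port} != {"any"}:
        findings.append(DENY_ALL_MESSAGE)
    return findings


# Constructed sample rule set with two deliberate deviations for the audit to catch.
SAMPLE_RULES = [
    Rule("allow", "internet", "dmz", "tcp", "443", "public web front end"),
    Rule("allow", "internet", "internal", "tcp", "3389", "remote desktop to admin workstation"),
    Rule("allow", "internal", "internet", "any", "any", "temporary exception, never removed"),
    Rule("allow", "internal", "internet", "udp", "53", "DNS resolution"),
    Rule("deny", "any", "any", "any", "any", "default deny"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_RULES):
        print(finding)
```

On the sample set the audit reports three findings: rule 1 both bypasses the DMZ and uses a service that is not on the approved list, and rule 2 is an “any” allow rule; removing the last rule adds a fourth finding for the missing deny-all.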

Listen to the full webinar to learn more about firewall and router management, listen to the Q&A portion, and view more resources. Contact us today to learn more.