A couple of weeks ago, we posted about the planning process for a HIPAA risk analysis. This process included determining whether the proper resources are available, the importance of defining scope, creating or using ePHI workflows, and compiling asset lists. The next step in the process is to perform the actual risk analysis. Let’s talk about the actual elements for conducting your HIPAA risk analysis and define some common terms we will need to know for this process.
Defining Common Terms for Conducting your HIPAA Risk Analysis
When talking about risk analysis, we often hear the terms threat, vulnerability, and risk. Understanding what these terms mean is important for when you’re ready to conduct your risk analysis. According to NIST 800-30, a vulnerability is a “flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or violation of the system’s security policy”. A threat is the potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability (adapted from NIST 800-30). According to HHS guidance for risk analysis, a risk can be understood as a “function of the likelihood of a given threat triggering or exploiting a particular vulnerability, and the resulting impact on the organization”. This means that risk is not a single factor or event, but rather a combination of factors or events that, if they occur, may have an adverse effect on the organization.
The Subjective Nature of Risk
Before we dive into the technical approach of conducting your HIPAA risk analysis, we must make clear that the concept of risk is subjective. When determining risk, we must ask ourselves:
- What is the asset?
- What must we account for?
- What do we need to protect?
- Is there significant risk?
To better understand how risk can be subjective, picture a worn tire, completely smooth in some places. Just considering the tire we can conclude that it is in bad shape, and there is significant risk. However, when you picture the tire connected to a tire swing rather than on your car, the subjective nature changes and the tire is no longer a significant risk. This combination of factors is important to consider when you see an asset and then see how it is used. What if the rope holding the tire swing was frayed? Would you alter and increase your opinion of the nature of risk? In this case, we must consider not only the tire, but also what it is connected to. What if we implement a control here and position a group of people holding a rescue trampoline under the girl on the tire swing with the frayed rope? Have we appropriately reduced the risk? Let’s complicate it more. Now, the rescue team with the trampoline is standing at the edge of a canyon. Does this change our opinion of significant risk again?
When conducting your HIPAA risk analysis, you must have all of the information about the assets that you’re trying to protect in order to fully understand the risk in your environment. Once you can do this, you are ready to move forward and identify risks, threats, vulnerabilities, controls and evaluate all the information about the assets you’re trying to protect in order to come up with a reasonable ranking for your risk. As you start conducting your HIPAA risk analysis it’s important to wait to define your risk until the end of the process.
Choosing a Risk Analysis Method
There are multiple acceptable risk analysis methods out there. The most common are NIST SP 800-30, Mehari, and Magerit. Among these risk analysis methods, NIST is the most common, especially in the healthcare industry. However, all of these risk analysis methods contain the same key elements. The key elements of any risk analysis method are to:
- Identify potential threats and vulnerabilities
- Determine the likelihood of threat occurrence
- Determine the potential impact of threat occurrence
- Evaluate current controls
- Determine the level of risk
- Finalize documentation
Let’s break these elements down and fully define the steps for conducting your HIPAA risk analysis.
Identify Potential Threats and Vulnerabilities
This initial step further emphasizes that the planning part of your HIPAA risk analysis is so important. It’s much easier to identify potential threats and vulnerabilities if you have defined your scope, ePHI workflow, and asset lists so that you know where your potential threats and vulnerabilities exist. Just like the tire illustration, when conducting your HIPAA risk analysis, you must ask yourself the same questions over and over again to exhaust every possibility that could occur in different parts of your environment that contain ePHI.
Determine the Likelihood of Threat Occurrence
This step in conducting your HIPAA risk analysis involves determining the probability that a potential vulnerability is actually exercised. For example, consider a lost or stolen employee laptop. How many laptops do you have? Do they leave your organization’s facility? Do people use their personal laptops to access ePHI? Is ePHI stored on laptops? The best way to do this is to numerically rank the likelihood of each threat and vulnerability you’ve identified. For example, you could rank the likelihood by very unlikely, unlikely, likely, very likely.
Determine the Potential Impact of Threat Occurrence
The next step in the process is determining the potential impact of a threat occurring. Just because something is very likely to occur, doesn’t mean the impact on your organization will be very bad. Also consider the reverse; something may be very unlikely to occur, but if it did would have a devastating impact on the organization. Just like with determining the likelihood, you’ll want to create a key that allows you to numerically rank the adverse impact resulting from a successful threat. Ask yourself, how much ePHI could be accessed? Could this shut down operations? Could this impact other covered entities or business associates? Could this cause a loss of business and harm to our reputation?
Evaluate Current Security Controls
Now that you’ve ranked the likelihood and impact of a threat occurring, it’s time to evaluate all use of assets and any backup measure used to prevent a threat from being exploited. Going back to our example of a stolen employee laptop, let’s list all of the controls that are currently in place to protect ePHI accessible from the laptop. Some example controls would be:
- Unique user ID
- Multi-factor authentication
- Remote wipe
- No ePHI stored on the computer
- Laptop can’t be physically removed from facility
- ePHI can’t be remotely accessed
Just as in the previous steps, create your own rating system to rank each current control. Is what you’re doing insufficient, sufficient, or excellent in terms of preventing a threat or vulnerability from being successfully exploited? Once you’ve completed this step, you may also want to consider what else can you do to mitigate risk.
Determine the Level of Risk
The risk left over after you’ve identified potential threats and vulnerabilities, determined the likelihood and impact of those threats occurring, and evaluated existing security controls, is called residual risk. This gives you the information needed to determine the level of risk. Looking at your residual risk, you must come up with a numerical scoring system to rank these risks (very low, low, moderate, high, very high) to determine and understand where your risk lies. This will be a combination of the likelihood ranking, impact ranking, and existing controls ranking.
If you’d like to take it a step further, you can categorize your risks based on specific aspects of that risk. For example, reputational risk, regulatory compliance risk, operational risk, technical risk, financial risk, etc. Although not necessary, this is a helpful task for conducting a thorough HIPAA risk analysis.
The final step in conducting your HIPAA risk analysis is documenting your risk analysis process. Your documentation can look several different ways, however, the elements that you should ensure are included are each defined asset, threat, vulnerability, likelihood, impact, current controls, control ranking, residual risk, and any control recommendations.
To summarize, start simple. Don’t overwhelm yourself and establish the framework of key elements to get started. Don’t forget about the subjective nature of risk and be sure to always document everything. For more information or free tools and resources to help you complete your HIPAA risk analysis, contact me today at email@example.com