Using your HIPAA Risk Analysis

by Sarah Harvey / April 13th, 2017

Congratulations! You’ve completed your initial comprehensive HIPAA risk analysis, no easy task. You’ve gone through the process and planned for and scoped your environment. You’ve identified your risks, threats, and vulnerabilities, and all of the associated requirements necessary to conduct and complete a HIPAA risk analysis. So, now what? Let’s focus on five important steps for using your HIPAA risk analysis; Internal Reporting, Management Responsibilities, Corrective Action, Monitoring, and Auditing.

5 Important Steps for Using your HIPAA Risk Analysis

Internal reporting, management responsibilities, and corrective action are directly related to a risk analysis process, while monitoring and auditing are required for any information security program and indirectly serve you risk analysis process. Let’s take a look at each of these important steps for completing your HIPAA risk analysis.

1. Internal Reporting

Once you’ve completed the process of identifying your threats and vulnerabilities, potential impact, likelihood of occurrence, controls in place, recommendations, and all of the elements necessary for conducting your risk analysis, we need to know what to do with all of that information, specifically the report format. Your report format should include a high-level summary of your Risk Analysis process. This summary should show internal and external stakeholders what you did and how you did it in a way that that can be independently verified. Your report should frame what could be a confusing and complex collection of information in a way that can be easily understood and recreated. This report of information is important to operational units who may be responsible for implementing the recommendations resulting from the risk analysis, and external auditors, both from your clients, a third-party you’ve hired, or the federal government. A high-level report can go a long way in an auditor’s understanding and perspective of whether your risk analysis met the standards required in the HIPAA Security Rule.

A second item that is useful to include in your internal reporting, however not required, is your organization’s top findings. This can give a visual representation of your risks, not including all threat-level detail, but communicating the likelihood and impact of a particular risk and giving a comparative depiction of how a particular risk compares to other risks.

Another item that should be including in your risk analysis report are your recommendations. At this point, we’re discussing enterprise and project-level recommendations, not threat or vulnerability-level recommendations. These recommendations should include next steps, such as management approval, corrective action, auditing, and monitoring, including a description of how those activities should go forward based on your risk analysis.

Additional documentation should include any appendices and reference materials. Any sort of supplemental information that will be useful to internal and external stakeholders in understanding your HIPAA risk analysis. Lastly, be sure to include your actual HIPAA risk analysis and documentation of your threats and vulnerabilities, asset list, threat list, and policy list.

2. Management Responsibilities

The guiding standard for responding to risk is “reasonableness”. Specifically, we are required to “implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level” to comply with HIPAA laws. As you present your risk analysis and recommendations to management, it’s important to constantly think along the lines of what is reasonable and appropriate. There is always the potential for management to receive a risk analysis and be immediately overwhelmed with the number of things that are being recommended to be HIPAA compliant. Our goal isn’t perfection, it is determining how we can reasonably and appropriately mitigate risk. For example, a recommendation may be to utilize a proprietary software solution to mitigate a particular threat or vulnerability. This software solution costs three times your annual revenue, only reduces risk by 3%, and takes three years to develop and implement. In this instance, this is not a reasonable or appropriate recommendation. Another recommendation may be to implement a quarterly logical access review for an organization comprised of less than 100 employees. This process would take less than 15 hours each year to complete, would reduce risk by 50%, and can be immediately implemented. In this instance, this is an appropriate and reasonable method for reducing risk.

When evaluating and responding to risk, management has four ways of doing so. First, they can accept risk. If a cost-benefit analysis determines that the cost to mitigate a risk is unreasonable and inappropriate, the best response (and a compliant) is to accept and continually monitor the risk. Another way management can respond to a risk is to transfer the risk, for example to a business associate. A risk with a low probability of occurring that may have a large financial, regulatory, or reputational impact on the organization, may be best met by transferring the risk to a third party. A third way that management can respond to risk is to mitigate the risk. This is the best response for activities with a high likelihood of occurrence, but a low impact. Mitigation is going to be the bulk of the recommendations for your risk analysis follow-up. This requires changing or increasing controls. The final way to respond to risk is to avoid the risk altogether. This is most appropriate for activities that have a high likelihood of loss and a high likelihood of occurrence. An example of an activity that can be avoided is the risk of a stolen or lost laptop containing ePHI. This risk can be avoided by deciding that laptops will no longer be used to access ePHI or those devices are no longer able to leave the building. Find an alternative way to provide these services without exposing yourself to a particular risk. At the end of this process, management will go through the documentation review and approval. Management’s approval needs to be thoroughly documented.

3. Corrective Action

A HIPAA risk analysis is a great tool that can serve as a compliance roadmap. It can show you where you have the most exposure, what steps provide the greatest reduction of risk, and can assist in helping with budget requirements. The risk analysis should include control recommendations that are specific and were identified and documented during the analysis phase, and include best practices for categorizing your control recommendations from a cost perspective, benefit perspective, and the time it would take to implement. This step in using your HIPAA risk analysis will be very specific to your unique organization and can be based on a number of factors such as the size of your organization, the services provided, and the amount of ePHI that you have access to. Your corrective actions and control recommendations should prioritize the next steps that should be taken in further maturing your organization’s security posture.

4. Monitoring

Once you’ve completed the corrective action stage, you’ve completed all the steps related to your risk analysis. Using your risk analysis and all the resources that you have created during the process can help you to develop a risk-based security management system. If you’ve already identified your areas of greatest risk, sometimes it makes sense to increase your monitoring activities in order to appropriately address those areas of great risk. Ways you can do this include increasing frequency and the intensity of evaluation. There are certain types of controls you can use to monitor your risks. These include diagnostic controls, boundary controls, and belief systems. A diagnostic control is a reporting tool used to communicate that certain activities are happening when they’re supposed to happen and in the way they were designed to occur. Boundary controls are solutions that constrain certain activities. Not just by alerting you of an activity, but by impacting and influencing activities. These can include role-based access, multi-factor authentication, password management, and encryption sanctions. Lastly, belief systems are a part of the culture of compliance concept. This includes employee security training, an important aspect to ensuring that your responsibilities under HIPAA laws are appropriately taken care of.

5. Auditing

The final step in using your HIPAA risk analysis is your auditing process. There is often confusion between monitoring and auditing. Monitoring is a review of the information provided by an operational unit, whereas, auditing is an independent assessment of activities performed by someone outside the operation. When auditing your risk analysis, you should be testing your risk analysis controls for their existence and their effectiveness. Assess that your controls are in place and that they are appropriate and operating effectively. This independent audit, in turn, can benefit by laying the groundwork for future risk analyses.

Using your HIPAA risk analysis helps you to determine what you are going to do with the risk you have identified. It verifies that management has reviewed and agreed with the risk analysis process, and it also suggests how we can use this information to improve, whether that is through monitoring and auditing. If you need help with your HIPAA risk analysis process or understanding how to use the information established from your HIPAA risk analysis, contact us today.

More Resources

Security Awareness Training Compliance Requirements: SOC 2, PCI, HIPAA, and More

Most Common HIPAA Gaps

Penetration Testing in Support of HIPAA Compliance