Looking for a step-by-step approach to performing a HIPAA Risk Analysis? This series takes a detailed look at planning, conducting, and using your risk analysis.

Using Your Risk Analysis

What To Do With Your Completed Risk Analysis

Completing a comprehensive HIPAA risk analysis is a big achievement and puts you in rare company…but you’re not done yet. Once you’ve completed your HIPAA risk analysis, your organization should be asking: What are we going to do with this risk? Has management reviewed this and agreed? How can we use this information to improve? A mature risk management program doesn’t ask, “Do we have to do this again?” Instead, your risk management program should incorporate an ongoing, integrated risk analysis process. In this webinar, Mark Hinely will discuss five steps to take in using your risk analysis: internal reporting, management responsibilities, corrective actions, monitoring, and auditing.

Internal Reporting

Once you have completed the identification of your threats and vulnerabilities, the potential impact, the likelihood of occurrence, the controls in place, and your recommendations – all of the foundations of a comprehensive risk analysis – you may wonder what to do with that information. Internal reporting is the next step to take. Your report should include a high-level summary of the risk analysis process, the top findings, your recommendations, and any appendices. The audience for this report should be senior-level management, operational units, or external auditors.

  1. High-Level Summary: The summary in your report should communicate to internal and external stakeholders what you did, and how you did it, in a way that could be independently verified. You want to frame what can be a very complex and confusing collection of information in a way that’s understandable.
  2. Top Findings: Your top findings and/or a heat map provide a visual representation of risk. Instead of giving all of the threat-level details that the risk analysis will include, a heat map will scale that information back to only portray the likelihood of occurrence and potential impact of a particular risk. A heat map is also beneficial because sometimes risk is only fully understood in comparison to other risks, threats, or vulnerabilities.
  3. Recommendations: These recommendations should be enterprise/project-level recommendations, not threat/vulnerability-level.
  4. Appendices: Include any type of supplemental, explanatory information that would be useful to internal or external stakeholders’ understanding of your risk analysis.

These four items will be separate from your actual HIPAA risk analysis. In addition to your internal report, you want to include your risk analysis. Sometimes individuals will also include an asset list, threat list, or policy list.

Management Responsibilities

After you’ve completed your risk analysis and documented the results in a report, now you have a chance to provide the results to management. The guiding standard for responding to risk is “reasonable risk,” specifically § 164.308(a)(1)(ii)(B) – “Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a).”

When management reviews and evaluates risk, they can respond in one of four ways:

  1. Accept: If cost-benefit analysis determines the cost to mitigate risk is unreasonable, then the best and compliant response is to accept and continually monitor the risk. But, there are two kinds of acceptance – passive and active. Passive acceptance takes no action to resolve or manage the risk. Active acceptance takes action to manage the impact.
  2. Transfer: The best response to activities with a low probability of occurring, but with a large financial impact, is to transfer a portion, or all, of the risk to a third party.
  3. Mitigate: The best response to activities with a high likelihood of occurring, but with a small financial impact, is to use management control systems to reduce the risk of potential loss.
  4. Avoid: This is the best response to activities with a high likelihood of loss and a large financial impact. Instead of doing the activity but putting controls in place to reduce the risk, this option says “We just won’t do that anymore.”

You want to document management’s review of the risk analysis. We recommend using standards like, “Our organization’s internal standard is to accept risks that have an overall risk value of medium or low.” You also want to document management’s approval of the internal risk analysis report. This approval means they’ve thoroughly reviewed the report and deem it a fair representation of the risk environment. An appendix at the end of the management documentation should have names, titles, dates, and a statement that says that management has reviewed the information and agrees with it.

Corrective Action

A risk analysis is a great tool for creating a HIPAA compliance roadmap. It tells you where you have the most exposure, what steps you can take to reduce the areas of greatest exposure, and it can assist in helping you with budget requirements. From a best practices perspective, you want to get to a point where you can categorize your control recommendations from a cost perspective, a benefit perspective, and an implementation perspective. Corrective action means taking the things that need to be done to reduce risk to a reasonable and appropriate level, and doing them.

Monitoring

Once you’ve completed the corrective action stage, you can begin to create a risk-based management control system, rather than a resource-based management control system. If it’s feasible, areas of greater risk receive increased monitoring – increased in frequency and intensity. You can monitor activity through diagnostic controls, boundary controls, or belief systems.

  1. Diagnostic Controls: This type of control reports whether activities are happening when they’re supposed to happen and in the way they were designed to occur. For example, audit logs or penetration tests.
  2. Boundary Controls: This is a type of control that constrains activity. It doesn’t just tell you whether or not the activity is occurring, it actually impacts activities. For example, access control processes, encryption, or sanctions.
  3. Belief Systems: These controls tend to create a culture of compliance. For example, your security awareness training. Employees frequently resist security training, but when you look at enforcement activity, you see activities that security awareness training should have prohibited but that instead led to breaches.

An effective risk management program will incorporate a healthy balance of diagnostic, boundary, and belief system controls.

Auditing

A HIPAA risk analysis not only provides direction for monitoring activities, but also for auditing activity. So, what’s the difference between monitoring and auditing? Monitoring is a review of information provided by an operational unit. Auditing is an independent assessment of activities performed by someone outside of the business unit. Internal auditing benefits from a comprehensive risk analysis because your risk analysis should inform your auditing program where the greatest risk is. Audits should test risk analysis controls for both existence and effectiveness. Auditing also lays the groundwork for future risk analyses.

Listen to the full webinar to learn detailed steps of internal reporting, management responsibilities, corrective actions, monitoring, and auditing. Contact us today to learn more about HIPAA compliance.

Conducting Your Risk Analysis

How to Conduct a HIPAA Risk Analysis

In this webinar, Mark Hinely will teach the process of determining the risks that are commonly considered in a HIPAA risk analysis.

It’s important that your organization understands the terms related to risk analysis:

  • Vulnerability: flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.
  • Threat: the potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.
  • Risk: risk can be understood as a function of 1) the likelihood of a given threat triggering or exploiting a particular vulnerability, and 2) the resulting impact on the organization. This means that risk is not a single factor or event, but rather it is a combination of factors or events (threats and vulnerabilities) that, if they occur, may have an adverse impact on the organization.

We must understand the subjective nature of risk. When considering the risk of a bald tire, the significance of the risk must be obvious, right? Driving with bald tires is dangerous. But what if the bald tire was on a tire swing? Is it still dangerous? Not really; the tire’s strength doesn’t significantly affect its function. What if the rope that’s holding the tire swing is frayed? Your risk level changes again. You wouldn’t put your child on that tire swing. But what if there’s a trampoline under the rope swing with the frayed rope? The risk lessens. What if that trampoline is sitting over the Grand Canyon? Again, your risk level changes. Until you have all of the information about the assets that you are trying to protect, the threats and risks, and your controls, you do not have a full understanding of the risk in your environment.

The key elements that this webinar outlines, regardless of the risk analysis method, are:

  • Identify potential threats and vulnerabilities
  • Determine the likelihood of threat occurrence
  • Determine the potential impact of threat occurrence
  • Evaluate current controls
  • Determine the level of risk
  • Finalize documentation
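The key elements above (identify threats and vulnerabilities, rate likelihood and impact, evaluate controls, determine the level of risk) and the four management responses and sample acceptance standard from the “Using Your Risk Analysis” section can be worked through on a small risk register. The following is an added example, not code from the webinar or from the presenter; every scale and threshold in it is an assumption chosen for illustration: a 3-point scale for likelihood and impact, a risk score of likelihood × impact bucketed into Low/Medium/High, an effective control lowering likelihood by one step, and the page’s sample acceptance standard of “medium or low.” The register entries are constructed, not real findings.

```python
"""Scoring a constructed risk register with the likelihood x impact model.

Added example (not the webinar's or the presenter's code). Every scale and
threshold below is an assumption for illustration, not something the page
prescribes.
"""
from dataclasses import dataclass

LOW, MEDIUM, HIGH = 1, 2, 3
NAME = {LOW: "Low", MEDIUM: "Medium", HIGH: "High"}


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int          # inherent likelihood, 1..3 (assumed scale)
    impact: int              # potential impact, 1..3 (assumed scale)
    control_effective: bool  # does an existing, tested control reduce likelihood?


def residual_likelihood(r: Risk) -> int:
    """Assumed rule: an effective control lowers likelihood by one step."""
    return max(LOW, r.likelihood - 1) if r.control_effective else r.likelihood


def risk_score(r: Risk) -> int:
    return residual_likelihood(r) * r.impact


def risk_level(score: int) -> str:
    """Assumed buckets over the 1..9 product scale."""
    if score <= 2:
        return "Low"
    if score <= 4:
        return "Medium"
    return "High"


def recommended_response(r: Risk, acceptable=("Low", "Medium")) -> str:
    """Maps residual likelihood/impact onto the four responses the page lists:
    avoid (high/high), transfer (low likelihood, high impact), mitigate
    (high likelihood, low impact). Anything else is accepted when it meets
    management's acceptance standard and mitigated otherwise."""
    lik, imp = residual_likelihood(r), r.impact
    if lik == HIGH and imp == HIGH:
        return "Avoid"
    if lik == LOW and imp == HIGH:
        return "Transfer"
    if lik == HIGH and imp == LOW:
        return "Mitigate"
    return "Accept" if risk_level(risk_score(r)) in acceptable else "Mitigate"


def heat_map(risks) -> dict:
    """Counts risks per (likelihood, impact) cell: the data behind a heat map."""
    cells = {(l, i): 0 for l in (LOW, MEDIUM, HIGH) for i in (LOW, MEDIUM, HIGH)}
    for r in risks:
        cells[(residual_likelihood(r), r.impact)] += 1
    return cells


def render_heat_map(risks) -> str:
    """Text rendering, highest impact on top, as heat maps are usually drawn."""
    cells = heat_map(risks)
    cols = (LOW, MEDIUM, HIGH)
    rows = ["impact \\ likelihood | " + " | ".join(f"{NAME[l]:>6}" for l in cols)]
    for imp in (HIGH, MEDIUM, LOW):
        rows.append(f"{NAME[imp]:<19} | " + " | ".join(f"{cells[(l, imp)]:>6}" for l in cols))
    return "\n".join(rows)


# Constructed register for illustration only; not real findings.
REGISTER = [
    Risk("Email", "Unauthorized disclosure", "Staff forward ePHI to personal accounts; no DLP", HIGH, HIGH, False),
    Risk("Data center", "Fire", "Single site, no offsite hosting", LOW, HIGH, False),
    Risk("Workstations", "Malware from web browsing", "No web filtering; endpoints hold no ePHI", HIGH, LOW, False),
    Risk("Admin office", "Tailgating", "Badge reader only", MEDIUM, LOW, True),
    Risk("File server", "Ransomware", "Flat network; offline backups tested quarterly", HIGH, HIGH, True),
]


def management_report(risks):
    """Enterprise-level view for the internal report: score, level, response."""
    return [(r.asset, risk_score(r), risk_level(risk_score(r)), recommended_response(r)) for r in risks]


if __name__ == "__main__":
    print(render_heat_map(REGISTER))
    for row in management_report(REGISTER):
        print(row)
```

The point of separating `residual_likelihood` from the inherent rating is the “evaluate current controls” step: the file server entry starts at high/high but an effective, tested backup control moves it out of the “avoid” cell into one that is still above the acceptance standard, so it lands on “mitigate” rather than “accept.” The heat map counts are what the report’s visual summary would be drawn from.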

Listen to the full webinar for details on those key elements, hear examples, and listen to the Q&A portion. Contact us today to learn more.

Planning Your Risk Analysis

What Does A Complete Risk Analysis Planning Process Look Like?

Why are we spending time on three separate sessions about risk analysis? A formal risk analysis is required under the Security Rule, it’s something organizations consistently struggle with, and it has benefits beyond meeting the Security Rule requirement. Let’s get started.

In this session, we’ll discuss the five key elements of planning a HIPAA risk analysis.

  1. Goal: There are several goals to have in mind during your organization’s risk analysis. You should aim to create a thorough, complete planning process so that you don’t end with incomplete results. You should also aim to measure risk instead of strict compliance. Our goal is to teach you the differences between a HIPAA risk analysis and a HIPAA gap analysis. A risk analysis asks, “How much exposure do we have to unauthorized access or disclosure of ePHI? What else do we need to do to reduce risk?” But a gap analysis asks, “How are we doing compared to what the regulations require?”
  2. Resources: During the planning process, you should assess your resources by asking: Who will lead the project? Do they have proper experience in conducting risk analyses? Do they have leadership support? Have they reviewed past risk analyses?
  3. Scope: A risk analysis applies to all electronic PHI, whether created, received, maintained, or transmitted. We believe that when assessing scope, you need to think in terms of ePHI processing as opposed to systems. Where does PHI enter and leave your entity? We also believe that creating an ePHI workflow is key in having a complete risk analysis. The issue with ranking risks and implementing controls without a flow is that you may leave gaps between systems.
  4. Information Gathering: There are many places to look when gathering information: information gathered in ePHI flow research, past and present ePHI projects, information security incidents, interviews with key staff, documentation review, etc. It may seem obvious, but we’ll say it anyway: document your information gathering. The OCR has indicated in its security series that entities should document information on ePHI during this information collection phase.
  5. Perspectives: When you’ve completed the planning process, you might wonder: How do we ensure that we’ve accurately captured all of the information we need to properly complete a risk analysis? There are two ways to check yourself: internal and external resources. This is an appropriate time to bring in individuals who aren’t leading the project and present your findings to them. Or, you could find a third party who has expertise and who can help you decide whether you’re ready to conduct a risk analysis.

Download the full webinar to hear Mark Hinely’s case study breakdown and the Q&A portion. Contact us today for more information on risk management.