Conducting Your Risk Analysis

by Sarah Harvey / March 3rd, 2017

How to Conduct a HIPAA Risk Analysis

In this webinar, Mark Hinely walks through the process of identifying the risks that commonly come up in a HIPAA risk analysis.

It’s important that your organization understands the terms related to risk analysis:

  • Vulnerability: flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.
  • Threat: the potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.
  • Risk: risk can be understood as a function of 1) the likelihood of a given threat triggering or exploiting a particular vulnerability, and 2) the resulting impact on the organization. This means that risk is not a single factor or event, but rather it is a combination of factors or events (threats and vulnerabilities) that, if they occur, may have an adverse impact on the organization.

We must understand the subjective nature of risk. When considering the risk of a bald tire, the significance of the risk must be obvious, right? Driving with bald tires is dangerous. But what if the bald tire were on a tire swing? Is it still dangerous? Not really; the tire's strength doesn't significantly affect its function. What if the rope that's holding the tire swing is frayed? Your risk level changes again. You wouldn't put your child on that tire swing. But what if there's a trampoline under the rope swing with the frayed rope? The risk lessens. What if that trampoline is sitting over the Grand Canyon? Again, your risk level changes. Until you have all of the information about the assets you are trying to protect, the threats and vulnerabilities, and your controls, you do not have a full understanding of the risk in your environment.

The key elements that this webinar outlines, regardless of the risk analysis method, are:

  • Identify potential threats and vulnerabilities
  • Determine the likelihood of threat occurrence
  • Determine the potential impact of threat occurrence
  • Evaluate current controls
  • Determine the level of risk
  • Finalize documentation

Listen to the full webinar for details on those key elements, hear examples, and listen to the Q&A portion. Contact us today to learn more.