What To Do With Your Completed Risk Analysis
Completing a comprehensive HIPAA risk analysis is a big achievement and puts you in rare company…but you’re not done yet. Once you’ve completed your HIPAA risk analysis, your organization should be asking: What are we going to do with this risk? Has management reviewed this and agreed? How can we use this information to improve? A mature risk management program doesn’t ask, “Do we have to do this again?” Instead, your risk management program should incorporate an ongoing, integrated risk analysis process. In this webinar, Mark Hinely will discuss five steps to take in using your risk analysis: internal reporting, management responsibilities, corrective actions, monitoring, and auditing.
Once you have completed the identification of your threats and vulnerabilities, the potential impact, the likelihood of occurrence, the controls in place, and your recommendations – all of the foundations of a comprehensive risk analysis – you may wonder what to do with that information. Creating an internal report is the next step to take. Your report should include a high-level summary of the risk analysis process, the top findings, your recommendations, and any appendices. The audience for this report should be senior-level management, operational units, or external auditors.
- High-Level Summary: The summary in your report should communicate to internal and external stakeholders what you did, and how you did it, in a way that could be independently verified. You want to frame what can be a very complex and confusing collection of information in a way that’s understandable.
- Top Findings: Your top findings and/or a heat map provide a visual representation of risk. Instead of giving all of the threat-level details that the risk analysis will include, a heat map will scale that information back to only portray the likelihood of occurrence and potential impact of a particular risk. A heat map is also beneficial because sometimes risk is only fully understood in comparison to other risks, threats, or vulnerabilities.
- Recommendations: These recommendations should be enterprise/project-level recommendations, not threat/vulnerability-level.
- Appendices: Include any type of supplemental, explanatory information that would be useful to internal or external stakeholders’ understanding of your risk analysis.
These four items will be separate from your actual HIPAA risk analysis. In addition to your internal report, you want to include your risk analysis. Sometimes individuals will also include an asset list, threat list, or policy list.
After you’ve completed your risk analysis and documented the results in a report, now you have a chance to provide the results to management. The guiding standard for responding to risk is “reasonable risk,” specifically § 164.308(a)(1)(ii)(B) – “Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a).”
When management reviews and evaluates risk, they can respond in one of four ways:
- Accept: If cost-benefit analysis determines the cost to mitigate a risk is unreasonable, then the best and compliant response is to accept and continually monitor the risk. But there are two kinds of acceptance – passive and active. Passive acceptance takes no action to resolve or manage the risk. Active acceptance takes action to manage the impact.
- Transfer: The best response to activities with a low probability of occurring, but with a large financial impact, is to transfer a portion, or all, of the risk to a third party.
- Mitigate: The best response to activities with a high likelihood of occurring, but with a small financial impact, is to use management control systems to reduce the risk of potential loss.
- Avoid: This is the best response to activities with a high likelihood of loss and a large financial impact. Instead of doing the activity but putting controls in place to reduce the risk, this option says “We just won’t do that anymore.”
You want to document management’s review of the risk analysis. We recommend using standards like, “Our organization’s internal standard is to accept risks that have an overall risk value of medium or low.” You also want to document management’s approval of the internal risk analysis report. This approval means they’ve thoroughly reviewed the report and deem it a fair representation of the risk environment. An appendix at the end of the management documentation should have names, titles, dates, and a statement that says that management has reviewed the information and agrees with it.
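The heat map, the four management responses, and the documented acceptance standard above are easiest to see working together in a small risk register. The following is an added example written for this page, not code from the webinar or its presenter. It assumes 1–3 ordinal scales for likelihood and impact, an overall risk value computed as likelihood × impact and bucketed into Low/Medium/High (thresholds are an assumption), and that a risk whose likelihood and impact are both on the low side maps to "Accept" (the page gives the other three quadrants explicitly). The sample risks are constructed.

```python
"""Constructed example: a minimal risk register that scores each risk,
renders a likelihood/impact heat map, proposes one of the four management
responses, and applies a documented acceptance standard."""
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed ordinal scales: 1 = Low, 2 = Medium, 3 = High (for both axes).
LEVELS = {1: "Low", 2: "Medium", 3: "High"}
RANK = {"Low": 0, "Medium": 1, "High": 2}


@dataclass(frozen=True)
class Risk:
    risk_id: str
    threat: str
    likelihood: int  # 1..3, likelihood of occurrence
    impact: int      # 1..3, potential impact

    def __post_init__(self) -> None:
        if self.likelihood not in LEVELS or self.impact not in LEVELS:
            raise ValueError(f"{self.risk_id}: likelihood and impact must be 1..3")

    @property
    def score(self) -> int:
        # Overall risk value as a product of the two axes (1..9). An assumption.
        return self.likelihood * self.impact


def overall_value(score: int) -> str:
    """Bucket a 1..9 product into Low/Medium/High. Thresholds are an assumption."""
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def suggested_response(risk: Risk) -> str:
    """Quadrant rule from the page: Avoid (high/large), Transfer (low/large),
    Mitigate (high/small), Accept (low/small, assumed). Medium counts as
    the 'high' side of each axis here, which is an assumption."""
    high_likelihood = risk.likelihood >= 2
    large_impact = risk.impact >= 2
    if high_likelihood and large_impact:
        return "Avoid"
    if large_impact:
        return "Transfer"
    if high_likelihood:
        return "Mitigate"
    return "Accept"


def within_acceptance_standard(risk: Risk, max_accepted: str = "Medium") -> bool:
    """Apply the documented standard: accept risks whose overall value is at
    or below max_accepted (e.g. 'medium or low')."""
    return RANK[overall_value(risk.score)] <= RANK[max_accepted]


def heat_map(risks: List[Risk]) -> Dict[Tuple[int, int], List[str]]:
    """Bucket risk IDs by (likelihood, impact) cell."""
    cells: Dict[Tuple[int, int], List[str]] = {(l, i): [] for l in LEVELS for i in LEVELS}
    for r in risks:
        cells[(r.likelihood, r.impact)].append(r.risk_id)
    return cells


def render_heat_map(risks: List[Risk]) -> str:
    """Text heat map: rows are impact (High at top), columns are likelihood."""
    cells = heat_map(risks)
    header = "Impact \\ Likelihood | " + " | ".join(f"{LEVELS[l]:^8}" for l in (1, 2, 3))
    lines = [header]
    for i in (3, 2, 1):
        row = " | ".join(f"{','.join(cells[(l, i)]) or '-':^8}" for l in (1, 2, 3))
        lines.append(f"{LEVELS[i]:^19} | {row}")
    return "\n".join(lines)


def management_review(risks: List[Risk], max_accepted: str = "Medium") -> List[dict]:
    """One row per risk, highest score first, ready for the internal report."""
    rows = []
    for r in sorted(risks, key=lambda x: x.score, reverse=True):
        rows.append({
            "risk_id": r.risk_id, "threat": r.threat,
            "likelihood": LEVELS[r.likelihood], "impact": LEVELS[r.impact],
            "score": r.score, "overall": overall_value(r.score),
            "response": suggested_response(r),
            "accepted": within_acceptance_standard(r, max_accepted),
        })
    return rows


def corrective_action_queue(risks: List[Risk], max_accepted: str = "Medium") -> List[str]:
    """Risks above the acceptance standard, highest score first."""
    return [row["risk_id"] for row in management_review(risks, max_accepted) if not row["accepted"]]


# Constructed sample register (not real findings).
SAMPLE_RISKS = [
    Risk("R-01", "Lost unencrypted laptop containing ePHI", likelihood=3, impact=3),
    Risk("R-02", "Fire in the primary data center", likelihood=1, impact=3),
    Risk("R-03", "Phishing email reaches a user inbox", likelihood=3, impact=1),
    Risk("R-04", "Visitor tailgates into the lobby", likelihood=1, impact=1),
    Risk("R-05", "Remote EHR access from unmanaged home devices", likelihood=2, impact=3),
]

if __name__ == "__main__":
    print(render_heat_map(SAMPLE_RISKS))
    for row in management_review(SAMPLE_RISKS):
        print(row)
    print("Corrective action queue:", corrective_action_queue(SAMPLE_RISKS))
```

Running the script prints the heat map, a management-review table with the suggested response and whether each risk falls inside the stated acceptance standard, and the ordered list of risks that need corrective action. Changing `max_accepted` is how you would encode a stricter or looser internal standard without touching the scoring.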
A risk analysis is a great tool for creating a compliance roadmap. It tells you where you have the most exposure and what steps you can take to reduce the areas of greatest exposure, and it can assist you with budget requirements. From a best practices perspective, you want to get to a point where you can categorize your control recommendations from a cost perspective, a benefit perspective, and an implementation perspective. Corrective actions are where you take the steps needed to reduce risk to a reasonable and appropriate level, and carry them out.
Once you’ve completed the corrective action stage, you can begin to create a risk-based management control system, rather than a resource-based management control system. If it’s feasible, areas of greater risk receive increased monitoring – increased in frequency and intensity. You can monitor activity through diagnostic controls, boundary controls, or belief systems.
- Diagnostic Controls: This type of control reports whether activities are happening when they’re supposed to happen and in the way they were designed to occur. For example, audit logs or penetration tests.
- Boundary Controls: This is a type of control that constrains activity. It doesn’t just tell you whether or not the activity is occurring, it actually impacts activities. For example, access control processes, encryption, or sanctions.
- Belief Systems: These controls tend to create a culture of compliance. For example, your security awareness training. Employees frequently resist security awareness training, but when you look at enforcement activity, you see activities that security awareness training should have prevented, and that instead led to breaches.
An effective risk management program will incorporate a healthy balance of diagnostic, boundary, and belief system controls.
A HIPAA risk analysis not only provides direction for monitoring activities, but also for auditing activity. So, what’s the difference between monitoring and auditing? Monitoring is a review of information provided by an operational unit. Auditing is an independent assessment of activities performed by someone outside of the business unit. Internal auditing benefits from a comprehensive risk analysis because your risk analysis should inform your auditing program where the greatest risk is. Audits should test risk analysis controls for both existence and effectiveness. Auditing also lays the groundwork for future risk analyses.
Listen to the full webinar to learn detailed steps of internal reporting, management responsibilities, corrective actions, monitoring, and auditing. Contact us today to learn more.