Road to HIPAA Compliance: Risk Analysis and Risk Management

by KirkpatrickPrice / January 27th, 2016

Risk Management for HIPAA Compliance

Continuing down the Road to HIPAA Compliance, we will discuss what a risk assessment is, what that looks like according to HIPAA requirements, and how to analyze and manage risk.

What is a Risk Assessment?

Why should you care about risk assessments? You must protect your assets, and to do that, we believe you need a formalized risk assessment. A risk assessment is a systematic process for evaluating existing controls and assessing their adequacy against the potential operational, reputational, and compliance threats identified in a risk analysis. Our five steps to a risk assessment include:

1. Conduct Risk Assessment Survey
2. Identify Risks
3. Assess Risk Importance and Risk Likelihood
4. Create Risk Management Action Plan
5. Implement Risk Management Plan

What is a Risk Analysis?

A risk analysis identifies the threats and analyzes the vulnerabilities of an organization. This is a very factual process that includes asset characterization, threat identification, vulnerability identification, control analysis, likelihood determination, impact analysis, risk determination, control remediation, and results documentation. At the end of a risk analysis, you want to have a list of what critical assets you’re trying to protect, the risks your organization is facing, and what your organization is doing to limit vulnerabilities. Our nine steps to a risk analysis include:

1. Asset Characterization: Identify and define the asset.
2. Threat Identification: A threat is an event that can result in non-desirable performance of critical assets. This could be man-made or natural events that take advantage of an asset’s flaw results in loss of asset integrity, availability, and confidentiality.
3. Vulnerability Identification: A known or unknown flaw or weakness in the asset that would result in loss of integrity, availability, or confidentiality.
4. Control Analysis: What is being done to mitigate potential threats or vulnerabilities from having a negative effect on the asset? Is a control in place? Is a future control in place?
5. Likelihood Determination: What is the likelihood of an event having a negative effect on the asset?
6. Impact Analysis: What is the potential impact on business? Time? Monetary? Intangible?
7. Risk Determination: Look at current analysis and determine material or non-material risks.
8. Control Remediation: Document status of the protection of the asset – acceptable or non-acceptable?
9. Results Documentation: Are there constraints on remediation?

For more resources, check out these common risk management methodologies:

• HHS Security Risk Assessment (SRA) tool
• NIST – National Institute of Standards and Technology Methodology
• OCTAVE – by Software Engineering Institute (SEI) Carnegie Mellon University
• FRAP – Facility Risk Assessment Process (Peltier)
• COBRA – Consultative Objective and Bi-functional Risk Analysis by C&A Systems Security LTD

Still have questions about risk management? For more information on how we can help, contact us today.