Road to HIPAA Compliance: Risk Analysis and Risk Management
Risk Management for HIPAA Compliance
Continuing down the Road to HIPAA Compliance, we will discuss what a risk assessment is, what that looks like according to HIPAA requirements, and how to analyze and manage risk.
What is a Risk Assessment?
Why should you care about risk assessments? You must protect your assets, and to do that, we believe you need a formalized risk assessment. A risk assessment is a systematic process for evaluating existing controls and assessing their adequacy against the potential operational, reputational, and compliance threats identified in a risk analysis. Our five steps to a risk assessment include:
- Conduct Risk Assessment Survey
- Identify Risks
- Assess Risk Importance and Risk Likelihood
- Create Risk Management Action Plan
- Implement Risk Management Plan
What is a Risk Analysis?
A risk analysis identifies the threats and analyzes the vulnerabilities of an organization. This is a very factual process that includes asset characterization, threat identification, vulnerability identification, control analysis, likelihood determination, impact analysis, risk determination, control remediation, and results documentation. At the end of a risk analysis, you want to have a list of what critical assets you’re trying to protect, the risks your organization is facing, and what your organization is doing to limit vulnerabilities. Our nine steps to a risk analysis include:
- Asset Characterization: Identify and define the asset.
- Threat Identification: A threat is an event that can result in non-desirable performance of critical assets. This could be man-made or natural events that take advantage of an asset’s flaw results in loss of asset integrity, availability, and confidentiality.
- Vulnerability Identification: A known or unknown flaw or weakness in the asset that would result in loss of integrity, availability, or confidentiality.
- Control Analysis: What is being done to mitigate potential threats or vulnerabilities from having a negative effect on the asset? Is a control in place? Is a future control in place?
- Likelihood Determination: What is the likelihood of an event having a negative effect on the asset?
- Impact Analysis: What is the potential impact on business? Time? Monetary? Intangible?
- Risk Determination: Look at current analysis and determine material or non-material risks.
- Control Remediation: Document status of the protection of the asset – acceptable or non-acceptable?
- Results Documentation: Are there constraints on remediation?
For more resources, check out these common risk management methodologies:
- HHS Security Risk Assessment (SRA) tool
- NIST – National Institute of Standards and Technology Methodology
- OCTAVE – by Software Engineering Institute (SEI) Carnegie Mellon University
- FRAP – Facility Risk Assessment Process (Peltier)
- COBRA – Consultative Objective and Bi-functional Risk Analysis by C&A Systems Security LTD
Still have questions about risk management? For more information on how we can help, contact us today.