Road to HIPAA Compliance: Risk Analysis and Risk Management

by KirkpatrickPrice / January 27th, 2016

Risk Management for HIPAA Compliance

Continuing down the Road to HIPAA Compliance, we will discuss what a risk assessment is, what that looks like according to HIPAA requirements, and how to analyze and manage risk.

What is a Risk Assessment?

Why should you care about risk assessments? You must protect your assets, and to do that, we believe you need a formalized risk assessment. A risk assessment is a systematic process for evaluating existing controls and assessing their adequacy against the potential operational, reputational, and compliance threats identified in a risk analysis. Our five steps to a risk assessment include:

  1. Conduct Risk Assessment Survey
  2. Identify Risks
  3. Assess Risk Importance and Risk Likelihood
  4. Create Risk Management Action Plan
  5. Implement Risk Management Plan

What is a Risk Analysis?

A risk analysis identifies the threats to an organization and analyzes its vulnerabilities to them. The HIPAA Security Rule requires it as an implementation specification at 45 CFR 164.308(a)(1)(ii)(A), with risk management following at (B). This is a very factual process that includes asset characterization, threat identification, vulnerability identification, control analysis, likelihood determination, impact analysis, risk determination, control remediation, and results documentation. At the end of a risk analysis, you want to have a list of the critical assets you are trying to protect, the risks your organization is facing, and what your organization is doing to limit its vulnerabilities. Our nine steps to a risk analysis include:

  1. Asset Characterization: Identify and define the asset.
  2. Threat Identification: A threat is an event that can result in undesirable performance of a critical asset. It may be a man-made or natural event that exploits a flaw in the asset and results in loss of the asset's confidentiality, integrity, or availability.
  3. Vulnerability Identification: A known or unknown flaw or weakness in the asset that would result in loss of integrity, availability, or confidentiality.
  4. Control Analysis: What is being done to keep potential threats or vulnerabilities from having a negative effect on the asset? Is a control in place today? Is a further control planned but not yet implemented? Only controls actually in place reduce current risk.
  5. Likelihood Determination: What is the likelihood of an event having a negative effect on the asset?
  6. Impact Analysis: What is the potential impact on business? Time? Monetary? Intangible?
  7. Risk Determination: Combine the likelihood and impact findings to rate each risk, and decide which risks are material and which are not.
  8. Control Remediation: Decide whether the asset's current protection is acceptable or not acceptable, and for unacceptable risks identify the controls to add or strengthen.
  9. Results Documentation: Record the analysis and the remediation decisions, including any constraints (cost, time, technical, or vendor) on carrying out remediation.
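To make the nine steps concrete, here is a small risk register in Python that walks through them for a handful of entries. It is an added illustration, not code from the original post or from KirkpatrickPrice. The three-level scale, the way in-place controls subtract levels from likelihood or impact, and the materiality threshold are assumptions chosen for the example; HIPAA prescribes no particular scoring model. The register entries are constructed and do not describe a real organization.

```python
from dataclasses import dataclass, field

# Assumed three-level ordinal scale for the example; HIPAA does not prescribe one.
LEVEL = {"low": 1, "medium": 2, "high": 3}
MATERIAL_THRESHOLD = 4  # assumption: a residual score of 4 or more is material


@dataclass
class Control:
    """Step 4: a safeguard that is either in place today or merely planned."""
    name: str
    in_place: bool
    likelihood_reduction: int = 0  # levels it removes from likelihood (assumed model)
    impact_reduction: int = 0      # levels it removes from impact (assumed model)


@dataclass
class Risk:
    asset: str                 # step 1: asset characterization
    threat: str                # step 2: threat identification
    vulnerability: str         # step 3: vulnerability identification
    likelihood: str            # step 5: inherent likelihood, before controls
    impact: str                # step 6: inherent impact, before controls
    controls: list = field(default_factory=list)
    constraints: str = ""      # steps 8-9: anything that blocks remediation


def residual_levels(risk):
    """Credit only controls that are in place; planned controls protect nothing today."""
    active = [c for c in risk.controls if c.in_place]
    likelihood = LEVEL[risk.likelihood] - sum(c.likelihood_reduction for c in active)
    impact = LEVEL[risk.impact] - sum(c.impact_reduction for c in active)
    return max(1, likelihood), max(1, impact)


def residual_score(risk):
    """Step 7: risk rating = residual likelihood x residual impact."""
    likelihood, impact = residual_levels(risk)
    return likelihood * impact


def analyze(risks):
    """Steps 7-9: rate each risk, decide acceptability, document it, highest residual first."""
    rows = []
    for r in risks:
        score = residual_score(r)
        rows.append({
            "asset": r.asset,
            "threat": r.threat,
            "inherent": LEVEL[r.likelihood] * LEVEL[r.impact],
            "residual": score,
            "material": score >= MATERIAL_THRESHOLD,
            "planned_controls": [c.name for c in r.controls if not c.in_place],
            "constraints": r.constraints,
        })
    return sorted(rows, key=lambda row: row["residual"], reverse=True)


# Constructed sample register for the example; not real findings.
REGISTER = [
    Risk("ePHI database server", "internet attacker exploits unpatched service",
         "missing security patches", "high", "high",
         [Control("monthly patch cycle", True, likelihood_reduction=1),
          Control("web application firewall", False, likelihood_reduction=1)],
         constraints="vendor app breaks on current patch level; fix due Q3"),
    Risk("clinician laptops", "device lost or stolen", "ePHI stored locally",
         "medium", "high",
         [Control("full-disk encryption enforced by MDM", True, impact_reduction=2)]),
    Risk("backup tapes", "fire or flood at primary site", "single storage location",
         "low", "high",
         [Control("offsite tape rotation", False, impact_reduction=2)]),
]


def material_assets(risks=REGISTER):
    """Assets whose residual risk is material under the assumed threshold."""
    return [row["asset"] for row in analyze(risks) if row["material"]]


if __name__ == "__main__":
    for row in analyze(REGISTER):
        flag = "MATERIAL" if row["material"] else "acceptable"
        print(f"{row['residual']:>2}  {flag:<10} {row['asset']}: {row['threat']}")
        if row["planned_controls"]:
            print(f"      planned, not yet credited: {', '.join(row['planned_controls'])}")
        if row["constraints"]:
            print(f"      constraint: {row['constraints']}")
```

Two things the register makes visible that the list of steps alone does not: a planned control (the "future control" of step 4) is recorded but earns no credit, so the database server stays material until the patching constraint is actually resolved, and the constraint from step 9 travels with the row so the reason the risk is still open is documented next to the rating rather than lost in an email thread.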


Still have questions about risk management? For more information on how we can help, contact us today.