Conducting a risk analysis is one of the initial steps healthcare entities must complete for HIPAA Security Rule compliance. The Security Rule was published by the U.S. Department of Health and Human Services (HHS) and establishes national standards for protecting electronic protected health information (ePHI). HHS has also issued guidance to assist entities in conducting healthcare risk analysis.
Conducting a Basic Healthcare Risk Analysis
The guidance issued by HHS on implementing the policies and procedures specified in the HIPAA Security Rule follows a linear, step-by-step process to help every entity conduct a healthcare risk analysis:
- Determine the scope of your risk analysis and collect data
- Identify and document all of your potential threats and vulnerabilities
- Assess your current security measures
- Determine the likelihood and potential impact of threat occurrences
- Assign risk levels and finalize documentation
- Periodically reassess your cybersecurity efforts
Note that the Security Rule does not specify how each step must be carried out, allowing different entities some flexibility when deciding the best methods for achieving the standards.
1. Determine the Scope of Your Risk Analysis and Collect Data
The first step healthcare entities must take when conducting their risk analysis is to ascertain what ePHI data exists in their environment and where it’s located. The scope of your risk analysis must encompass all ePHI and the potential risks and vulnerabilities that must be accounted for when securing it regardless of the electronic medium on which it’s stored.
Your risk assessment must account for on-premises network storage, cloud storage, and all endpoints. You must also document your organization’s data collection processes.
The challenge of locating and collecting ePHI becomes much simpler with the proper scanning tools. For example, a cybersecurity and compliance expert, such as RSI Security, can scan your IT environment for personally identifiable information (PII) and other sensitive data, such as credit card primary account numbers (PAN).
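As an added example (not RSI Security's tooling and not part of the HHS guidance), the following script shows the kind of discovery check step 1 relies on: it scans text for two identifier types mentioned above, U.S. Social Security numbers and payment card PANs, validates candidate PANs with the Luhn checksum, and reports only masked values so the scan report does not itself become a new store of ePHI. The regular expressions, the sample input and the file name are constructed for illustration.

```python
"""Minimal sensitive-data discovery scan (added example, not RSI Security's
or HHS's code). Finds SSN-shaped values and Luhn-valid card numbers in text
and reports masked values only."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Assumed patterns: SSN with dashes, rejecting invalid area/group/serial
# values; PAN as 13-19 digits with optional single spaces or dashes.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


@dataclass(frozen=True)
class Finding:
    source: str   # file or record the value was found in
    line: int     # 1-based line number within that source
    kind: str     # "SSN" or "PAN"
    masked: str   # value with all but the last four digits replaced


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; filters out random digit runs that merely look like PANs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str, keep: int = 4) -> str:
    """Keep only the trailing digits so the report is safe to circulate."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - keep) + digits[-keep:]


def scan_text(source: str, text: str) -> list[Finding]:
    """Scan one text blob line by line and return masked findings."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in SSN_RE.finditer(line):
            findings.append(Finding(source, lineno, "SSN", mask(m.group())))
        for m in PAN_RE.finditer(line):
            digits = re.sub(r"\D", "", m.group())
            if 13 <= len(digits) <= 19 and luhn_valid(digits):
                findings.append(Finding(source, lineno, "PAN", mask(digits)))
    return findings


# Constructed sample content; the card number is the well-known Luhn-valid
# test value and the order number is a 13-digit run that fails Luhn.
SAMPLE_TEXT = """patient_id=MRN-0001 ssn=123-45-6789
card on file: 4111 1111 1111 1111
note: order number 1234567890123 is not a card
"""

if __name__ == "__main__":
    for f in scan_text("sample.txt", SAMPLE_TEXT):
        print(f"{f.source}:{f.line} {f.kind} {f.masked}")
```

In a real inventory the same `scan_text` would be applied to each file share, database export or mailbox extract in scope, and the `source` field is what ties a finding back to the storage location that step 1 asks you to document.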
Defining ePHI—What Data Must be Protected?
The HHS states that “all ePHI created, received, maintained, or transmitted is subject to the Security Rule.” Essentially, healthcare entities must protect all individuals’ health data regardless of where it originated, where it’s stored, or how it’s used.
How Does the Security Rule Define Risk?
The Security Rule adopts the definition and assessment of risk from the National Institute of Standards and Technology’s (NIST) Special Publication 800-30.
NIST SP 800-30 defines risk as the combination of factors that contribute to the likelihood a given vulnerability is exercised (i.e., accidentally triggered or intentionally exploited) and the resulting impact.
Risk arises from:
- Unauthorized disclosure, modification, or deletion of data (whether intentional or accidental)
- Errors and omissions
- Any IT service disruptions caused by natural or man-made incidents
- Failure to exercise due diligence and appropriate considerations
2. Identify and Document all Potential Threats and Vulnerabilities
The Security Rule specifies that healthcare entities must safeguard ePHI against “reasonably anticipated threats.” Therefore, the second step of your risk analysis requires identifying all threats and vulnerabilities that may result in inappropriate access to or disclosure of ePHI—including those that may be unique to your organization’s IT environment.
3. Assess Your Current Security Measures
The third step to conducting a healthcare security risk analysis is identifying and assessing your organization’s current security measures that safeguard ePHI. You must document all administrative, physical, and technical security measures protecting ePHI’s confidentiality, integrity, and availability.
4. Determine the Likelihood and Potential Impact of Threats
According to HHS’ guidance, determining your organization’s “reasonably anticipated threats” relies on a documented understanding of those most likely to occur and most damaging. Your organization may employ qualitative or quantitative measurements or a collection of both.
5. Assign Risk Levels and Finalize Documentation
Your analysis efforts conducted prior to this step will be used to assign risk levels to the identified combinations of threats and vulnerabilities. The more likely a given threat is to occur, and the more vulnerable your organization is to it, the higher the resulting risk level.
The output of your healthcare risk analysis includes the assigned levels and comprehensive documentation of ePHI, potential threats and vulnerabilities, and existing security measures. While the Security Rule requires your organization to document all efforts and assessment steps, it doesn’t require a specific format.
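Steps 4 and 5 above leave the scoring method to the organization. As an added example (not HHS's method and not RSI Security's tooling), the script below keeps a small risk register in which each entry pairs a threat with the vulnerability it could exercise and the safeguard assessed in step 3, scores it qualitatively as likelihood times impact on 1-5 scales, optionally adds a quantitative expected annual loss, and emits the sorted register as documentation. The 1-5 scales, the Low/Medium/High thresholds and the sample entries are assumptions constructed for illustration.

```python
"""Risk register scorer for steps 4 and 5 (added example; the Security Rule
prescribes no scale, so the ordinal scales and band thresholds below are
assumptions chosen for illustration)."""
from dataclasses import dataclass, asdict
from typing import Optional
import json


@dataclass
class RiskEntry:
    asset: str              # where the ePHI lives (step 1 inventory)
    threat: str             # step 2
    vulnerability: str      # step 2
    existing_controls: str  # step 3
    likelihood: int         # 1 (rare) .. 5 (almost certain), step 4
    impact: int             # 1 (negligible) .. 5 (severe), step 4
    annual_frequency: Optional[float] = None  # optional quantitative inputs
    loss_per_event: Optional[float] = None


def risk_score(entry: RiskEntry) -> int:
    """Qualitative score: likelihood x impact, both validated to the 1-5 scale."""
    if not (1 <= entry.likelihood <= 5 and 1 <= entry.impact <= 5):
        raise ValueError("likelihood and impact must be on the 1-5 scale")
    return entry.likelihood * entry.impact


def risk_level(score: int) -> str:
    """Map a 1-25 score to a band (assumed thresholds)."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def expected_annual_loss(entry: RiskEntry) -> Optional[float]:
    """Quantitative view when loss data exists: events per year x loss per event."""
    if entry.annual_frequency is None or entry.loss_per_event is None:
        return None
    return entry.annual_frequency * entry.loss_per_event


def build_register(entries: list) -> list:
    """Score every entry and return rows sorted highest risk first."""
    rows = []
    for e in entries:
        score = risk_score(e)
        row = asdict(e)
        row.update(score=score, level=risk_level(score),
                   expected_annual_loss=expected_annual_loss(e))
        rows.append(row)
    rows.sort(key=lambda r: (-r["score"], r["asset"]))
    return rows


def register_as_json(entries: list) -> str:
    """Documentation output; the Rule requires records but no particular format."""
    return json.dumps(build_register(entries), indent=2)


# Constructed sample entries (hypothetical assets, values and controls).
SAMPLE_ENTRIES = [
    RiskEntry("EHR database server", "Ransomware", "Unpatched operating system",
              "Quarterly patching; offline backups", 4, 5, 0.2, 500_000.0),
    RiskEntry("Clinician laptops", "Device loss or theft", "Disk encryption not enforced",
              "MDM enrollment", 3, 4, 2.0, 25_000.0),
    RiskEntry("Cloud backup bucket", "Public exposure", "Misconfigured access policy",
              "Annual policy review", 2, 5),
    RiskEntry("Visitor Wi-Fi", "Eavesdropping", "Shared network segment",
              "Guest VLAN isolation", 2, 2),
]

if __name__ == "__main__":
    print(register_as_json(SAMPLE_ENTRIES))
```

Sorting by score puts the combinations that most need corrective action at the top of the documentation, and keeping both the qualitative band and the expected annual loss in each row matches the guidance that either kind of measurement, or both, may be used.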
6. Periodically Conduct a New Risk Analysis
The Security Rule’s risk analysis requirement isn’t a “one-and-done” compliance effort. Instead, your organization must periodically reassess and update its risk profile to account for security changes over time.
Again, the Security Rule doesn’t specify reassessment frequency. However, larger healthcare entities should conduct new risk analyses at shorter intervals due to their ePHI quantities and increased security complexities and challenges.
One of the best risk analysis practices an organization can adopt is to reassess risk during the planning stages of any wide-reaching technical implementations or operations overhauls. This allows organizations to identify and preemptively account for risk rather than rushing through corrective measures after the fact.
Rethink and Simplify Your Healthcare Risk Analysis
Choosing the right cybersecurity and compliance partner will help simplify your healthcare risk analysis efforts. For over a decade, RSI Security has provided entities with consultative expertise spanning both fields.
RSI Security not only advises partners on risk analysis strategy in healthcare but offers scanning and testing services—such as penetration testing and patch management—to identify and mitigate vulnerabilities.
Contact RSI Security today to find out how easy your next risk analysis can be.