164.308(a)(1)(ii)(A) Standard: Security management process – Risk Analysis
(ii) Implementation specifications:
(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
Tell Me More:
Risk Analysis is a Required implementation specification and a foundational step for a solid information security program. This means that covered entities will have to implement a formalized approach on how risks are identified, classified, mitigated, and monitored. Interaction and communication between compliance and IT departments as well as experienced project managers should facilitate the implementation of an overall risk management approach that begins with Risk Analysis. HHS/OCR has issued "Guidance on Risk Analysis Requirements under the HIPAA Security Rule".
Best Practices include:
- Usage of qualitative and quantitative risk assessment methodologies as appropriate
- Consideration of access control requirements, separation of duties, need-to-know, and least privilege when conducting risk analyses
- Including relevant inputs (e.g., incident trends, review findings, evaluation results) and outputs (e.g., training and contingency planning modifications, other security control updates) in the risk analysis and management process
A complete set of HIPAA Security Policies and Procedures may be purchased here.
- NIST SP 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems
- NIST SP 800-30 Risk Management Guide for Information Technology Systems
- NIST SP 800-53, Revision 3 Recommended Security Controls for Federal Information Systems and Organizations
- NIST SP 800-12 chapter 5 An Introduction to Computer Security: The NIST Handbook
- HIPAA Security Risk Analysis Background and Requirements – A White Paper for Healthcare Professionals