HIPAA Security Risk Analysis Tips – Risk Analysis Methodology

This entry is part 5 of 39 in the series HIPAA Security Risk Analysis Tips

In July 2010, HHS and OCR issued the final “Guidance on Risk Analysis Requirements under the HIPAA Security Rule”. Security Risk Analysis is not "star wars" technology nor a news flash. There are many ways to go about it. OCR frankly doesn't care what methodology you use as long as your approach incorporates the nine (9) essential elements identified in their guidance. Here's today's big tip: don't re-invent the wheel! Follow OCR Guidance and adopt a proven, highly trusted methodology. Here's how…

Security Risk Analysis Methodology

The principles behind this methodology are sound, incorporate all of the key essential elements indicated in the HHS/OCR final guidance, draw upon the National Institute of Standards and Technology (NIST) Special Publication 800-30, “Risk Management Guide for Information Technology Systems”, and include industry best practices at the core of quantitative risk analysis approaches.

Our practical approach to conducting and documenting a risk analysis for the HIPAA Security Rule involves these four major phases:

1. Inventory Phase

1.1. Inventory information assets, especially those handling ePHI
1.2. Document their present security controls and criticality of the applications and their data

2. Risk Determination Phase

2.1. Identify threats in the environment
2.2. Identify vulnerabilities that threats could exploit
2.3. Describe the risks based on threat/vulnerability pairings
2.4. Identify existing controls
2.5. Determine the likelihood that a threat could exploit a vulnerability
2.6. Analyze the severity of the impact if the threat were to successfully exploit the vulnerability(s)
2.7. Determine and summarize the risk level

3. Risk Remediation Phase

3.1. Recommend risk mitigation strategies for each risk
3.2. Identify and implement applicable controls to mitigate risk
3.3. Determine residual likelihood that a threat could successfully exploit a vulnerability
3.4. Analyze the residual severity of the impact
3.5. Determine and report residual risk (based on residual likelihood and residual impact from steps 3.3 and 3.4 above respectively) to senior management

4. Documentation Phase

4.1. Generate HIPAA Risk Analysis Executive Summary (template provided)
4.2. Monitor changes in the environment, information systems, and security technology
4.3. Update the risk analyses and implement any other controls
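To show how steps 2.5 through 3.5 fit together, here is a small risk-register model added as an illustration; it is not part of the original post or of the author's template. It assumes the three-level likelihood and impact scales from the original (2002) NIST SP 800-30 risk matrix, and the assets, threats and ratings in the sample register are constructed, not taken from any real assessment.

```python
"""Risk register model for the four-phase method above (constructed example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Assumed scales, taken from the original NIST SP 800-30 (2002) risk-level matrix.
LIKELIHOOD = {"Low": 0.1, "Medium": 0.5, "High": 1.0}
IMPACT = {"Low": 10, "Medium": 50, "High": 100}


def risk_level(likelihood: str, impact: str) -> str:
    """Steps 2.7 / 3.5: combine a likelihood and an impact rating into a risk level."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    if score > 50:
        return "High"
    if score > 10:
        return "Medium"
    return "Low"


@dataclass
class RiskItem:
    asset: str                       # 1.1 inventoried asset handling ePHI
    threat: str                      # 2.1 threat in the environment
    vulnerability: str               # 2.2 weakness the threat could exploit
    likelihood: str                  # 2.5 current likelihood rating
    impact: str                      # 2.6 current impact rating
    controls: List[str] = field(default_factory=list)  # 3.2 controls to implement
    residual_likelihood: Optional[str] = None          # 3.3 re-rated after controls
    residual_impact: Optional[str] = None              # 3.4 re-rated after controls

    def current_risk(self) -> str:
        return risk_level(self.likelihood, self.impact)

    def residual_risk(self) -> str:
        # Until a control is implemented and re-rated, residual equals current risk.
        return risk_level(self.residual_likelihood or self.likelihood,
                          self.residual_impact or self.impact)


def summarize(register: List[RiskItem]) -> Dict[str, int]:
    """4.1: count residual risk levels for the executive summary."""
    counts = {"High": 0, "Medium": 0, "Low": 0}
    for item in register:
        counts[item.residual_risk()] += 1
    return counts


# Constructed sample register (hypothetical assets and ratings).
REGISTER = [
    RiskItem("Laptop with ePHI exports", "Theft of device", "Disk not encrypted",
             "High", "High", ["Full-disk encryption"], "High", "Low"),
    RiskItem("EHR database server", "Disclosure by insider", "Shared admin account",
             "Medium", "High", ["Individual accounts, audit logging"], "Medium", "High"),
    RiskItem("Backup tapes", "Flood in storage room", "Off-site copy missing",
             "Low", "Medium"),
]
```

Each item's threat/vulnerability pairing (step 2.3) drives the current rating, and the residual rating is re-derived only after a control is implemented, so the summary reports what still remains for senior management.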

As required by the HITECH Act, the Office for Civil Rights issued the final “Guidance on Risk Analysis Requirements under the HIPAA Security Rule” in July 2010. We advise all Covered Entities and Business Associates to review the Final Guidance and become familiar with the applicable standards and implementation specifications.

The complete HIPAA Privacy, Security and Breach regulations are here.
