HIPAA Security Risk Analysis Tips – How to Conduct a BONA FIDE Risk Analysis

Chapter 3 of the relatively new National Institute of Standards and Technology (NIST) Special Publication (SP) 800-30 describes the process of assessing information security risk. Read on to learn what a real risk analysis comprises. Here’s today’s big tip: complete a bona fide HIPAA Security Risk Analysis, and follow the guidance.


There’s a fair amount of confusion about what constitutes a legitimate risk analysis and, sadly, there are a number of charlatans in the marketplace declaring certain things to be risk analyses when they are not. The NIST Risk Analysis process is illustrated in the accompanying figure.

A bona fide HHS/OCR Risk Analysis is NOT:

  • A network vulnerability scan
  • A penetration test
  • A social engineering test
  • A configuration audit
  • A network diagram review
  • A questionnaire
  • An information system activity review

Although all of the items above have a place and use in managing information security, they do not, alone, constitute a legitimate risk analysis. Sadly, some organizations have been led to believe otherwise and have completed their initial Meaningful Use attestations based on “bad advice”.

The HHS/OCR “Guidance on Risk Analysis Requirements under the HIPAA Security Rule” relies on the NIST security framework and specifically on NIST SP 800-30 Revision 1, Guide for Conducting Risk Assessments (DRAFT). According to both documents,

“A Risk Analysis is the process of identifying, prioritizing, and estimating risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, other organizations, …, resulting from the operation of an information system. Part of risk management, it incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place.”
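To make the definition above concrete, here is a small added example (not from the NIST publication, HHS/OCR guidance, or Clearwater) of what “identifying, prioritizing, and estimating risks” while “considering mitigations provided by security controls” looks like as a working risk register. The qualitative five-level scale follows SP 800-30 Rev 1; the likelihood-by-impact matrix, the way controls reduce likelihood, and every asset, threat, vulnerability and control listed are constructed assumptions for illustration. It also shows why a bare scan finding (a vulnerability with no threat, likelihood or impact attached) is not yet a risk analysis entry.

```python
"""Constructed example: a minimal NIST SP 800-30-style risk register.

Risk is estimated from the likelihood that a threat exploits a vulnerability
and the impact if it does, after accounting for controls already in place or
planned.  The register is then prioritized so the highest residual risks are
addressed first.  All sample data below is made up for illustration.
"""
from dataclasses import dataclass, field

# Qualitative scale used in SP 800-30 Rev 1, ordered from lowest to highest.
LEVELS = ["Very Low", "Low", "Moderate", "High", "Very High"]

# Likelihood (row) x impact (column) -> risk level.  This matrix is an
# assumption shaped after the appendix tables in SP 800-30 Rev 1, not a copy.
RISK_MATRIX = {
    "Very High": ["Very Low", "Low", "Moderate", "High", "Very High"],
    "High":      ["Very Low", "Low", "Moderate", "High", "Very High"],
    "Moderate":  ["Very Low", "Low", "Moderate", "Moderate", "High"],
    "Low":       ["Very Low", "Low", "Low", "Low", "Moderate"],
    "Very Low":  ["Very Low", "Very Low", "Very Low", "Low", "Low"],
}


@dataclass
class RiskItem:
    asset: str          # information system or ePHI repository
    threat: str         # threat source or event
    vulnerability: str  # weakness the threat could exploit
    likelihood: str     # inherent likelihood, one of LEVELS
    impact: str         # impact to the organization or individuals, one of LEVELS
    # (control name, number of likelihood steps it removes) - an assumed model
    controls: list = field(default_factory=list)


def residual_likelihood(item: RiskItem) -> str:
    """Lower the inherent likelihood by the effect of controls in place or planned."""
    steps = sum(reduction for _, reduction in item.controls)
    return LEVELS[max(0, LEVELS.index(item.likelihood) - steps)]


def risk_level(likelihood: str, impact: str) -> str:
    """Combine a likelihood level and an impact level into a risk level."""
    return RISK_MATRIX[likelihood][LEVELS.index(impact)]


def residual_risk(item: RiskItem) -> str:
    """Risk that remains after the listed controls are taken into account."""
    return risk_level(residual_likelihood(item), item.impact)


def is_risk_analysis_entry(item: RiskItem) -> bool:
    """A scan finding alone is a vulnerability, not a risk: an entry needs an
    asset, a threat, a vulnerability, a likelihood and an impact."""
    return all([item.asset, item.threat, item.vulnerability,
                item.likelihood in LEVELS, item.impact in LEVELS])


def prioritize(register):
    """Order entries by residual risk, then by impact, highest first."""
    return sorted(
        register,
        key=lambda i: (LEVELS.index(residual_risk(i)), LEVELS.index(i.impact)),
        reverse=True,
    )


# Constructed sample register (not from any real assessment).
REGISTER = [
    RiskItem("EHR database server", "Malicious insider", "Excessive DB privileges",
             "Moderate", "Very High", controls=[("Role-based access review", 1)]),
    RiskItem("Clinician laptops", "Lost or stolen device", "ePHI stored unencrypted",
             "High", "High", controls=[("Full-disk encryption", 2)]),
    RiskItem("Billing workstation", "Phishing e-mail", "Users can run unsigned attachments",
             "High", "Moderate", controls=[]),
]

if __name__ == "__main__":
    for item in prioritize(REGISTER):
        print(f"{residual_risk(item):9} {item.asset}: {item.threat} via {item.vulnerability}")
```

Running the block prints the register ordered by residual risk: the EHR database entry stays Moderate despite the access review, the phishing entry is Moderate with no control at all, and the laptop entry drops to Low because full-disk encryption is credited with removing two likelihood steps. The point for an assessor is that the same scan finding can land anywhere on that list depending on the threat, impact and controls recorded against it, which is exactly the context a scan or questionnaire by itself does not capture.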

Bottom line: if you have not embraced, or are not embracing, a robust methodology that follows HHS/OCR and NIST guidance, you may be in big trouble with both OCR (the Security, Privacy and Breach Rule enforcers) AND CMS, which operates the Meaningful Use EHR Incentive Program and will perform audits on attestations.

Get informed about a bona fide risk analysis and do it right!

To learn how to complete your Risk Analysis according to HHS/OCR and underlying NIST guidance, view Clearwater HIPAA Risk Analysis Video Overview.

Wanna be even more hip on HIPAA? Learn more…

The complete HIPAA Privacy, Security and Breach regulations are here.

If you’d like to keep up to date on Risk Analysis or HIPAA-HITECH in general, please also consider (all optional!):
