Healthcare organizations need to conduct a comprehensive risk analysis as part of an effective security program. But many fall short, conducting only a HIPAA compliance assessment instead. They don't understand that HIPAA compliance assessments are an important thing to do, but they aren't the same thing as a risk analysis.
Another common mistake is that organizations initiate a risk analysis without a good understanding of the security controls they already have in place. Often they do not really know what they are doing in security, or they have not documented it well.
To determine what constitutes an acceptable level of risk, such as when allocating money from a tight budget for mitigation efforts, organizations must bring management, the people in the field, and IT together to set priorities.
A big mistake that healthcare providers make is that they confuse a risk analysis with a HIPAA compliance assessment or a controls assessment. They set out to do a risk analysis and end up treating it as an evaluation of HIPAA compliance, rather than as the risk analysis that the HIPAA Security Rule specifically requires. HIPAA compliance assessments are an important thing to do, but they are not the same thing as a risk analysis.
We definitely recommend that a practice conduct a risk analysis every year; what we are really looking for providers to do is a full enterprise risk analysis every year. They should also do a risk analysis any time there is a change to the organization, such as an acquisition or the introduction of different technologies. The official guidance from HHS is really marginally based on the risk analysis guidance that comes from NIST.
Here are some simple steps to remember when conducting your risk analysis:
- Scoping activity: the idea there is to gain an understanding of your environment, to document the people, places, and technologies that are involved.
- Map out ePHI and PHI: where the data is that you're trying to protect.
- Identify vulnerabilities: you need to go in and identify vulnerabilities and threats.
- Document: you need to document your control inventory. You really do need that controls assessment when you go to do a risk analysis, because you need to understand the state of your controls.
- Complete risk analysis: conduct the risk analysis to figure out likelihood and impact.
- Develop a remediation plan: you need to develop a remediation plan where needed.
- Repeat: the last point is you need to do a risk analysis again in the future.
Risk analysis can be tough for providers because of what tends to happen next: they complete the risk analysis activity and identify a long list of vulnerabilities, but without any way to prioritize them they end up thinking they have to fix everything that could possibly appear on the list.
Another thing a practice may do is go into a risk analysis without a good understanding of its controls. They do not really know what they are doing in security, or they have not documented it well. They then end up with a risk analysis that can over-communicate the risk, simply because they do not know what they are already doing to prevent it.
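The "likelihood and impact" step above, together with the two problems just described (a vulnerability list with no prioritization, and risk that is overstated because existing controls were never inventoried), can be made concrete with a small risk-register scorer. The code below is an added example, not something from the original article or from its authors; the 1-5 scales, the score bands, the control-effectiveness factor and the sample findings are all constructed assumptions chosen to illustrate the method, not values the article gives.

```python
"""Rank risk-analysis findings by residual risk (likelihood x impact,
reduced only by controls that are actually documented in the inventory).
All scales, bands and sample data below are constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class Finding:
    asset: str                    # system or location that holds ePHI
    threat: str                   # threat / vulnerability pair found in the analysis
    likelihood: int               # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int                   # assumed scale: 1 (negligible) .. 5 (severe)
    controls: list = field(default_factory=list)   # controls documented in the inventory
    control_effectiveness: float = 0.0             # assumed 0.0 (none) .. 0.9 (strong)

    def __post_init__(self):
        # Reject scores outside the scale so a typo cannot silently skew the ranking
        for name in ("likelihood", "impact"):
            value = getattr(self, name)
            if not 1 <= value <= 5:
                raise ValueError(f"{name} must be between 1 and 5, got {value}")
        if not 0.0 <= self.control_effectiveness <= 0.9:
            raise ValueError("control_effectiveness must be between 0.0 and 0.9")


def inherent_score(f: Finding) -> int:
    """Risk before any controls are considered."""
    return f.likelihood * f.impact


def residual_score(f: Finding) -> float:
    """Risk after documented controls. A control that is claimed but absent from
    the inventory earns no credit, which mirrors the point that you cannot
    reduce reported risk for something you cannot show you are doing."""
    effectiveness = f.control_effectiveness if f.controls else 0.0
    return round(inherent_score(f) * (1.0 - effectiveness), 2)


def risk_band(score: float) -> str:
    """Assumed bands on the 1..25 product scale."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


def prioritize(findings: list) -> list:
    """Return findings ordered for the remediation plan: highest residual risk first,
    ties broken by inherent risk, then by asset name for a stable order."""
    ranked = sorted(
        findings,
        key=lambda f: (-residual_score(f), -inherent_score(f), f.asset),
    )
    return [
        {
            "asset": f.asset,
            "threat": f.threat,
            "inherent": inherent_score(f),
            "residual": residual_score(f),
            "band": risk_band(residual_score(f)),
            "needs_remediation": risk_band(residual_score(f)) != "low",
            # Flags findings whose risk may be overstated only because nobody
            # wrote down the controls that already exist
            "undocumented_controls": not f.controls,
        }
        for f in ranked
    ]


def band_counts(findings: list) -> dict:
    """How many findings land in each band; a quick summary for management."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for f in findings:
        counts[risk_band(residual_score(f))] += 1
    return counts


# Constructed sample findings (hypothetical assets and values, not real data)
SAMPLE_FINDINGS = [
    Finding("ehr-server", "ransomware delivered by phishing", 4, 5,
            ["endpoint protection", "offline backups"], 0.5),
    Finding("clinic-laptop", "loss of unencrypted laptop", 3, 4),
    # Effectiveness claimed, but no control is in the inventory, so it gets no credit
    Finding("billing-workstation", "unpatched operating system", 4, 4, [], 0.7),
    Finding("records-room", "unauthorized physical access to paper PHI", 2, 3,
            ["badge-controlled door"], 0.5),
]

if __name__ == "__main__":
    for row in prioritize(SAMPLE_FINDINGS):
        print(f'{row["band"]:6} residual={row["residual"]:5} '
              f'{row["asset"]}: {row["threat"]}'
              + ("  [controls not documented]" if row["undocumented_controls"] else ""))
    print(band_counts(SAMPLE_FINDINGS))
```

Running the block ranks the billing workstation first even though the EHR server has the higher inherent score, because the server's backups and endpoint protection are documented and the workstation's claimed patching is not. That is the practical effect of doing the control inventory before scoring: documented controls lower the reported risk, undocumented ones leave it at its inherent level and get flagged for follow-up.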
Risk analysis can be a confusing issue. Let us help you. We have the tools that make the process a lot easier for your practice.