HIPAA states that a covered entity or business associate “must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic protected health information held by the covered entity or business associate.” This risk assessment requirement often becomes a sticky issue for organizations subject to HIPAA, because covered entities and business associates don’t know:
- When a risk assessment must be performed.
- How often it should be conducted.
- What procedures, methodologies and guidelines should be followed.
- What IT systems should be subject to the assessment.
- If their vendors must be evaluated during the assessment.
- What to do with the results.
The answer to all these questions is…it depends. The risk assessment requirements of HIPAA’s Security Rule are flexible, and what one organization does may not be appropriate for another. However, there are overarching objectives that should be met during the risk assessment, regardless of the organization. Per the U.S. Department of Health and Human Services’ guidance, the following are example HIPAA risk assessment steps:
- Identify the scope of the analysis.
- Gather data.
- Identify and document potential threats and vulnerabilities.
- Assess current security measures.
- Determine the likelihood of threat occurrence.
- Determine the potential impact of the threat occurrence.
- Determine the level of risk.
- Identify security measures and finalize documentation.
This eight-step framework can be applied to the vast majority of organizations and tweaked according to the organization’s size, complexity, security maturity, HIPAA maturity and related variables.
Now, let’s discuss each of the steps.
Identify the Scope of the Analysis
What elements will be part of the assessment? The best way to determine the scope is to map the path of ePHI, finding everywhere it’s stored, transmitted, created and/or received. Every device, medium, network or workstation that ePHI touches thus falls within the scope of the assessment. As you can imagine, a risk assessment for an international health insurance company is a much more complex endeavor than one for a single-doctor medical practice.
Gather Data
After determining the scope, specific ePHI data needs to be collected. Doing this will indicate the true amount of data in play and the type of ePHI that is part of the scope: full medical records, partial medical records, inclusion of SSNs, financial information, etc. Essentially, this phase is a focused continuation of scope identification, as it further defines the nature, type, location and use of the data.
Identify and Document Potential Threats and Vulnerabilities
At this point, you’ve created your assessment boundary and analyzed the characteristics of the ePHI that resides in it. You have a pretty good idea of what data is really stored, transmitted or maintained on your network(s). So the next step is to find out how vulnerable that data is to loss or compromise. An organization can accomplish this by identifying the threats to its data, and then identifying the corresponding vulnerabilities that those threats could act upon.
Threats to data manifest themselves in myriad ways and are generally categorized as human risks (user error, lack of training, malicious activity, corporate espionage), natural risks (earthquakes, floods, tornadoes, tsunamis, hurricanes, landslides) and environmental risks (power failures, water leaks, chemical leaks, HVAC outages). Which threats can reasonably affect ePHI given the specifics of your organization? Is your organization located in an earthquake-prone locale? Does your organization handle large amounts of data and therefore make an attractive target for hackers? How robust is your organization’s information security and HIPAA training? These are the types of questions that need to be answered to help you identify vulnerabilities.
Vulnerabilities refer to flaws or weaknesses in an IT system, applicable policies and procedures, IT design, and other areas that can lead to a security breach if manipulated. In other words, a vulnerability is something that may be triggered by a threat and could lead to a loss of ePHI. For example, an organization’s data center may not have backup generators. This is a vulnerability that is triggered if the threat of power failure occurs. Another example is a user sending ePHI in an unencrypted email. This vulnerability can be triggered by the threat of identity thieves looking to intercept sensitive information. Of course, much more complex technical vulnerabilities exist, but these can often be addressed in part by automated vulnerability scanning tools.
Assess Current Security Measures
Armed with ePHI threat and vulnerability knowledge, a prudent HIPAA risk assessor should evaluate the organization’s existing security controls. In an ideal world, the security controls in place will mitigate the risk created by the organization-specific threats and vulnerabilities identified in the previous step. In practice, though, 100% security is unreachable. HIPAA’s security controls include administrative safeguards (policies, procedures, training, accountability, rules of behavior), physical safeguards (surveillance cameras, door locks, biometric access controls, screen protectors) and technical safeguards (encryption, logical access controls, identification, authentication, firewalls, hashing, auditing).
For this step, an organization should take a look at its security posture, determine any gaps, and ensure that controls are properly configured and properly implemented. The more gaps, the more risk.
Determine the Likelihood of Threat Occurrence
The likelihood of threat occurrence refers to the probability that a threat will trigger a vulnerability. This step is concerned with assigning that probability given the results of the organization’s assessment thus far. For example, the likelihood of ePHI compromise is low when gauging the risk to data from an ice storm in San Diego. However, the likelihood would be high if the threat of hackers is apparent in an unencrypted environment. High, medium and low are commonly used as likelihood categories, and they help the organization identify its priority risks.
Determine the Potential Impact of the Threat Occurrence
What will be the result of an exploited vulnerability? If an unencrypted email is intercepted, what will happen to the ePHI? If a flood hits your area and your servers are drowned, how can emergency access to ePHI be obtained? In the context of HIPAA, the results of exploited vulnerabilities usually include compromise of ePHI, loss of ePHI, unauthorized use and disclosure of ePHI, and resultant loss of capital.
As with the previous step, this one helps the organization determine its high-priority risks and understand the consequences of threat occurrences.
Determine the Level of Risk
Determining the level of risk is really the whole purpose of these HIPAA risk assessment steps. Risk is the probability that an existing threat will trigger an existing vulnerability and, as a result, cause damage to the organization. Determining risk necessarily requires integrating the likelihood of threat occurrence (step 5) with the potential impact of the threat (step 6). A high likelihood coupled with a high impact will lead to a high level of risk. Many companies use risk matrices to visually represent risk level and risk assignment.
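The following is an added example, not code from the original article or from HHS, showing how steps 4 through 6 combine into a risk level and a prioritized register. The qualitative matrix, the convention that an effective existing safeguard lowers likelihood by one band, and the sample register entries (built from the article’s own scenarios: the San Diego ice storm, hackers in an unencrypted environment, a data center without backup generators, ePHI sent by unencrypted email) are all assumptions constructed for illustration; the Security Rule prescribes no particular matrix, so an organization must document whichever one it adopts.

```python
from dataclasses import dataclass

# Ordered qualitative bands used for both likelihood and impact.
LEVELS = ["low", "medium", "high"]

# Qualitative risk matrix: (likelihood, impact) -> risk level.
# Assumed for this example; HIPAA does not prescribe a matrix.
RISK_MATRIX = {
    ("low", "low"): "low",       ("low", "medium"): "low",       ("low", "high"): "medium",
    ("medium", "low"): "low",    ("medium", "medium"): "medium", ("medium", "high"): "high",
    ("high", "low"): "medium",   ("high", "medium"): "high",     ("high", "high"): "high",
}


@dataclass
class RiskItem:
    """One row of a risk register (steps 3 through 6 of the assessment)."""
    threat: str                     # step 3: the threat
    vulnerability: str              # step 3: the weakness it could trigger
    likelihood: str                 # step 5: low / medium / high, before controls
    impact: str                     # step 6: low / medium / high
    effective_control: bool = False  # step 4: is an existing safeguard mitigating it?
    notes: str = ""


def lower_band(level: str) -> str:
    """Drop one qualitative band, never below 'low'."""
    return LEVELS[max(LEVELS.index(level) - 1, 0)]


def effective_likelihood(item: RiskItem) -> str:
    # Assumed convention: an effective existing control lowers likelihood one band.
    return lower_band(item.likelihood) if item.effective_control else item.likelihood


def risk_level(likelihood: str, impact: str) -> str:
    """Look up the risk level; reject values outside the documented bands."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"bands must be one of {LEVELS}: got {likelihood!r}, {impact!r}")
    return RISK_MATRIX[(likelihood, impact)]


def assess(item: RiskItem) -> str:
    """Step 7: integrate likelihood (after controls) with impact."""
    return risk_level(effective_likelihood(item), item.impact)


def prioritize(register: list[RiskItem]) -> list[RiskItem]:
    """Highest risk first; ties broken by threat name for a stable report."""
    return sorted(register, key=lambda it: (-LEVELS.index(assess(it)), it.threat))


def summarize(register: list[RiskItem]) -> dict[str, int]:
    """Count register entries per risk level."""
    counts = {level: 0 for level in LEVELS}
    for item in register:
        counts[assess(item)] += 1
    return counts


# Constructed sample register drawn from the article's scenarios.
SAMPLE_REGISTER = [
    RiskItem("Ice storm", "Data center in San Diego has no cold-weather contingency",
             likelihood="low", impact="medium"),
    RiskItem("Hackers", "ePHI stored and transmitted unencrypted",
             likelihood="high", impact="high"),
    RiskItem("Power failure", "Data center has no backup generators",
             likelihood="medium", impact="high",
             effective_control=True, notes="Generators installed and tested quarterly"),
    RiskItem("Identity thieves", "Users send ePHI in unencrypted email",
             likelihood="high", impact="medium"),
]

if __name__ == "__main__":
    for item in prioritize(SAMPLE_REGISTER):
        print(f"{assess(item):6}  {item.threat:16}  {item.vulnerability}")
    print(summarize(SAMPLE_REGISTER))
```

Running the block prints the register from highest to lowest risk; the generator entry lands at medium rather than high only because the step 4 control was judged effective, which is exactly the kind of judgment the risk management plan in step 8 must document.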
Identify Security Measures and Finalize Documentation
With risks documented, an organization can develop strategies to manage and reduce the risk level. From there, it can create and/or execute its risk management plan. The risk management plan formally states what security capabilities will be implemented to lessen risk to acceptable levels. The plan should identify the security measures to be taken, create a timeline for their implementation, provide an explanation for risks left as-is, clearly call out roles and responsibilities, and state when the plan will be reviewed and/or updated.
The HIPAA risk assessment process isn’t unique in its methodology or approach. Many organizations across industry and government use the eight-step approach, which is also outlined in NIST 800-30. What is unique to HIPAA is the types of data you have to identify and track, and the federally mandated security requirements that must be implemented. HIPAA’s Security Rule does not require a specific risk assessment method. The method described here is a tried-and-true guide that should be used as the foundation for your HIPAA risk assessment activities, regardless of the size of your organization.