Security Management Process: Risk Analysis-What to Do and How to Do It

Security Management Process is the first administrative standard of the Security Rule, and Risk Analysis is its implementation specification.  Each covered entity is required to conduct a risk analysis or assessment to determine vulnerabilities and threats, and to identify and put in place risk mitigation measures for safeguarding electronic protected health information.  Electronic protected health information is the content of the HIPAA Administrative Simplification Standard Transactions and of the clinically-based electronic health record systems whose adoption is expected to grow.

What to do:  Conduct an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

How to do it:  The risk analysis is the foundation of the Security Rule.  The required risk analysis provides the covered entity with the opportunity to formally identify and document its security policies and procedures, evaluate their effectiveness, and mitigate known vulnerability and threat risks.  The covered entity must update the risk analysis as appropriate for its circumstances, and retain documentation in written or electronic form for at least six years, in accordance with HIPAA Administrative Simplification documentation requirements.

Remember, under the HIPAA Administrative Simplification Security Rule, risks pertain to electronic protected health information received, sent, or held (“at rest”) by the covered entity. The HIPAA Privacy Rule pertains to safeguarding not only electronic protected health information, but also to protected health information in oral or written form.

The risk analysis provides the covered entity with the basis to develop security policies and procedures.  Periodic review of the risk analysis enables the covered entity to measure their effectiveness and to update those policies and procedures as necessary to mitigate newly discovered risks.

Reasonableness and scalability are key factors when the covered entity determines which security methods and measures are appropriate to implement.

The risk analysis must focus on risks and vulnerabilities as they relate to “confidentiality, integrity, and availability of electronic protected health information” received, sent, or held by the covered entity.  These terms are the core properties of the Security Rule:

» Confidentiality—Electronic protected health information is “not made available or disclosed to unauthorized persons or processes.”

» Integrity—Electronic protected health information has “not been altered or destroyed in an unauthorized manner.”

» Availability—Electronic protected health information is “accessible and usable upon demand by an authorized person.”

The National Institute of Standards and Technology (NIST), an organization within the U.S. Department of Commerce, has established useful guidelines for conducting a Security Rule risk analysis.  NIST’s October 2008 publication, An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule (NIST Special Publication 800-66 Revision 1), is available for download from NIST.  Of particular interest is Appendix E (pp. E-1 to E-7), which discusses “How to Conduct the Risk Assessment” in nine steps.  These steps are:

1. Scope the Assessment
2. Gather Information
3. Identify Realistic Threats
4. Identify Potential Vulnerabilities
5. Assess Current Security Controls
6. Determine the Likelihood and the Impact of a Threat Exercising a Vulnerability
7. Determine the Level of Risk
8. Recommend Security Controls
9. Document the Risk Assessment Results
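As an added, illustrative example (not from the original post or from NIST SP 800-66), the following Python sketches how steps 5 through 9 of the assessment can be recorded in a small risk register for electronic protected health information.  The Low/Medium/High scales, the 3x3 rating matrix and the sample entries are assumptions made for the illustration.

```python
from dataclasses import dataclass, field
# Assumed three-point scales (Low/Medium/High) for likelihood and impact.
LEVELS = {"Low": 1, "Medium": 2, "High": 3}

def risk_level(likelihood: str, impact: str) -> str:
    """Step 7: rate risk from likelihood x impact (assumed 3x3 matrix)."""
    score = LEVELS[likelihood] * LEVELS[impact]
    if score >= 6:
        return "High"
    return "Medium" if score >= 3 else "Low"

@dataclass
class RiskEntry:
    asset: str                 # ePHI system in scope (step 1)
    threat_source: str         # natural, human or environmental (step 3)
    threat: str
    vulnerability: str         # flaw a threat could exercise (step 4)
    properties: tuple          # which of C, I, A the risk affects
    current_controls: str      # step 5
    likelihood: str            # step 6
    impact: str                # step 6
    recommended_control: str   # step 8
    level: str = field(init=False)

    def __post_init__(self):
        self.level = risk_level(self.likelihood, self.impact)

def prioritized(register):
    """Rank entries High -> Low, then by likelihood, to sequence the controls."""
    return sorted(register, key=lambda e: (-LEVELS[e.level], -LEVELS[e.likelihood]))

def document_results(register):
    """Step 9: the written record the covered entity must retain (six years)."""
    return [{"asset": e.asset, "threat": e.threat, "vulnerability": e.vulnerability,
             "affects": "/".join(e.properties), "controls_in_place": e.current_controls,
             "likelihood": e.likelihood, "impact": e.impact, "risk": e.level,
             "recommended": e.recommended_control} for e in prioritized(register)]

# Constructed sample entries (illustrative only, not from any real entity).
SAMPLE = [
    RiskEntry("EHR database server", "human (intentional)", "credential theft",
              "shared admin password, no MFA", ("C", "I"), "password policy only",
              "High", "High", "unique accounts plus MFA for admin access"),
    RiskEntry("Backup tapes", "environmental", "flood in storage room",
              "tapes stored on the floor", ("A",), "none", "Low", "High",
              "off-site, elevated, encrypted backup storage"),
    RiskEntry("Billing workstation", "human (unintentional)", "data entry error",
              "no field validation in claims form", ("I",), "quarterly audit",
              "Medium", "Low", "input validation for key claim fields"),
]
```

Calling `document_results(SAMPLE)` yields the ranked record that step 9 asks the covered entity to keep and revisit at each periodic review.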

Here are the relevant key terms as defined by NIST:

» Risk—Potential impact that a threat can have on the confidentiality, integrity, and availability of electronic protected health information by exploiting a vulnerability.

» Threats—Anything that can have a negative impact on electronic protected health information.  Examples include malicious intent, or unintentional events such as a misconfigured server or data entry error.

» Threat sources—Natural (e.g., floods, earthquakes, or storms); human (e.g., intentional, such as identity thieves or hackers; unintentional, such as data entry error or accidental deletion); or environmental (e.g., power surge or spike, hazmat contamination, pollution).

» Vulnerabilities—Flaw or weakness in a system security procedure, design, implementation, or control that could be intentionally or unintentionally exercised by a threat.

» Impact—Negative quantitative or qualitative assessment, or both, of a vulnerability being exercised on the confidentiality, integrity, and availability of electronic protected health information.

The more time and attention you give to the risk analysis, the more the covered entity will benefit in two respects:  (1) minimizing potential business disruptions resulting from a security incident or privacy breach concerning electronic protected health information, and (2) minimizing potential liabilities associated with such occurrences.
