The Security Risk Assessment
From HIPAA Safe Issue 14
The HIPAA Security program requirement to “…conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity,
and availability…” of ePHI leaves many organizations and other consulting companies wrestling to provide a reasonable and appropriate risk analysis from this descriptive
guidance. But a risk assessment doesn’t have to be intimidating or result in an unrealistic workload.
Start your risk assessment with the methodology recognized by the federal government found in NIST Special Publication 800-30, Guide for Conducting Risk Assessments, or Inter-agency Report 7621, Small Business Information Security. Plan a procedure that defines your process, risk model and risk measurement.
To summarize the NIST material quoted, include:
a scope that defines the people, places, systems and processes
all ePHI repositories
identifying all threats and vulnerabilities
assessing your current security controls
determining the likelihood of an event happening
determining the impact of an event happening, and
use these parameters to calculate risk.
A risk may include theft, unauthorized disclosure, fraud, or a number of other events that threaten ePHI security. Risk needs to be quantified (e.g. on a point system) or differentiated
(e.g. high, medium, low).
There are many more details involved conducting a proper HIPAA based security risk assessment and managing the security risk assessment lifecycle. Luckily, there are many
quality companies providing guidance for those CE or BA that prefer to conduct their
own assessment.
