
The Security Risk Assessment

From HIPAA Safe Issue 14

The HIPAA Security Rule requirement to “…conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability…” of ePHI leaves many organizations, and the consulting companies that serve them, wrestling with how to produce a reasonable and appropriate risk analysis from such brief guidance. But a risk assessment doesn’t have to be intimidating or result in an unrealistic workload.

Start your risk assessment with the methodology recognized by the federal government: NIST Special Publication 800-30, Guide for Conducting Risk Assessments, or, for smaller organizations, NIST Interagency Report 7621, Small Business Information Security: The Fundamentals. Then write a procedure that defines your process, your risk model (what counts as a threat, a vulnerability, a likelihood and an impact) and how risk will be measured.

Following the NIST material, the assessment should:

  • define a scope that names the people, places, systems and processes covered

  • inventory every repository of ePHI

  • identify the threats and vulnerabilities that apply to each repository

  • assess the security controls already in place

  • determine the likelihood of a threat event occurring

  • determine the impact if it does occur, and

  • combine likelihood and impact to calculate the risk.

Threat events that create risk include theft, unauthorized disclosure, fraud, and many other events that threaten ePHI security. Each risk must then be rated, either quantitatively (e.g. on a point scale) or qualitatively (e.g. high, medium, low), so that risks can be compared and prioritized.
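The steps above (scope, ePHI inventory, threats and vulnerabilities, existing controls, likelihood, impact, risk) come together in a risk register. The following is an added example written for this article, not code from HIPAA Safe or from NIST: it scores a small, constructed register on 1..5 likelihood and impact scales, credits existing controls by lowering likelihood, maps the resulting product onto the high/medium/low bands the article mentions, and sorts by residual risk so the output is a remediation priority list. The scales, the control-credit model and the band thresholds are assumptions chosen for illustration; NIST SP 800-30 describes its own tables and you should substitute the scales your written procedure defines.

```python
"""Minimal HIPAA-style risk register: scope -> threats -> controls -> likelihood/impact -> risk."""
from dataclasses import dataclass

# Ordinal scales used here (an assumption for this example; use the scales your
# documented risk model defines). Both run from 1 (very low) to 5 (very high).
LIKELIHOOD = {"very_low": 1, "low": 2, "moderate": 3, "high": 4, "very_high": 5}
IMPACT = {"very_low": 1, "low": 2, "moderate": 3, "high": 4, "very_high": 5}


@dataclass
class Risk:
    repository: str          # where the ePHI lives (must be inside the defined scope)
    threat_event: str        # e.g. theft, unauthorized disclosure, fraud
    vulnerability: str       # the weakness the threat event would exploit
    likelihood: str          # key into LIKELIHOOD, judged before existing controls
    impact: str              # key into IMPACT, on confidentiality/integrity/availability
    control_reduction: int = 0  # likelihood levels that existing controls remove (assumption)

    def inherent_score(self) -> int:
        """Likelihood x impact with no credit for controls."""
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual_likelihood(self) -> int:
        """Controls lower likelihood, but never below the bottom of the scale."""
        return max(1, LIKELIHOOD[self.likelihood] - self.control_reduction)

    def residual_score(self) -> int:
        """Likelihood x impact after crediting the controls already in place."""
        return self.residual_likelihood() * IMPACT[self.impact]


def risk_level(score: int) -> str:
    """Map a 1..25 product onto high/medium/low bands (thresholds are an assumption)."""
    if score >= 15:
        return "high"
    if score >= 6:
        return "medium"
    return "low"


def build_register(risks):
    """Score every entry and return rows ordered highest residual risk first."""
    rows = []
    for r in risks:
        rows.append({
            "repository": r.repository,
            "threat_event": r.threat_event,
            "vulnerability": r.vulnerability,
            "inherent": r.inherent_score(),
            "residual": r.residual_score(),
            "level": risk_level(r.residual_score()),
        })
    # Highest residual risk first: this ordering is the remediation priority list.
    rows.sort(key=lambda row: row["residual"], reverse=True)
    return rows


# Constructed sample entries for illustration only; not from any real assessment.
SAMPLE_RISKS = [
    Risk("clinic laptops", "theft", "unencrypted local disk",
         "high", "high", control_reduction=0),
    Risk("patient portal DB", "unauthorized disclosure", "shared admin account",
         "moderate", "very_high", control_reduction=1),
    Risk("billing file share", "fraud", "no periodic access review",
         "low", "moderate", control_reduction=1),
    Risk("backup tapes", "loss of availability", "single offsite copy",
         "low", "high", control_reduction=0),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_RISKS):
        print(f"{row['level']:6} residual={row['residual']:2} inherent={row['inherent']:2} "
              f"{row['repository']}: {row['threat_event']} via {row['vulnerability']}")
```

Keeping both the inherent and the residual score in the register is deliberate: the inherent column documents why a control matters, and the residual column is what an auditor will compare against your risk-acceptance threshold. Whatever scale you adopt, record it in the written procedure so two assessors rate the same threat the same way.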

There are many more details involved in conducting a proper HIPAA-based security risk assessment and in managing the assessment lifecycle (the analysis must be reviewed and updated as systems, threats and the organization change). Luckily, there are many quality companies providing guidance for those covered entities (CEs) or business associates (BAs) that prefer to conduct their own assessment.
