A Look at Risk Analysis—9 Steps for Getting it Right

Understanding the Drivers for a HIPAA-Compliant Risk Analysis

A lot of healthcare organizations today struggle with effectively meeting HIPAA Security Rule requirements because they don’t understand which assessments they need to do or how to conduct them.

In general, there are three types of required assessments based on the HIPAA Security Rule:

• Technical evaluation (testing and audit)
• Non-technical (compliance assessment)
• Risk analysis (security)

While some organizations feel like they’ve got a handle on technical and non-technical evaluations, we’ve seen from Office for Civil Rights (OCR) audits that quite a few healthcare organizations and their business associates struggle with HIPAA-compliant risk analysis.

Based on 45 C.F.R. §164.308(a)(1)(i) Standard: Security Management Process, these risk analyses should assess “the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by the covered entity.”

Still many organizations struggle with this HIPAA component because the requirements are ambiguous and not prescriptive enough. While this may be true, it’s important to note the value of having some of that leeway because organizations vary in complexity, objectives, size, scope, and the types and ways they handle data.

Risk Analysis Matters Far Beyond OCR Enforcement

It’s easy to focus on the penalties of inadequate risk analysis as regulatory requirements often serve as the catalyst for many cybersecurity and HIPAA compliance initiatives, but as Lisa Pino, Director of OCR wrote about recently, risk analysis is a key component of good cyber hygiene. While regulatory requirements provide a level of motivation and accountability, protecting ePHI is about protecting patients, care delivery, and the organization. And as Pino reminds us, risk analysis that’s limited to the EHR isn’t enough. As outlined below, true risk analysis does the most good when it identifies assets and risks across the enterprise.

Risk Analysis Audits

Should you find your organization in a OCR audit related to risk analysis, here are some of the things auditors are looking for and their expectations for meeting HIPAA standards.

In general, based on OCR’s 2018 Audit Protocol, auditors want to know if your organization:

• Has policies and procedures to conduct an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of all the ePHI it creates, receives, maintains, or transmits.
• Has conducted an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all the ePHI it creates, receives, maintains, or transmits.
• Included oversight and governance from executive leadership in the risk analysis process

Auditors will also want to review your risk analysis policies and procedures, including the documents detailing your risk analysis, also noting if they’ve been updated or not based on periodic reviews. That documentation should demonstrate that your risk analysis has:

• A defined scope that identifies all of its systems that create, transmit, maintain, or transmit ePHI
• Details of identified threats and vulnerabilities
• Assessment of current security measures
• Impact and likelihood analysis
• Risk rating

Conducting a HIPAA-Compliant Risk Analysis

Even with these audit expectations, many organizations struggle to ensure they have a comprehensive scope for their risk analysis-they are unsure how to document information for their asset inventory correctly and they might not conduct periodic reviews and updates.

Many organizations also struggle because there are millions of combinations of issues that can arise and that need attention. For example:

• What are the assets and media?
• What are the threat agent types?
• What are the potential threat actions?
• What are the vulnerabilities?
• Which controls should be implemented?

An effective risk analysis helps you answer the above questions, and many more, based on your organization’s unique environment and needs.

While each organization may choose its own risk analysis methodology, here are nine recommendations to ensure you’re conducting a HIPAA-compliant risk analysis:

1. Ensure Comprehensive Scope of the Analysis

First, before your risk analysis gets underway, it’s important to understand the scope and intent of the analysis. You’ll want to ensure you’re taking into consideration your most critical assets, processes, and services. You’ll want to know where your greatest risks are for each so you can make plans to mitigate and remediate those issues before a real-world incident takes place. It might be helpful to review your data recovery policies, as these usually outline what some of those most mission critical components may be. Your goal here is to gain an understanding of what’s happening across your enterprise.

How do you know if your scope is sufficient? Based on HIPAA guidelines, you want to ensure you’re taking a look at all of your systems that create, manage, store, or transmit ePHI.

From there, you’ll want to establish reasonable and achievable milestones that will measure your progress and performance for the analysis. Think of this as your project plan, one that you will use to establish timelines and track your progress.

This is also a great time to involve your key stakeholders and executives. You’ll need their support and feedback along the way, especially when you set your risk threshold and determine who maintains responsibility for decisions when risks exceed your organization’s risk appetite.

2. Document Information Asset Inventory

Next, document all your assets. This is challenging for many organizations as many are unaware of all the assets across the organization, where they’re located, and who uses them for what. However, to be HIPAA compliant, if any of those assets create, manage, store, or transmit ePHI, they need to be a part of that inventory.

You’ll also want to note applications and devices that access your ePHI-you need a clear understanding of where all your ePHI lives.

Once you’ve established your asset inventory, you can use that for your risk registry. Remember, you can’t manage or protect what you don’t know exists within your environment.

3. Identify and Document Potential Threats and Vulnerabilities

After you’ve developed your asset inventory, now is the time to identify and document all of the threats and vulnerabilities that exist for each of those assets. To do this effectively, consider using a risk management solution that will help you track those assets and then do a vulnerability and threat analysis down to a granular detail for each. How do these threats and vulnerabilities align to your organization’s risk threshold? All of this should be documented as part of your risk analysis.

4. Assess Current Security Measures

It’s time to look at your current security profile. Which existing controls do you have in place? Are you following specific frameworks? Where are you in implementing controls for each?

It may be time to toss out spreadsheets if that’s how you’re tracking this important information; instead, keep it maintained within a risk analysis software tool that makes it easy to record and update as needed. Your auditors will want to see this documentation, and you’ll need it should you face an OCR review.

Your current security profile is also a great baseline for evaluating the maturity of your program so you can make plans to mature your security posture over time.

5. Determine the Likelihood of Threat Occurrence

By assessing your current security measures, you’ll be able to make plans to mitigate your threats and reduce risk, while taking into consideration risk likelihood and impact. When addressing likelihood of a threat occurrence, you’re asking, “what’s the chance this threat may actually occur?”

You could use a risk scoring framework here, for example, from NIST SP 800-30, that takes into consideration likelihood within the next 12 months, ranging from “not applicable” and “rare” all the way up to “almost certain.”

This stage may also be a good time to touch base with your governance committee to address questions such as:

• What is our definition of “likelihood”?
• What are examples we might want to use or the percent of likelihood to consider?

If you’re struggling with getting a handle on quantifying likelihood, this might be a good time to consider working with a third-party consultant who specializes in HIPAA Risk Analysis.

6. Determine the Potential Impact of Threat Occurrence

Similar to determining the likelihood of a threat happening, you’ll also want insight into the potential impact on your ePHI should a threat occur. What harm might happen? What’s the worst case scenario? How would it affect the confidentiality, integrity, and availability of your ePHI?

This is a good place to call on NIST SP 800-30 for help with risk impact scoring. NIST 800-30 establishes a six-level scoring system based on “not applicable” going up to the most severe, which could cause a multi-day interruption and/or a major exposure of your ePHI.

Again, consider working with your governance committee at this juncture. They’ll be the ones who determine exactly what a “severe” impact might look like to your organization. You may also benefit from using a risk analysis software solution that can help you by establishing an automated, predicted value for those threat impacts.

7. Determine the Level of Risk

Now that you know your assets, their risks, how likely a threat might occur and how it could impact your organization, you’ll need to establish your risk threshold for those risks. This is the actual risk analysis process.

Like the two previous recommended steps, it’s also important to engage with your executives and key stakeholders here. Those responsible for establishing and maintaining governance are responsible for establishing the risk threshold. What is the level of risk your organization will generally accept? What are the risks you should generally avoid, mitigate, or transfer?

Your level of risk is based on your asset/media type, as well as the threat type, how likely that threat might occur, and their impact level. It’s like a simple math equation for the data you’ve already documented in previous steps. Some organizations condense the outcome of this to a three point scale; others use a five point scale. It’s all about what makes most sense for your organization and gives you the best insight so you can prioritize risk mitigation. You’ll need to do this at a granular level for every asset that accesses your ePHI.

8. Finalize Documentation

Once you’ve conducted your risk analysis, it’s time to ensure you’ve appropriately documented all of your findings, from your scope, through your analysis, including your mitigation and remediation plans.

It’s important to note here that you’re not going to be able to mitigate every risk your organization faces. So this is the time to establish and detail which risk types you’ll avoid, mitigate, or transfer and which you’ll generally accept.

9. Periodic Review and Updates to the Risk Analysis

A HIPAA-compliant risk analysis isn’t a one-and-done checklist. To ensure you’re meeting OCR expectations and be prepared should you meet with an auditor, you’ll need to routinely review and make updates to your risk assessment. Consider doing so at least annually, but more frequently as your organization and environment changes.

This step is not only required, it’s important because it will help you understand your ongoing risks, especially when you have changes within your environment. Should you face an audit and your documentation has not been updated, you’ll likely get a ding from the auditor. Even worse, if you have known issues and don’t make plans to remediate them, you could be at risk of being noted as willful neglect of that deficiency, which could result in greater penalties from OCR. Keep track of all your iterations of those updates with a version history. You never know how many years of documentation your auditor may request.

You Don’t Have to Go it Alone

There’s a lot of help available to hospitals, health systems, provider groups and other healthcare organizations looking to get risk analysis right. Finding a partner to help you thoroughly execute the steps outlined above in a by-the-book process means you can rest easy knowing you’re diligently protecting patient data and the ability to deliver care and that you’ll be favorably positioned should you find yourself in an OCR investigation or audit. A great partner also means a better, more efficient risk analysis process and one that can be more easily scaled and sustained over time.

Need help conducting a HIPAA compliant risk analysis or want to know more about how you can mature your risk analysis practices? Check out our on-demand webinar, “Getting Risk Analysis Right: How to Meet HIPAA Security Requirements and Protect Your Organization,” or contact a Clearwater advisor for help.