HIPAA Risk Analysis And Assessment

by Michael Menor, Network Technician
The phrases “risk analysis” and “risk assessment” are becoming incredibly commonplace today. They’re littering the blogosphere, popping up in advertisements by newly-announced, so-called experts and being “webinar-ed” to death.

In reality, most people promoting these phrases don’t know what they’re talking about, and the reason, I’ve come to discover, is that most people don’t understand what risk itself means.

Understand Risk To Conduct Analysis
In today’s increasingly more privacy- and security-minded world, and especially in healthcare, the state of risk management of information is a mess!

This problem comes about for many reasons, including but not limited to the following:

There is little agreement on standard terminology, approach and tools. Key risk-related terms such as assets, threats, vulnerabilities, controls, likelihood and impact are misused and sometimes used interchangeably. This kind of confusion is rare in other professions. All physicists know what velocity, acceleration, mass, energy, etc. mean. All accountants agree on definitions of basic terms such as debits, credits, balance sheets, assets, liabilities, etc.

Many so-called “experts,” some recently-minted and/or self-proclaimed as such, don’t understand basic risk fundamentals.

Most individuals do not understand that you simply can’t observe risk and that risk is a derived value.

You simply cannot begin to conduct a bona fide risk analysis if you don’t understand what risk is and what risk is not.

There is huge inefficiency and ineffectiveness in protecting the privacy and security of Protected Health Information (PHI) and electronic PHI (ePHI).
As of October 24, 2013, the PHI/ePHI of 26.9 million fellow Americans has been disclosed, according to the HHS/OCR “Wall of Shame.” One example is the theft of laptops with unencrypted hard drives from Advocate Medical Group.

Actions To Take
First and foremost, organizations must understand some key, fundamental points about risk before they embark on completing a risk analysis. For example, I present you with five images and ask you to indicate the level of risk (high, medium, low, no risk) you observe in each image.

The images include a bald tire, the same bald tire turned into a tire swing in a backyard, a frayed rope tied to a beam, the tire swing in a tree perched over the edge of a cliff and, finally, a child swinging in the tire swing in a backyard.

What was the greatest amount of risk you observed? I would guess you “saw” high risk in more than one of the images! Some “saw” risk in all the images. Two points follow: 1) you cannot “see” risk; it must be evaluated; and 2) in reality, there is no risk in any of these images.

Here’s what happens over and over again:

People make assumptions and make things up in risk analysis.

People don’t understand this fundamental truth about risk – you can’t have significant risk without the potential for significant loss or harm.

People tend to relate potential vulnerabilities (e.g., frayed rope, bald tire) with risk.

People forget that one must consider likelihood or probabilities of bad things happening and of impact or harm.

The most important actions organizations must take if they don’t understand risk are to “train up” and/or farm out the work to experts.

And they must remember these truths:

Risk can only possibly exist if three conditions are met: an asset like a laptop with ePHI, a threat to that asset (e.g., a thief may steal it) and a vulnerability (e.g., it is not encrypted) that may be exploited by that threat.

For any single asset (e.g., a laptop with PHI), there may be many different threats and many different vulnerabilities; therefore, there may be many risks to be identified, assigned a value and prioritized.

Controls may already have been implemented or may be implemented to mitigate the likelihood of a certain threat exploiting a certain vulnerability. Controls come in several forms, often categorized as administrative, physical or technical.

Risk has an impact or harm component.

When it comes to health information risk, the adverse impact or harm may come about if the confidentiality and/or the integrity and/or the availability of that information is compromised.
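As an added illustration of these truths (this is example code, not part of the original article), a small Python risk register that rates a scenario only when asset, threat and vulnerability are all present, lets administrative, physical or technical controls reduce likelihood or impact, and sorts the results for prioritization. The 1-to-5 scales, the control reductions and the sample entries are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Control:
    name: str
    kind: str                      # "administrative", "physical" or "technical"
    likelihood_reduction: int = 0  # points taken off likelihood (constructed 0..5 scale)
    impact_reduction: int = 0      # points taken off impact (constructed 0..5 scale)

@dataclass
class Scenario:
    asset: str
    threat: "str | None"           # None: no threat identified for this asset
    vulnerability: "str | None"    # None: no weakness a threat could exploit
    likelihood: int                # 1..5 chance the threat exploits the vulnerability
    impact: int                    # 1..5 harm to confidentiality, integrity or availability
    controls: list = field(default_factory=list)

def clamp(v: int) -> int:
    return max(0, min(5, v))

def residual(s: Scenario):
    """Likelihood and impact left after the scenario's controls are applied."""
    lik = clamp(s.likelihood - sum(c.likelihood_reduction for c in s.controls))
    imp = clamp(s.impact - sum(c.impact_reduction for c in s.controls))
    return lik, imp

def risk_score(s: Scenario) -> int:
    # Without all three of asset, threat and vulnerability there is no risk to rate.
    if not (s.asset and s.threat and s.vulnerability):
        return 0
    lik, imp = residual(s)
    return lik * imp

def prioritize(scenarios):
    """Highest residual risk first, which is the order in which to treat them."""
    return sorted(scenarios, key=risk_score, reverse=True)

# Constructed sample register built around the article's stolen-laptop example.
ENCRYPTION = Control("full-disk encryption", "technical", impact_reduction=4)
CABLE_LOCK = Control("cable lock at the workstation", "physical", likelihood_reduction=1)
LAPTOP_BARE = Scenario("laptop with ePHI", "theft", "unencrypted disk", 4, 5)
LAPTOP_CONTROLLED = Scenario("laptop with ePHI", "theft", "unencrypted disk", 4, 5,
                             controls=[ENCRYPTION, CABLE_LOCK])
TIRE_SWING = Scenario("tire swing in a backyard", None, "frayed rope", 3, 1)

if __name__ == "__main__":
    for s in prioritize([LAPTOP_BARE, LAPTOP_CONTROLLED, TIRE_SWING]):
        print(f"{risk_score(s):>2}  {s.asset}: {s.threat} via {s.vulnerability}, "
              f"controls={[c.name for c in s.controls]}")
```

The frayed-rope entry scores zero because no threat is recorded for it, matching the article's point that a vulnerability alone is not a risk.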
