HIPAA Risk Analysis And Assessment

by Michael Menor, Network Technician
The phrases “risk analysis” and “risk assessment” are becoming incredibly commonplace today. They’re littering the blogosphere, popping up in advertisements by newly-announced, so-called experts and being “webinar-ed” to death.

In reality, most people promoting these phrases don’t know what they’re talking about. They don’t know what they’re talking about, I’ve come to discover, because most people don’t understand what risk itself means.

Understand Risk To Conduct Analysis
In today’s increasingly privacy- and security-minded world, and especially in healthcare, the state of information risk management is a mess!

This problem comes about for many reasons, including but not limited to the following:

There is little agreement on standard terminology, approach and tools. Key risk-related terms such as assets, threats, vulnerabilities, controls, likelihood and impact are misused and sometimes used interchangeably. One does not find this kind of disagreement in many other professions. All physicists know what velocity, acceleration, mass, energy, etc. mean. All accountants agree on definitions of basic terms such as debits, credits, balance sheets, assets, liabilities, etc.

Many so-called “experts,” some recently-minted and/or self-proclaimed as such, don’t understand basic risk fundamentals.

Most individuals do not understand that you simply can’t observe risk and that risk is a derived value.

You simply cannot begin to conduct a bona fide risk analysis if you don’t understand what risk is and what risk is not.

There is huge inefficiency and ineffectiveness in protecting the privacy and security of Protected Health Information (PHI) and electronic PHI (ePHI).

As of October 24, 2013, the PHI/ePHI of 26.9 million fellow Americans has been disclosed according to the HHS/OCR “Wall of Shame.” One example is the theft of laptops with unencrypted hard drives from Advocate Medical Group.

Actions To Take
First and foremost, organizations must understand some key, fundamental points about risk before they embark on completing a risk analysis. For example, I present you with five images and ask you to indicate the level of risk (high, medium, low, no risk) you observe in each image.

The images include a bald tire, the same bald tire turned into a tire swing in a backyard, a frayed rope tied to a beam, the tire swing in a tree perched over the edge of a cliff and, finally, a child swinging in the tire swing in a backyard.

What was the greatest amount of risk you observed? I would guess you “saw” high risk in more than one of the images! Some “saw” risk in all the images. Two points follow: 1) You cannot “see” risk; it must be evaluated; and 2) In reality, there is no risk in any of these images.

Here’s what happens over and over again:

People make assumptions and make things up in risk analysis.

People don’t understand this fundamental truth about risk – you can’t have significant risk without the potential for significant loss or harm.

People tend to relate potential vulnerabilities (e.g., frayed rope, bald tire) with risk.

People forget that one must consider likelihood or probabilities of bad things happening and of impact or harm.

The most important actions organizations must take if they don’t understand risk are to “train up” and/or farm out the work to experts.

And they must remember these truths:

Risk can only possibly exist if three conditions are met: an asset like a laptop with ePHI, a threat to that asset (e.g., a thief may steal it) and a vulnerability (e.g., it is not encrypted) that may be exploited by that threat.

For any single asset (e.g., a laptop with PHI), there may be many different threats and many different vulnerabilities; therefore, there may be many risks to be identified, assigned a value and prioritized.

Controls may already have been implemented or may be implemented to mitigate the likelihood of a certain threat exploiting a certain vulnerability. Controls come in several forms, often categorized as administrative, physical or technical.

Risk has an impact or harm component.

When it comes to health information risk, the adverse impact or harm may come about if the confidentiality and/or the integrity and/or the availability of that information is compromised.
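The points above describe risk as a derived value: it needs an asset, a threat and a vulnerability, it is scored from likelihood and impact, controls reduce likelihood, and one asset can carry many risks that must be valued and prioritized. The following is an added example, not code from the original article, that puts those rules into a minimal risk register. The ordinal scales, the scenarios (including the laptop with ePHI) and the rating thresholds are constructed assumptions for illustration, not a standard HIPAA scoring method.

```python
"""Added example (not from the original article): a minimal risk register that
derives a risk value from the three conditions the article names (asset, threat,
vulnerability) plus likelihood and impact, and lets a control reduce likelihood.
All scales, scores and scenarios below are constructed for illustration."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed ordinal scale for likelihood and impact: 1 = low, 2 = medium, 3 = high.
SCALE_MIN, SCALE_MAX = 1, 3


def missing_conditions(asset: Optional[str], threat: Optional[str],
                       vulnerability: Optional[str]) -> List[str]:
    """Return which of the three conditions for risk is absent.
    A frayed rope or bald tire alone is a vulnerability, not a risk: with no
    asset and no threat identified, the list is non-empty and no risk exists."""
    names = ("asset", "threat", "vulnerability")
    return [n for n, v in zip(names, (asset, threat, vulnerability)) if not v]


@dataclass
class Risk:
    asset: str
    threat: str
    vulnerability: str
    likelihood: int                      # chance the threat exploits the vulnerability
    impact: int                          # harm if confidentiality/integrity/availability is lost
    # Controls (administrative, physical or technical) mitigate likelihood.
    # Each entry is (control name, number of scale steps it removes); constructed values.
    controls: List[Tuple[str, int]] = field(default_factory=list)

    def __post_init__(self):
        if missing_conditions(self.asset, self.threat, self.vulnerability):
            raise ValueError("risk requires an asset, a threat and a vulnerability")
        for v in (self.likelihood, self.impact):
            if not SCALE_MIN <= v <= SCALE_MAX:
                raise ValueError("likelihood and impact must be on the 1..3 scale")

    def residual_likelihood(self) -> int:
        # Controls reduce likelihood but never below the bottom of the scale.
        reduction = sum(steps for _, steps in self.controls)
        return max(SCALE_MIN, self.likelihood - reduction)

    def score(self) -> int:
        # Risk is derived, not observed: residual likelihood times impact (1..9).
        return self.residual_likelihood() * self.impact


def rate(score: int) -> str:
    """Map a derived score to the high/medium/low labels used in the article.
    Thresholds are constructed for this example."""
    if score >= 6:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def prioritize(register: List[Risk]) -> List[Risk]:
    """Highest derived score first; ties keep their original order."""
    return sorted(register, key=lambda r: r.score(), reverse=True)


def build_register() -> List[Risk]:
    """One asset, several threat/vulnerability pairs, and the same pair with a
    control applied, so the effect of the control on the derived value is visible."""
    laptop = "laptop with ePHI"
    register = [
        Risk(laptop, "theft", "disk not encrypted", likelihood=3, impact=3),
        Risk(laptop, "theft", "disk not encrypted", likelihood=3, impact=3,
             controls=[("full-disk encryption", 2)]),
        Risk(laptop, "malware", "unpatched OS", likelihood=2, impact=2),
        # High likelihood but no potential for significant harm: low risk.
        Risk("public brochure", "theft", "left on the front counter", likelihood=3, impact=1),
    ]
    return prioritize(register)


if __name__ == "__main__":
    for r in build_register():
        ctl = ", ".join(name for name, _ in r.controls) or "none"
        print(f"{r.score()} ({rate(r.score())}): {r.asset} / {r.threat} / "
              f"{r.vulnerability} [controls: {ctl}]")
    print("tire swing:", missing_conditions(None, None, "frayed rope"), "missing")
```

Running the block lists the register in priority order: the unencrypted laptop scores 9 (high), the same laptop with full-disk encryption drops to 3 (low) because the control lowers likelihood rather than impact, and the brochure stays low despite a high likelihood of being taken because the impact is minimal. The tire-swing call shows the "no risk in the image" point: a vulnerability with no asset and no threat identified is not a risk at all.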


How You Can Benefit From An Annual Security Assessment

by Jeremy Miller, Technician
Most companies have an IT service provider or an IT department to take care of all of the IT needs of the company.

These technicians can easily address any issues that arise. Most issues, however, are not addressed until they become known and are reported to the IT service provider, either by the person having the issue or by monitoring software the provider has installed.

It is best to have your IT service provider run an assessment once or even better twice a year.

This can make you and your IT provider aware of any security issues that are not easily monitored or would cost too much to monitor.

A security audit can be implemented for a number of reasons.

Some organizations are required to have them if the information they handle must be secured under a compliance standard such as HIPAA or PCI.

Every day new vulnerabilities are discovered, and it is too time consuming to test every device on every network for each security risk as it is discovered.

This is where the security audit shines; it can be used to check for any known vulnerability on every device on your network.

Even with all of the security software commonly installed on business computers, such as anti-virus, service checks and patch management, there can still be security risks running behind the scenes that can be detrimental to your company.

A security assessment can let you know about anything from software using an insecure port to an employee’s malicious actions.

It can show you if an application is using more bandwidth than it should, which may be causing other issues on your network.

Security assessments are the best tools to test for data leakage. Data loss is every business’s problem. Significant data loss causes a business to fail almost 70% of the time.

There are other times besides annually when it is good to get a security assessment. It is best to get one before and after changing IT providers.

It is good to get one after any large installation or migration. This can be a business application, hardware such as new computers or a new server or even a physical migration such as moving to a new location or building an addition.

Security assessments are more effective when you first run a baseline security assessment. A baseline security assessment is one you run before you make any changes to your current IT setup.

This will let you know where you are before any changes are made. You can then have a comparison to verify that your security is improving.

A baseline security assessment will also let you know what vulnerabilities you need to address. Some of these vulnerabilities can be quite costly to repair and are worth planning for.
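The value of a baseline is the comparison it makes possible: after a migration or provider change you can show which findings were resolved, which persist, and which are new, and whether the overall picture improved. The following is an added example, not code from the original article or from any assessment product, that performs that comparison on two constructed finding lists. Host names, finding names and the severity weights are invented for illustration.

```python
"""Added example (not from the original article): comparing a baseline security
assessment with a follow-up run after a change. The findings and severity
weights below are constructed sample data, not real scan output."""
from collections import Counter
from typing import Dict, List, Tuple

Finding = Tuple[str, str, str]          # (host, finding, severity)

# Constructed weights so that two assessments can be compared as one number.
SEVERITY_WEIGHT = {"high": 3, "medium": 2, "low": 1}

# Constructed baseline, taken before a server migration.
BASELINE: List[Finding] = [
    ("fileserver01", "SMBv1 enabled", "high"),
    ("fileserver01", "missing OS patches", "high"),
    ("laptop-07", "disk not encrypted", "high"),
    ("printer-02", "default admin password", "medium"),
    ("web01", "directory listing enabled", "low"),
]

# Constructed follow-up assessment, taken after the migration.
FOLLOWUP: List[Finding] = [
    ("fileserver01", "SMBv1 enabled", "high"),
    ("printer-02", "default admin password", "medium"),
    ("web01", "directory listing enabled", "low"),
    ("newserver01", "missing OS patches", "high"),   # introduced by the migration
]


def compare(baseline: List[Finding], followup: List[Finding]) -> Dict[str, list]:
    """Split findings into resolved (baseline only), new (follow-up only) and
    persisting (in both), keyed on host plus finding name."""
    base = {(h, f) for h, f, _ in baseline}
    now = {(h, f) for h, f, _ in followup}
    return {
        "resolved": sorted(base - now),
        "new": sorted(now - base),
        "persisting": sorted(base & now),
    }


def weighted_total(findings: List[Finding]) -> int:
    """Severity-weighted sum of open findings for a single assessment."""
    return sum(SEVERITY_WEIGHT[s] for _, _, s in findings)


def severity_counts(findings: List[Finding]) -> Dict[str, int]:
    """How many findings of each severity remain; useful for planning costly fixes."""
    return dict(Counter(s for _, _, s in findings))


def improving(baseline: List[Finding], followup: List[Finding]) -> bool:
    """True when the weighted total dropped between the two assessments."""
    return weighted_total(followup) < weighted_total(baseline)


def report(baseline: List[Finding], followup: List[Finding]) -> str:
    """Plain-text summary of the comparison."""
    diff = compare(baseline, followup)
    lines = [f"baseline weighted total: {weighted_total(baseline)}",
             f"follow-up weighted total: {weighted_total(followup)}",
             f"improving: {improving(baseline, followup)}"]
    for key in ("resolved", "new", "persisting"):
        lines.append(f"{key} ({len(diff[key])}):")
        lines.extend(f"  {host}: {finding}" for host, finding in diff[key])
    lines.append(f"open by severity: {severity_counts(followup)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(BASELINE, FOLLOWUP))
```

The comparison keys on host and finding name rather than on the raw list, so a finding that moved severity or reappears on a new host is reported rather than silently netted out. In this constructed data the weighted total falls from 12 to 9, which counts as improvement, yet the diff still surfaces a new high-severity finding on the migrated server that the single number would hide.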

The sooner you get an assessment, the sooner you will be able to make informed decisions based on your network’s actual risks and security requirements.

Everyone’s security needs are different; we can assist you with any questions or concerns that you may have about security assessments.