In the sixth step within the security rules of HIPAA we have risk analysis and risk management, where the health establishment must create and implement procedures that prevent, detect, contain and correct violations in the safety of the clinics, for this an analysis of the risks and its management must be done.
For the risk analysis to take place, the health establishment must conduct in a complete and accurate manner all possible risks and vulnerabilities to which the patients' private health information is subject in the electronic means used by the health establishment and its employees, directly or outsourced.
Risk management, on the other hand, says that sufficient security measures should be implemented to reduce risks and vulnerabilities to an acceptable level. The safety rule does not establish a way to conduct and create these measures, being free to create them according to the needs of each health establishment.
To better understand the above processes, it is necessary to understand a little more about what is vulnerability, threats, and risks, and the relationship between these terms:
- Vulnerability: it is a flaw or weak point that may be the security system, procedure, design, implementation or internal controllers, which may be accidentally caused or not, and results in a compromised security system or a breach of any of the security guidelines. This vulnerability can be technical or non-technical, the technical involve a system or software directly and non-techniques those that involve procedures, internal policies, guidelines or the lack of them.
- Threats: are the potentials for a person or something to exploit and use a vulnerability, whether intentionally or not. Threats can be natural as well, such as floods, gales, tornadoes, etc. Human threats can include intentional threats like viruses, malware, and improper access to health information. Unintentional ones can be considered as adding erroneous information to the system used or deleting and changing them. The threats in the environment refer to power outages, pollution, chemicals and even leaks.
- Risks: the definition of risk becomes clearer after we define vulnerabilities and threats. The risk being the junction of a vulnerability being used by a threat.
Some examples of steps to be taken in risk analysis are: identifying the scope of the analysis, conducting a data survey and then identifying and documenting potential threats.
Identify and document threats and vulnerabilities
The health facility should focus on listing foreseeable threats, for example, the location of the clinic will determine the existing threats that may constitute a risk, a hurricane is a threat, but if the clinic is located in a region where this type of weather event is not common, this threat should not be on the list of foreseeable threats.
For most health establishments, human threats are the most worrying, as human threats can be exploited frequently and at any time, human threats are current employees and former employees, hackers, competitors, criminals, even patients and visitors. Anyone who has access, knowledge or motivation to cause harm, can be considered a threat.
While the health facility identifies potential threats, it must also survey and document the vulnerabilities, which, when exploited, turn into risks. Like threats, vulnerabilities can be both technical and non-technical, associated with patients' electronic medical records.
A common solution is to develop an assessment and security test for both workstations and used servers.
Assess current security measures
The objective of this step is to analyze the security systems and procedures implemented to maintain the safety of patient records and records. For example, the vulnerability is less likely to be exploited by a threat if effective security systems are in place.
Determine the likelihood of a threat occurring
When the above analysis steps are completed, the health facility has all the information to determine:
- The chances of a threat occurring and being exploited, as well as a vulnerability;
- The resulting impact if the worst case scenario occurs, which is that a threat and vulnerability is successfully exploited.
The assessment of these topics is at the discretion of each health establishment, but a suggested way is to classify them into high risk, medium risk and low risk. Since the probability is high, where there are several ways a vulnerability can be used, and can be caused by a number of security deficiencies, the average risk is considered to be moderate when there is at least one security deficiency condition, and the low risk can be considered when the security deficiency is simple and quick to be corrected, such as a system configuration.
Determine the potential impact of the threats occurring
If a vulnerability occurs to be successfully exploited by a threat, this will have negative consequences for patients and the health establishment. Trying to measure the impact of these actions should help to prevent them, and the suggested way is to classify them using qualitative and quantitative methods. The results must also be documented with all potential impacts and assessments in case a threat materializes, damaging patient information in any way.
Determine the level of risk
The next step then is to determine the levels of existing risks. The ideal here is to build a risk matrix, using the values and information obtained from impacts and threats. This matrix can also contain a division of high, medium and low, where combined risks can change classification. For example, a risk rated "high" if combined with one rated "low" can then be placed as a "medium" risk.
Identify security measures and finalize documentation
Here, all safety measures of the health establishment that are used to minimize risks to what is considered an acceptable and appropriate level will be identified. It is necessary to observe the existing legislation or regulations that must be complied with, the effectiveness of the security system, the requirements of the organization, its policies and privacy. Documenting this entire process is necessary, but HIPAA regulations do not require a specific format.
The steps for risk management can be summarized in:
- Develop and implement a risk management plan;
- Implement security measures;
- Assess and maintain security measures.
Source: HHS - Risk Assessment