Risk analysis involves identifying risks and vulnerabilities in your information systems.
It is a required implementation specification within the Security Management Process. It requires you to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) held by your office. It calls for you to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
Perform a Risk Analysis
A risk analysis is a process that you should carry out in your practice in a step-by-step manner. Following is a suggested method of performing your risk analysis:
Inventory – You should begin by conducting a detailed inventory of your ePHI and your information systems that contain ePHI. Information systems can be complex. The inventory should seek to identify all inter-dependencies among these items.
• Information system hardware and software
• Identify the primary users of the information systems and ePHI
• Function and purpose of the ePHI and information system
• Technical controls (hardware or software access control mechanisms)
• Non-technical controls (security policies, employee training)
Threat identification – You should next identify all potential threats to your ePHI and your related information systems.
• Natural – floods, earthquakes, tornadoes, hurricanes, etc.
• Human – Unintentional (incorrect data entry or accidental deletion of data) or Intentional (installing malicious hardware, refusing service)
• Environmental – Power failures, hazardous material spill, etc.
Vulnerability Identification – Identify the vulnerabilities of your ePHI and related information systems. A vulnerability is a flaw or weakness in a system’s implementation, security, procedures, design, or internal controls that can be exploited by a threat and result in misuse or abuse of ePHI.
Examine your vulnerable sources by reviewing:
• Information systems
• Audit reports
• Information system tests
• Evaluation reports
Security control analysis – You should next analyze the security controls that you have put into place to protect ePHI. There are two types of security controls that need to be assessed:
1. Preventative controls are designed to prevent or restrict the exploitation of vulnerabilities.
• Access control
2. Detective controls detect and report when violations occur.
• Audit trail
Determine risk likelihood – Three determining factors should be considered:
1.) Threat motivation and capability;
2.) Type of vulnerability; and
3.) Existence and availability of security controls.
Below are three risk likelihood levels and their definitions that may be used as examples:
• High likelihood - Threat is highly capable, motivated, or likely and current security controls are ineffective.
• Medium likelihood - Threat is capable, motivated or likely, but there are security controls in place that may prevent the exploitation of the vulnerabilities.
• Low likelihood – Threat is not capable, motivated or likely, or current security controls will likely prevent exploitation of the vulnerabilities.
Analyze the impact – Next, determine the impact that would result if a perceived threat were to actually take place in your practice. You should determine the impact in the following areas (define the impacts as high, medium, or low):
• Confidentiality - ePHI is disclosed or accessed in an unauthorized manner
• Integrity - ePHI is improperly modified
• Availability – ePHI is unavailable to authorized users
Determine the risk - For each vulnerability and its associated possible threat, you should make a risk determination based on:
• The likelihood that a threat will happen or attempt to happen.
• The level of impact to your practice in the event that the threat happens.
• The adequacy of the existing or planned security controls to protect your ePHI.
• High risk – Security controls should be implemented or improved as soon as possible.
• Medium risk – Security controls should be implemented or improved in a reasonable amount of time.
• Low risk – The security controls that are currently in place are probably adequate or the risk is acceptable.
Recommendations for Security Control – By using all of the above information, you should be able to conclude your Security Risk Analysis by implementing security controls that can mitigate or eliminate the unacceptable risks that you have identified. These controls should reduce the level of risk to your ePHI and your related electronic information systems to an acceptable level.
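As an added example (not part of this guidance), the Python below rates a few constructed findings with the likelihood, impact and risk levels defined above and produces a prioritized risk register with the recommended action for each. The rule that combines likelihood and impact into a risk level is an assumption, since the guidance does not specify one, and the sample assets, threats and vulnerabilities are constructed.

```python
from dataclasses import dataclass
LEVELS = ("Low", "Medium", "High")  # ordering used for every rating in the guidance
@dataclass
class Finding:
    asset: str                # inventory item that holds ePHI (constructed sample)
    threat: str               # natural, human or environmental threat
    vulnerability: str        # weakness the threat could exploit
    threat_capable: bool      # threat is capable, motivated, or likely
    controls_effective: bool  # current controls will likely prevent exploitation
    impact: dict              # confidentiality/integrity/availability, each Low/Medium/High
def likelihood(f):
    """Apply the guidance's three likelihood definitions."""
    if f.threat_capable and not f.controls_effective:
        return "High"
    if f.threat_capable:
        return "Medium"  # capable threat, but controls may prevent exploitation
    return "Low"

def impact_level(f):
    """Worst case across confidentiality, integrity and availability."""
    return max(f.impact.values(), key=LEVELS.index)

def risk(f):
    """Assumed matrix (not in the guidance): sum level indexes; 3-4 High, 2 Medium, else Low."""
    score = LEVELS.index(likelihood(f)) + LEVELS.index(impact_level(f))
    return "High" if score >= 3 else "Medium" if score == 2 else "Low"
ACTION = {"High": "implement or improve controls as soon as possible",
          "Medium": "implement or improve controls in a reasonable amount of time",
          "Low": "current controls probably adequate, or risk accepted"}

def register(findings):
    """Rows of (risk, likelihood, impact, asset, threat, action), highest risk first."""
    rows = [(risk(f), likelihood(f), impact_level(f), f.asset, f.threat, ACTION[risk(f)])
            for f in findings]
    return sorted(rows, key=lambda r: LEVELS.index(r[0]), reverse=True)

# Constructed sample findings for a small practice; not taken from any real assessment.
SAMPLE_FINDINGS = [
    Finding("EHR server", "ransomware (human, intentional)", "no offline backups", True, False,
            {"confidentiality": "High", "integrity": "High", "availability": "High"}),
    Finding("billing workstation", "accidental record deletion (human)", "no record-level audit trail",
            True, True, {"confidentiality": "Low", "integrity": "Medium", "availability": "Medium"}),
    Finding("server room", "power failure (environmental)", "single utility feed", False, True,
            {"confidentiality": "Low", "integrity": "Low", "availability": "Medium"}),
]

if __name__ == "__main__":
    for row in register(SAMPLE_FINDINGS):
        print(" | ".join(row))
```

Each printed row is the documentation record the next section asks for: the finding, how its likelihood and impact were rated, and the resulting decision.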
Documentation Requirements – Good documentation generally supports any situation in which an action is called into question. We often hear, “If it is not documented, it was not done.” This is also true with security.
No documentation or poor documentation does not mean that you do not have a security risk. In fact, the better the documentation, the more likely it is for an external investigator to believe that an undocumented risk did not previously exist. Your diligence in documenting risks and your decisions relative to them can demonstrate that you made the effort to identify as many risks as reasonable and practical. If one is overlooked, you are much less likely than if your documentation is poor or nonexistent and you attempt to.
This type of Security Risk Analysis should be conducted on an annual basis. Be sure to document the specifics of your audit and its findings.