HIPAA Security Implementation, Version 1.0

4.9 RISK MANAGEMENT & ASSESSMENT

Both rules emphasize the use of Risk Assessments in order to Assess and Manage Risk appropriately. Unless one under stands what the organizations critical assets are (people, applications, data, facilities etc.) and what potential threats / risks that these assets are exposed to one will never be able to define appropriate, cost effective controls to protect these assets.

The security rule recognizes that not all organizations have the same issues, technologies etc. hence the concept of 'Reasonable and Appropriate' safeguards / controls was born.

It should also be noted that Risk Assessments are discoverable documents and should be treated as such. The fact that they are discoverable is not an excuse for not performing a Risk Assessment. A CE can be held liable in a case as it 'should have known' or 'should have taken reasonable and prudent steps to discover'

Good Risk Assessment is an excellent means of demonstrating 'Due Care and Due Diligence' by the CE and is also a structured approach to identifying operational issues specific to one's environment and the prioritization of tasks to comply with the act.

Risk Assessment is not something that an organization does just once, it is an on going process that needs to be done on a regular basis to ensure that an organization's controls are kept updated in a cost effective manner.

Some of the reasons that will require the constant updating of controls through Risk Assessment are that technologies change, the organization changes i.e. through mergers, acquisitions and via natural growth, employees come and go, business models and product offerings change to name some.

A Risk Assessment Process or Methodology would follow the steps listed below:

• Identify Assets (Scope of Assessment)

  • All risk assessment start of with identifying and obtaining a detailed inventory of all the assets that need to be protected.

  • This would include people, systems, data ( especially EPHI and PHI in the case of HIPAA) facilities, internal and external interfaces etc.

  • This process can be very complex and time consuming as it needs to identify a wide range of components, interfaces and processes. Unfortunately most organizations do not have a good handle on what components, interfaces and processes that they have. What usually happens is that components , interfaces and processes evolve over time and are usually never documented. It is critical that the inventory identify all interdependencies between these items.

• Identify Threats

  A threat is defined as 'something or someone that can intentionally or accidentally exploit a vulnerability'.

  Threats generally fall into three categories:

  • Natural: This would include things like floods, earthquakes and tornadoes.

  • Human: Human threats fall into two sub categories i.e. Intentional and unintentional activities

    • 'Intentional activities include the theft of data, the deliberate alteration of data, insertion of back doors in code etc.

    • Unintentional activities include the accidental erasing of data etc.

  • Environmental: This would include power failures, hazardous material spills etc.

• One can obtain detailed information about potential threats from SANS, CERT and the NIPC.

• Identify Vulnerabilities

  • A vulnerability characterizes the absence or weakness of safeguard that could be exploited. An excellence source that lists possible ranges of vulnerabilities is the NIST vulnerability database at http://icat.nist.gov. This database contains in excess of 5,500 vulnerabilities.

• Security Control Gap Analysis

  • The goal here is to identify what controls have been implemented and the manner that they are being implemented. This is then compared with what controls should have been implemented and how they should have been implemented.

• Probability of Risk Occurring

  • The goal is to numerically rank the likelihood that a vulnerability will be exploited by a threat. When doing this exercise one needs to assess three factors, a) Threats, b) Vulnerability and c) The existence and effectiveness of security controls.

• Impact Analysis

  • The entity must determine the impact that exploitation of a vulnerability would have on the organization. This can be expressed in terms of High, Medium or Low or in terms of dollars.

• Determination of Risk

  • Risk is a composition of three elements:

    • The likelihood of a threat exploiting a vulnerability

    • The impact on the organization if the vulnerability was exploited

    • The adequacy of planned or existing controls

• Recommendation of Upgrades to Security Controls

  • Finally as all the information from the previous steps is synthesized one develops a sequenced plan to reduce the level of risk to known acceptable levels. This is an important concept. Risk can never be eliminated, it can just be reduced to known and acceptable levels, in other words management is making an informed decision on how best to reduce risk to acceptable levels.