Elements of Security Risk Analysis
29 September, 2014
HealthPOINT at Dakota State University
Daniel Friedrich, CISSP, Executive Director, Center for the Advancement of Health Information Technology, Dakota State University
Holly Arends, CHTS-CP, CHSP, Clinical Program Manager, HealthPOINT, Dakota State University
Today’s Focus
• HIPAA Requirements
• Elements of a Security Risk Analysis (SRA)
• Evidence of requirement fulfillment
Requirement
• HIPAA Security Rule 45 CFR 164.302-318
• Security Management Process 164.308(a)(1)
• Conduct Risk Analysis 164.308(a)(1)(ii)(A)
• Accurate and thorough assessment
• Maintain integrity, confidentiality, availability of ePHI
• Create Risk Management Program 164.308(a)(1)(ii)(B)
• Implement security measures to reduce risks and vulnerabilities to reasonable and appropriate level
HHS Guidance on Risk Analysis Requirements Under HIPAA Security Rule
HHS Guidance Document
• Scope of Analysis
• Data Collection
• Identify and Document Potential Threats and Vulnerabilities
• Assess Current Security Measures
• Determine the Likelihood of Threat Occurrence
• Determine Potential Impact of Threat Occurrence
• Determine Level of Risk
• Finalize Documentation
• Periodic Review and Updates to Risk Assessment
Foundational Work
• Risk Management
• Holistic
• Tied to Organizational Mission
• Risk Assessment is fundamental to Risk Management
Culture of Compliance
• Risk Assessment
• Risk Management Plan
• Policies and Procedures
• Training
• Culture of Compliance
[Diagram: Risk Assessment, Risk Management Plan, Policies and Procedures and Training, building toward a Culture of Compliance]
Conduct Risk Assessment
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the (organization).
• No specific methodology outlined
Heart of Analysis
[Diagram: Asset, Threat, Vulnerability, Mitigation]
Elements of Risk Assessment-Interview
• Based on OCR Audit Protocol
• Potentially Hundreds of questions
Elements of Risk Assessment- Asset Inventory
• Create an Inventory of Relevant Information Systems
• What type of PHI
• Who has access
• Location- onsite, offsite
• Hardware/Software
• Vulnerabilities
• Threats
• Criticality
• Security Controls in place
• Likelihood and Impact
• Update as needed, new or changing systems
Elements of Risk Assessment-On Site Walk Through
• Physical view of safeguards in place and how they function in real life
Where’s the Evidence?
Final Documentation
• Report
• Dated and Identify the organization
• Identifies Risks
• Outlines risks categorically
• Aid in prioritization
What if the Final Report has not been created?
• Ask for a Draft report that may have been sent to the client
• Contact the SRA Vendor to verify dates of SRA
• Vendor to provide a letter of confirmation
Periodic Review and Update
• Changes or Annually
• Date of Review
• Progress OR Lack of Progress made on Previously Identified Risks
• New Identified Risks
Asset or PHI Inventory
• Scope is identified in this document
• Lists Information Systems
• Identifies
• Vulnerabilities
• Safeguards in place
• The likelihood and impact if a vulnerability is exploited
• Risk Rating Score/Urgency Score
Sample Asset Inventory
PHI INVENTORY
Columns: Item Name; Type (Hardware, Software, etc.); Contains ePHI?; Assignee; Probability (P) (Likelihood) (0-3)**; Impact (I); Impact Score; Risk Rating (P x I); Vulnerability** Administrative (0-3); Administrative safeguards in place?; Safeguard Score; Vulnerability** Physical (0-3); Physical safeguards in place?; Safeguard Score; Vulnerability** Technical (0-3); Technical safeguards in place?; Safeguard Score; Remediation Urgency

Row 1
• Item Name: EHR System product Name
• Type: EHR, located at vendor facility
• Contains ePHI?: (blank in sample)
• Assignee: Vendor ()
• Probability (P): 2
• Impact (I): Loss of some, all patient data
• Impact Score: 3
• Risk Rating (P x I): 6
• Vulnerability Administrative: 2; Administrative safeguards in place? Partial; Safeguard Score: 1
• Vulnerability Physical: 2; Physical safeguards in place? Partial; Safeguard Score: 1
• Vulnerability Technical: 2; Technical safeguards in place? Partial; Safeguard Score: 1
• Remediation Urgency: 36

Row 2
• Item Name: Network Product Name (Dell LAN server)
• Type: Local Area Network server located on-site in server room
• Contains ePHI?: (blank in sample)
• Assignee: Leanne / Stephanie
• Probability (P): 2
• Impact (I): HIPAA Breach, Fines
• Impact Score: 6
• Risk Rating (P x I): 12
• Vulnerability Administrative: 0; Administrative safeguards in place? Yes; Safeguard Score: 3
• Vulnerability Physical: 2; Physical safeguards in place? Partial; Safeguard Score: 1
• Vulnerability Technical: 0; Technical safeguards in place? Yes; Safeguard Score: 3
• Remediation Urgency: 24
Risk Rating Score
• Threat
• Vulnerability
• Likelihood
• Impact
[Diagram: Asset, Threat, Vulnerability, Mitigation]
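As an added worked example (not from the presentation): the sample inventory's figures are consistent with Risk Rating = P x I, Remediation Urgency = Risk Rating x (sum of the three vulnerability scores), and each Safeguard Score being 3 minus its vulnerability score. Those derived formulas are assumptions, as is the Python model below, which scores the two sample rows, rejects values outside the 0-3 scale, and ranks items so the most urgent remediation comes first.

```python
from dataclasses import dataclass

SCALE_MAX = 3  # probability and each vulnerability are scored 0-3 in the inventory


@dataclass
class InventoryItem:
    name: str
    probability: int     # P (likelihood), 0-3
    impact_score: int    # I, as scored in the inventory
    vuln_admin: int      # administrative vulnerability, 0-3
    vuln_physical: int   # physical vulnerability, 0-3
    vuln_technical: int  # technical vulnerability, 0-3

    def __post_init__(self) -> None:
        # Reject scores outside the 0-3 scale before anything is computed
        for label in ("probability", "vuln_admin", "vuln_physical", "vuln_technical"):
            value = getattr(self, label)
            if not 0 <= value <= SCALE_MAX:
                raise ValueError(f"{self.name}: {label}={value} is outside 0-{SCALE_MAX}")

    def risk_rating(self) -> int:
        return self.probability * self.impact_score  # Risk Rating (P x I)

    def vulnerability_total(self) -> int:
        return self.vuln_admin + self.vuln_physical + self.vuln_technical

    def safeguard_scores(self) -> tuple:
        # Assumption: safeguard score is the complement of the vulnerability score
        return tuple(SCALE_MAX - v for v in
                     (self.vuln_admin, self.vuln_physical, self.vuln_technical))

    def remediation_urgency(self) -> int:
        # Assumption: urgency = risk rating x total vulnerability (gives 36 and 24 below)
        return self.risk_rating() * self.vulnerability_total()


def prioritize(items):
    """Order inventory items so the most urgent remediation comes first."""
    return sorted(items, key=lambda item: item.remediation_urgency(), reverse=True)


# Constructed from the two rows of the sample inventory in the slides
SAMPLE = [
    InventoryItem("EHR System", probability=2, impact_score=3,
                  vuln_admin=2, vuln_physical=2, vuln_technical=2),
    InventoryItem("Dell LAN server", probability=2, impact_score=6,
                  vuln_admin=0, vuln_physical=2, vuln_technical=0),
]
```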
Risk Management Plan
• Identified Risks
• Action Plan
• Responsible Person(s)
• Actions Taken
• Goal dates
• Resolved Dates
Sample Risk Management Plan
Columns: Risk Identified; Level of risk; Date identified; Responsible Party; Mitigation Strategy; Goal date; Actions (what has been done, what planning has been done, etc.); Resolved Date

• Risk Identified: No policies or procedures present that require a risk assessment to be done, the scope, nature, and frequency.
• Level of risk: high
• Date identified: 07/04/05
• Responsible Party: Administration - Risk Manager/Quality Manager
• Mitigation Strategy: Risk Manager to write policy and procedure
• Goal date: 12/01/13
• Actions: 5/3/2013 - Risk Manager has drafted a policy and it is being reviewed by medical staff at the June 2013 meeting. 6/27/2013 - Medical staff have reviewed and have requested changes. 10/1/2013 - Risk Manager has made changes to the policy and it will be reviewed at the November medical staff meeting.
• Resolved Date: (blank in sample)
The Risk Web
[Diagram: the SRA linked to Communications, Policy Changes, Training Events, Personnel Files, Tangible Changes, and Update/review of SRA]
Wrap Up
• Comprehensive and Thorough
• Finalized Documentation
• Review/Update no less than annually
Thank you!
www.healthpoint.dsu.edu
605.256.5555