Conducting an effective Risk Assessment is a daunting task no matter how often you have done it. If it is your first time, your anxiety level is likely to be an order of magnitude higher. Although what we are going to discuss in this article is not a magic elixir for reducing that anxiety, it may help you to put things in proper perspective. The silver bullet, in a nutshell, is that there is "no such thing as a perfect Risk Assessment," and there is no compliance requirement for one. The objective is not perfection; the objective is to establish a baseline that you can continue to improve on over time.
A Risk Assessment is not something that you perform once and then forget. Because the threat landscape changes on a daily basis, it is inconceivable that a rigorous "full blown" Risk Assessment could be performed less often than once a year, and once a quarter is more likely what you should strive for. The HIPAA Rules do not mandate the frequency of Risk Assessments; rather, the Rules require that you perform a Risk Assessment whenever your operational environment, or the law, changes in a material way. That said, a couple of points need to be noted: (1) given the amount of change occurring in the healthcare industry (now and in the foreseeable future), operational environments are going to be changing quite often; and (2) if your objective is to manage risk, then performing a Risk Assessment once a year is simply not a "reasonable and appropriate" thing to do.
Remember that the Security Rule uses words such as "reasonable and appropriate" ("weasel words") to give HHS the most flexibility possible in determining the required frequency of Risk Assessments and other repeatable tasks. The bottom line is that you are going to learn to love performing Risk Assessments in the same way that a CPA learns to love taxes: because they are mission critical to your business. In this article we are going to cover the basic lingo of Risk Assessments. Performing a Risk Assessment is like learning a foreign language: you first have to learn the basic "grammar," otherwise you will never be able to see the forest for the trees.
Here's some basic risk management vocabulary you must master on your way to performing more effective Risk Assessments:
Adequate Security: Security commensurate with the Risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of ePHI.
Adversary: Individual, group, organization, or government that conducts or has the intent to conduct detrimental activities.
Asset: An Asset is a thing (tangible or intangible) that accesses, stores, maintains, or transmits ePHI. Examples include networks, PCs, servers, mobile devices, Information Systems, buildings, etc.
Attack: Any kind of malicious activity that attempts to collect, disrupt, deny, degrade, or destroy Information System resources or the ePHI itself.
Authentication: Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an Information System.
Availability: Ensuring timely and reliable access to and use of ePHI.
Confidentiality: Preserving authorized restrictions on ePHI access and disclosure, including means for protecting personal privacy and proprietary ePHI.
Impact: The magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of ePHI, unauthorized modification of ePHI, unauthorized destruction of ePHI, or loss of ePHI or ePHI system availability.
Individual: Individual is synonymous with a workforce member.
Information Owner: Official with statutory or operational authority for specified ePHI and responsibility for establishing the controls for its generation, classification, collection, processing, dissemination, and disposal.
Integrity: Guarding against improper ePHI modification or destruction, including ensuring ePHI non-repudiation and authenticity.
Likelihood: A weighted factor based on a subjective analysis of the probability that a given Threat is capable of exploiting a given Vulnerability or a set of Vulnerabilities.
Operations: Business processes and workflows that interact with ePHI on a day-to-day basis and which would be negatively impacted should ePHI be corrupted, breached, or otherwise
Operational Controls: The Security Controls (i.e., safeguards or countermeasures) for an Information System that are primarily implemented and executed by people (as opposed to
Operational Environment: The physical, technical, and organizational setting in which an Information System operates, including but not limited to: missions/business functions; mission/business processes; threat space; vulnerabilities; enterprise and information security architectures; personnel; facilities; supply chain relationships; information technologies; organizational governance and culture; acquisition and procurement processes; organizational policies and procedures; organizational assumptions, constraints, risk tolerance, and priorities/trade-offs.
Risk: The net mission impact considering (1) the probability that a particular Threat will exercise (accidentally trigger or intentionally exploit) a specific Vulnerability and (2) the resulting Impact if this should occur.
Risk Assessment: Risk Assessment is a process by which an Organization identifies the following: (1) Threats to the Organization (i.e., its Operations, Assets, or Individuals); (2) Vulnerabilities internal and external to the Organization; (3) the harm (i.e., adverse Impact) that may occur given the potential for Threats exploiting Vulnerabilities; and (4) the Likelihood that harm will occur.
Risk Management: Risk Management is a comprehensive, Organization-wide process that contains the following sub-processes: (1) framing Risk: the purpose of the Risk framing component is to produce a Risk management strategy that addresses how your Organization intends to assess Risk, respond to Risk, and monitor Risk; (2) assessing Risk: see the definition of Risk Assessment; (3) responding to Risk: this component determines how your Organization responds to Risk in accordance with your Risk management strategy by developing, evaluating, selecting, and implementing Risk responses; and (4) monitoring Risk: this component determines how your Organization tracks Risks over time by verifying that "reasonable and appropriate" Risk responses have been implemented and determining the ongoing effectiveness of these responses vis-à-vis a changing operational
Risk Mitigation: Prioritizing, evaluating, and implementing the appropriate Risk-reducing controls/countermeasures recommended from the Risk Assessment process; a subset of Risk
Risk Monitoring: Maintaining ongoing awareness of an Organization's Risk environment, Risk Management program, and associated activities to support Risk decisions.
Risk Response: Accepting, avoiding, mitigating, sharing, or transferring Risk to organizational operations (i.e., mission, functions, image, or reputation), organizational assets, individuals, or other organizations.
Security Controls: The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an Information System to protect the confidentiality, integrity, and availability of the system and its ePHI. Security Controls can be both technical and nontechnical. Technical controls include, but are not limited to, parts of Information System hardware and software. For example, technical controls include access controls, identification, authentication, encryption methods, automatic logoff and audit
Single Point of Failure: A potential Risk posed by a design or implementation flaw of a system, or a group of systems, that can compromise operational availability.
Security Objects: The Operations, Individuals and Assets to which Administrative, Technical and Physical Safeguards are applied.
Technical Controls: Security Controls (i.e., safeguards or countermeasures) for an Information System that are primarily implemented and executed by the Information System through mechanisms contained in the hardware, software, or firmware components of the
Threat: The potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific Vulnerability: (1) natural threats may include floods, earthquakes, tornadoes, and landslides; (2) human threats are enabled or caused by humans and may include intentional (e.g., network and computer based attacks, malicious software upload, and unauthorized access to ePHI) or unintentional (e.g., inadvertent data entry, deletion, and inaccurate data entry) actions; and (3) environmental threats may include power failures, pollution, chemicals, and liquid leakage.
Threat Landscape: A Threat Landscape is a database ("in the wild") of Threats capable of exploiting Vulnerabilities in your Operational Environment. Threats, if exploited, may (and usually do) have a negative impact on your Security Objects. Your Security Objects are important elements within your Organization's value chain, and any negative effect on them is likely to hinder your ability to deliver products and services to your customers.
Vulnerability: A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security Breach or a violation of the system's security policy: (1) Vulnerabilities, whether accidentally triggered or intentionally exploited, could potentially result in a Security Incident, such as an inappropriate use or disclosure of ePHI; and (2) Vulnerabilities may be grouped into two general categories, technical and nontechnical. Non-technical Vulnerabilities may include ineffective or non-existent policies, procedures, standards or guidelines. Technical Vulnerabilities may include holes, flaws or weaknesses in the development of Information Systems, or incorrectly implemented and/or configured Information Systems.
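As an added illustration that is not part of the article, here is a small risk register in Python that applies the Asset, Threat, Vulnerability, Likelihood, Impact, Risk, Risk Mitigation and Risk Monitoring definitions above: each entry is scored, the register is prioritized so the highest Risk is addressed first, and an entry is re-scored after a control changes its Likelihood or Impact. The Low/Moderate/High scales and the sample entries are constructed assumptions; the article defines the terms but fixes no scale.

```python
from dataclasses import dataclass, replace
from typing import Optional

# Qualitative scales: a constructed assumption for this example. The article
# defines Likelihood and Impact but does not fix a numeric scale.
LIKELIHOOD = {"low": 1, "moderate": 2, "high": 3}
IMPACT = {"low": 1, "moderate": 2, "high": 3}


@dataclass(frozen=True)
class RiskEntry:
    asset: str          # Asset: thing that accesses, stores or transmits ePHI
    threat: str         # Threat: what could exercise the Vulnerability
    vulnerability: str  # Vulnerability: the flaw or weakness that could be exercised
    likelihood: str     # Likelihood: weighted, subjective probability of exploitation
    impact: str         # Impact: magnitude of harm to ePHI or ePHI system availability

    def score(self) -> int:
        # Risk: probability the Threat exercises the Vulnerability x resulting Impact
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def level(self) -> str:
        s = self.score()
        return "high" if s >= 6 else "moderate" if s >= 3 else "low"


def prioritize(register: list[RiskEntry]) -> list[RiskEntry]:
    """Risk Mitigation: order entries so the highest Risk is addressed first."""
    return sorted(register, key=lambda e: (-e.score(), e.asset))


def reassess(entry: RiskEntry, likelihood: Optional[str] = None,
             impact: Optional[str] = None) -> RiskEntry:
    """Risk Monitoring: re-score an entry after a control changes Likelihood or Impact."""
    return replace(entry, likelihood=likelihood or entry.likelihood,
                   impact=impact or entry.impact)


def baseline_register() -> list[RiskEntry]:
    """Constructed sample entries (not taken from the article)."""
    return [
        RiskEntry("EHR database server", "ransomware operator", "unpatched OS", "high", "high"),
        RiskEntry("clinician laptop", "theft", "disk not encrypted", "moderate", "high"),
        RiskEntry("backup tape vault", "flood", "vault below water line", "low", "high"),
        RiskEntry("billing workstation", "inadvertent data entry", "no input validation", "high", "low"),
    ]


if __name__ == "__main__":
    for e in prioritize(baseline_register()):
        print(f"{e.level():8} {e.score()}  {e.asset}: {e.threat} / {e.vulnerability}")
```

Re-running the register each quarter, and after any material change in the Operational Environment, gives the improving baseline the article describes rather than a one-off document.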
Of course you are not going to learn a new grammar simply by learning a new vocabulary, BUT that's a good place to start. Tune in to this month's FREE Webinar to learn more about Risk Assessments.