Conducting an effective Risk Assessment is a daunting task no matter how often you have done it. If it is your first time, your anxiety level is likely to be an order of magnitude higher. What we discuss in this article is not a magic elixir for reducing that anxiety, but it may help you put things in proper perspective. The one consolation, in a nutshell, is that there is "no such thing as a perfect Risk Assessment," and no compliance requirement calls for one. The objective is not perfection; the objective is to establish a baseline that you continue to improve on over time.
A Risk Assessment is not something you perform once and then forget. Because the threat landscape changes daily, it is inconceivable that a rigorous "full blown" Risk Assessment performed less often than once a year could keep up; once a quarter is what you should strive for. The HIPAA Rules do not mandate the frequency of Risk Assessments; rather, the Rules require that you perform one whenever your operational environment, or the law, changes in a material way. That said, two points need to be noted: (1) given the amount of change occurring in the healthcare industry, now and in the foreseeable future, operational environments are going to change quite often; and (2) if your objective is to manage risk, then performing a Risk Assessment once a year is simply not a "reasonable and appropriate" thing to do.
Remember that the Security Rule uses words such as "reasonable and appropriate" ("weasel words") to give covered entities, and HHS when it evaluates them, the most flexibility possible in determining how often Risk Assessments, and other repeatable tasks, must be performed. The bottom line is that you are going to learn to love performing Risk Assessments the way a CPA learns to love taxes: because they are mission critical to your business. In this article we cover the basic lingo of Risk Assessments. Performing a Risk Assessment is like learning a foreign language: you first have to learn the basic "grammar," otherwise you will never see the forest for the trees.
Here's some basic risk management vocabulary you must master on your way to performing more effective Risk Assessments:
Adequate Security: Security commensurate with the Risk and magnitude of harm resulting from the loss, misuse, or unauthorized access to or modification of ePHI.
Adversary: Individual, group, organization, or government that conducts or has the intent to conduct detrimental activities.
Asset: An Asset is a thing (tangible or intangible) that accesses, stores, maintains, or transmits ePHI. Examples include networks, PCs, servers, mobile devices, Information Systems, buildings, etc.
Attack: Any kind of malicious activity that attempts to collect, disrupt, deny, degrade, or destroy Information System resources or the ePHI itself.
Authentication: Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an Information System.
Availability: Ensuring timely and reliable access to and use of ePHI.
Confidentiality: Preserving authorized restrictions on ePHI access and disclosure, including means for protecting personal privacy and proprietary ePHI.
Impact: The magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of ePHI, unauthorized modification of ePHI, unauthorized destruction of ePHI, or loss of ePHI or ePHI system availability.
Individual: In the Risk Assessment context (Operations, Assets, and Individuals), Individual is synonymous with a workforce member. Note that this differs from the Privacy Rule's use of "individual" to mean the person who is the subject of the PHI.
Information Owner: Official with statutory or operational authority for specified ePHI and responsibility for establishing the controls for its generation, classification, collection, processing, dissemination, and disposal.
Integrity: Guarding against improper ePHI modification or destruction, and includes ensuring ePHI non-repudiation and authenticity.
Likelihood: A weighted factor based on a subjective analysis of the probability that a given threat is capable of exploiting a given Vulnerability or a set of Vulnerabilities.
Operations: Business processes and workflows that interact with ePHI on a day-to-day basis and which would be negatively impacted should ePHI be corrupted, breached, or otherwise compromised.
Operational Controls: The security controls (i.e., safeguards or countermeasures) for an Information System that are primarily implemented and executed by people (as opposed to systems).
Operational Environment: The physical, technical, and organizational setting in which an Information System operates, including but not limited to: missions/business functions; mission/business processes; threat space; vulnerabilities; enterprise and information security architectures; personnel; facilities; supply chain relationships; information technologies; organizational governance and culture; acquisition and procurement processes; organizational policies and procedures; organizational assumptions, constraints, risk tolerance, and priorities/trade-offs.
Risk: The net mission impact considering (1) the probability that a particular Threat will exercise (accidentally trigger or intentionally exploit) a specific Vulnerability and (2) the resulting impact if this should occur.
Risk Assessment: Risk Assessment is a process by which an Organization identifies the following: (1) Threats to the Organization (i.e., its Operations, Assets, or Individuals); (2) Vulnerabilities internal and external to the Organization; (3) the harm (i.e., adverse Impact) that may occur given the potential for Threats exploiting Vulnerabilities; and (4) the Likelihood that harm will occur.
Risk Management: Risk Management is a comprehensive, Organization-wide process that contains the following sub-processes: (1) framing Risk: the purpose of the Risk framing component is to produce a Risk management strategy that addresses how your Organization intends to assess Risk, respond to Risk, and monitor Risk; (2) assessing Risk: see the definition of Risk Assessment; (3) responding to Risk: this component determines how your Organization responds to Risk in accordance with your Risk management strategy by developing, evaluating, selecting, and implementing Risk responses; and (4) monitoring Risk: this component determines how your Organization tracks Risks over time by verifying that "reasonable and appropriate" Risk responses have been implemented and determining the ongoing effectiveness of these responses vis-à-vis a changing Operational Environment.
Risk Mitigation: Prioritizing, evaluating, and implementing the appropriate Risk-reducing controls/countermeasures recommended by the Risk Assessment process; a subset of Risk Response.
Risk Monitoring: Maintaining ongoing awareness of an Organization's Risk environment, Risk Management program, and associated activities to support Risk decisions.
Risk Response: Accepting, avoiding, mitigating, sharing, or transferring Risk to organizational operations (i.e., mission, functions, image, or reputation), organizational assets, individuals, or other organizations.
Security Controls: The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an Information System to protect the confidentiality, integrity, and availability of the system and its ePHI. Security Controls can be both technical and nontechnical. Technical controls include, but are not limited to, parts of Information System hardware and software. For example, technical controls include access controls, identification, authentication, encryption methods, automatic logoff, and audit controls.
Single Point of Failure: A potential Risk posed by a design or implementation flaw of a system, or a group of systems, that can compromise operational availability.
Security Objects: Operations, Individuals and Assets that Administrative, Technical and Physical Safeguards are applied to.
Technical Controls: Security Controls (i.e., safeguards or countermeasures) for an Information System that are primarily implemented and executed by the Information System through mechanisms contained in the hardware, software, or firmware components of the system.
Threat: The potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific Vulnerability: (1) natural threats may include floods, earthquakes, tornadoes, and landslides; (2) human threats are enabled or caused by humans and may include intentional (e.g., network and computer based attacks, malicious software upload, and unauthorized access to ePHI) or unintentional (e.g., inadvertent data entry deletion and inaccurate data entry) actions; and (3) environmental threats may include power failures, pollution, chemicals, and liquid leakage.
Threat Landscape: The Threat Landscape is the set of Threats currently active "in the wild" that are capable of exploiting Vulnerabilities in your Operational Environment. A Threat that exercises a Vulnerability may, and usually does, have a negative impact on your Security Objects. Your Security Objects are important elements within your Organization's value chain, and any negative effect on them is likely to hinder your ability to deliver products and services to your customers.
Vulnerability: A flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security Breach or a violation of the system's security policy: (1) Vulnerabilities, whether accidentally triggered or intentionally exploited, could potentially result in a Security Incident, such as an inappropriate use or disclosure of ePHI; and (2) Vulnerabilities may be grouped into two general categories, technical and nontechnical. Non-technical vulnerabilities may include ineffective or non-existent policies, procedures, standards or guidelines. Technical Vulnerabilities may include: holes, flaws or weaknesses in the development of Information Systems; or incorrectly implemented and/or configured Information Systems.
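The definitions of Risk, Risk Assessment, Risk Mitigation, and Risk Response above fit together in a risk register: each row pairs a Threat with the Vulnerability it could exercise on a Security Object, scores Likelihood against Impact, ranks the rows, and maps each to a response. The following Python is an added example, not code from the article or from HHS; it assumes a three-level qualitative scale for Likelihood and Impact and the score thresholds shown, and the register rows are constructed for a hypothetical organization, not real findings.

```python
from dataclasses import dataclass, replace
from enum import IntEnum
from typing import List, Optional


class Level(IntEnum):
    """Qualitative scale used for both Likelihood and Impact (assumption: three levels)."""
    LOW = 1
    MODERATE = 2
    HIGH = 3


@dataclass(frozen=True)
class RiskItem:
    """One row of a risk register: a Threat exercising a Vulnerability on a Security Object."""
    security_object: str   # the Operation, Individual, or Asset affected
    threat: str
    vulnerability: str
    likelihood: Level      # probability that the threat exercises the vulnerability
    impact: Level          # magnitude of harm if it does

    @property
    def score(self) -> int:
        # Risk = likelihood of the threat exercising the vulnerability x resulting impact
        return int(self.likelihood) * int(self.impact)


def risk_level(score: int) -> str:
    """Map a 1..9 score back onto the three-level scale (thresholds are an assumption)."""
    if score >= 6:
        return "HIGH"
    if score >= 3:
        return "MODERATE"
    return "LOW"


def recommend_response(item: RiskItem) -> str:
    """Default Risk Response per level; accepting LOW risk still means documenting it."""
    return {
        "HIGH": "mitigate",
        "MODERATE": "mitigate or share",
        "LOW": "accept (document the decision)",
    }[risk_level(item.score)]


def prioritize(register: List[RiskItem]) -> List[RiskItem]:
    """Order the register for Risk Mitigation: highest score first, Impact breaks ties."""
    return sorted(register, key=lambda r: (r.score, r.impact), reverse=True)


def apply_control(item: RiskItem, *, likelihood: Optional[Level] = None,
                  impact: Optional[Level] = None) -> RiskItem:
    """Return the residual risk once a control lowers Likelihood and/or Impact.
    The residual row is what Risk Monitoring tracks after the control is in place;
    the original row is left unchanged so the before/after can be compared."""
    return replace(item,
                   likelihood=likelihood if likelihood is not None else item.likelihood,
                   impact=impact if impact is not None else item.impact)


# Constructed sample register (hypothetical organization, not real findings).
REGISTER = [
    RiskItem("EHR database server (Asset)",
             "unauthorized remote access with stolen credentials",
             "no multi-factor authentication on remote access",
             Level.HIGH, Level.HIGH),
    RiskItem("clinician laptops (Asset)",
             "lost or stolen device",
             "disk not encrypted",
             Level.MODERATE, Level.HIGH),
    RiskItem("billing workflow (Operation)",
             "inadvertent record deletion by staff",
             "no audit trail or change history",
             Level.HIGH, Level.LOW),
    RiskItem("nightly backup job (Operation)",
             "power failure",
             "single UPS, a single point of failure",
             Level.LOW, Level.MODERATE),
]


if __name__ == "__main__":
    for r in prioritize(REGISTER):
        print(f"{r.score} {risk_level(r.score):8} {recommend_response(r):30} {r.threat}")
    # Residual risk after the top item gets MFA: Likelihood drops, Impact does not.
    residual = apply_control(prioritize(REGISTER)[0], likelihood=Level.LOW)
    print("residual:", residual.score, risk_level(residual.score), recommend_response(residual))
```

The residual-risk step is the point practitioners most often miss: a control that moves the top row from HIGH to MODERATE does not make the Risk disappear, it leaves a residual Risk that must still be given a Risk Response and then tracked under Risk Monitoring until the next assessment.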
Of course you are not going to learn a new grammar simply by learning a new vocabulary, BUT that's a good place to start. Tune in to this month's FREE Webinar to learn more about Risk Assessments.