How to Start a HIPAA Risk Analysis
A step-by-step process and template to help you start along your risk analysis journey.
CISSP, CISA, QSA, PA-QSA
A risk analysis is the first step in an organization’s Security Rule compliance efforts. It’s the “physical” check-up that ensures all security aspects are running smoothly, and any weaknesses are addressed. And contrary to popular belief, a HIPAA risk analysis is not optional. HIPAA risk analysis is not optional.
The HHS issued guidance for risk analysis requirements that explains in additional detail the purpose of a risk analysis.
“Conducting a risk analysis is the first step in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications in the Security Rule. Therefore, a risk analysis is foundational…”
A risk analysis is foundational to your security. You can’t be HIPAA compliant without one.
What is a HIPAA risk analysis?A risk analysis is a way to assess the potential vulnerabilities, threats, and risks to protected health information (PHI) at your organization. Though the HHS did not specify an exact risk analysis methodology, they do require certain elements be present in a risk analysis, which we’ll talk about later, namely:
- Scope analysis
- Data collection
- Vulnerabilities/threat identification
- Assessment of current security measures
- Likelihood of threat occurrence
- Potential impact of threat
- Risk level
- Periodic review/update as needed
Risk Analysis MethodologyThere are a variety of methods to conduct a HIPAA risk analysis, but I’ve described the method I’ve found to work best below. This is a condensed version of the method I use during the HIPAA onsite Risk Analysis that I conduct.
Please understand, conducting a complete and thorough risk analysis is extremely difficult to do yourself. I recommend contracting with a HIPAA auditor to help you. The problem is, most people just simply don’t know where to look, or bypass things because they don’t understand data security. If the Risk Analysis is foundational to your security, then you don’t want to overlook key Risk Analysis elements. (Learn the pros and cons of a HIPAA audit)
So let’s dive a little deeper into the methodology of how to conduct a risk analysis.
Step 1: Define scope by defining PHI flow in your environmentTo identify your scope ("scope" meaning: the areas of your organization you need to secure), you have to understand how patient data flows within your organization. If you know all the places your organization houses, transmits, and stores PHI, you'll be able to better safeguard those potential vulnerable places.
There are four main parts to consider when defining your scope.
- Where PHI starts or enters your entity
- What happens to it in your system
- Where PHI leaves your environment
- Where potential or existing leaks are
In the PHI lifecycle, it’s important to identify all PHI inputs. By doing this, you can make sure you identify exactly where security should begin at your organization.
When considering the origination of PHI, think of both new and existing patient records. PHI can begin from patients filling out their own information on physical paper, to business associates faxing you asking for more information about a current or former patient.
Here’s a list of places to get you started in the documentation of where PHI enters your environment.
- Email: How many computers do you have, and who can log on to each computer?
- Texts: How many mobile devices do you have, and who owns them?
- EHR entries: How many staff members do you have entering in data?
- Faxes: How many fax machines do you have?
- USPS: How is incoming mail handled?
- New patient papers: How many papers are patients required to fill out, and where? Front desk? In the examination room?
- Business associate communications: How do business associates communicate to you?
- Databases: Do you receive marketing databases of potential patients to reach out to?
What happens to PHI in your environment, including where it is stored
It’s not just enough to know where PHI begins. You must know exactly what happens to it once it enters your environment. Does it go directly to accounting? Is it automatically stored in your EHR? If it is emailed, is it encrypted?
To adequately understand what happens to PHI in your environment, you must record all hardware, software, devices, systems, and data storage locations that touch PHI in any way.
Here’s a list of places to get you started.
- Filing cabinets
- Mobile devices
- EHR/EMR systems
- Calendar software
- Networked medical devices
- Operating systems
- Encryption software
A lot of workforce members forget that they must protect PHI throughout its entire lifecycle. And that includes when it leaves your hands. If PHI leaves your organization, it is your job to ensure it is transmitted or destroyed in the most secure way possible. You, along with your business associate, are responsible for how the business associate handles your PHI.
Here are some things to consider when PHI leaves your environment.
- Business associates
- Encrypted transmission
- Minimum necessary
- Lifecycle with the BA
- Recycling companies
- Trash bins on computers
Where does PHI leak?
Now that you are the expert on what happens during the PHI lifecycle, it’s time to find the gaps. These gaps in security and environment weaknesses are the whole reason we define scope. Weaknesses provide the ability for unsecured PHI to leak in or outside your environment.
The best way to find all possible leaks is by creating a PHI flow diagram. Essentially, a PHI flow diagram documents all the information you found above, and lays it out in a graphical format. It’s a lot easier to understand PHI trails when looking at a diagram.
We’ll discuss environment weaknesses further in Step 2.
SEE ALSO: PIIscan: Find and Secure Unencrypted Personal Data
Step 2: Identify Vulnerabilities, Threats, and Risks to Your Patient Data
Now that you know how PHI flows in your organization, and can better understand your scope, you have to find the problems within that scope. For each of the identified areas above, you must identify:
- What vulnerabilities exist in the system, application, process or people
- What threats, internal, external, environmental and physical, exist for each of those vulnerabilities
- What is the probability of each threat triggering a specific vulnerability? This is the risk.
- Digital: (e.g., setting a weak password on an EHR system)
- Physical: (e.g., not shredding PHI, inaccessibility of facility)
- Internal: (e.g., employee checks personal email and downloads malware)
- External: (e.g., hacker trying to breach your remote access software)
- Environmental: (e.g., fire destroys the building your backups are kept in)
- Negligent: (e.g., employee accidentally leaving patient data visible in an examination room computer)
- Willful: (e.g., employee snooping on celebrity, ex-spouse/companion, or family member)
What are your vulnerabilities?A vulnerability is a flaw in components, procedures, design, implementation, or internal controls. Vulnerabilities can be fixed.
The HHS explains further, “Vulnerabilities, whether accidentally triggered or intentionally exploited, could potentially result in a security incident, such as inappropriate access to or disclosure of ePHI. Vulnerabilities may be grouped into two general categories, technical and nontechnical. Non-technical vulnerabilities may include ineffective or non-existent policies, procedures, standards or guidelines. Technical vulnerabilities may include: holes, flaws or weaknesses in the development of information systems; or incorrectly implemented and/or configured information systems.”
Examples of vulnerabilities I’ve seen while conducting a HIPAA risk analysis:
- Unpatched operating system software
- Website coded incorrectly
- No office security policies
- Misconfigured or no firewall
- Computer screens in view of public patient waiting areas
A threat is the potential for a person or thing to trigger a vulnerability. Generally, it’s difficult for threats to be controlled. Even though most remain out of your control to change, they must be identified in order to assess the risk. Physical location, organization size, and systems all have the potential to be a threat.
According to the HHS, “There are several types of threats that may occur within an information system or operating environment. Threats may be grouped into general categories such as natural, human, and environmental.
Examples of threats I’ve seen while conducting a HIPAA risk analysis
- Geological threats, such as landslides, earthquakes, and floods
- Hackers downloading malware onto a system
- Inadvertent data entry or deletion of data
- Power failures
- Chemical leakage
- Workforce members
- Business associates
Risks are the probability that a particular threat will exercise a particular vulnerability, and the resulting impact on your organization.
Let me explain with an example.
In a system that allows weak passwords, the vulnerability is the fact that the password is vulnerable to attack. The threat is that a hacker could crack the password and break into the system. The risk is the unprotected PHI in your system.
According to the HHS, “risk is not a single factor or event, but rather it is a combination of factors or events (threats and vulnerabilities) that, if they occur, may have an adverse impact on the organization.”
Examples of risks I’ve seen while conducting a HIPAA risk analysis
- Remote access to a PHI system with a weak password. There is an extremely high probability (“high” risk) that an external hacker will brute force the password and gain access to the system.
- Windows XP machine with access to the Internet. There is an extremely high probability (“high” risk) that an external hacker will exploit security flaws (there is no longer support for WinXP) using malicious software and gain access PHI.
Step 3: Analyze HIPAA Risk Level and Potential ImpactNow that you’ve identified any possible security problems in your organization (and there should be a lot), you need to bring that list back to reality. It’s time to decide what risks could and will impact your organization. This risk and impact prioritization is a crucial part of your risk analysis that will eventually translate to your risk management plan.
To analyze your risk level, you must first consider the following:
- Likelihood of occurrence:Just because you are threatened by something, doesn’t necessarily mean it will have an impact on you. For example, an organization in Texas and an organization in Vermont technically could both be struck by a tornado. However, the likelihood of a tornado striking Texas is a lot higher than Vermont. So, the Texas-based organization’s tornado risk level will be a lot higher than the Vermont-based organization.
- Potential impact:What is the effect the particular risk you are analyzing would have on your organization? For example, while a computer screen might accidentally show PHI to a patient in the waiting room, it probably won’t have as big of an impact as a hacker attacking your unsecured Wi-Fi and stealing all your patient data.
Download this risk analysis template worksheet to help you start documenting your risks.
Step 4: Identify Top Security Measures Based on Top HIPAA RisksNow that you have a prioritized list of all your security problems, it’s time to start mitigating them! Starting with the top-ranked risks first, identify the security measure that fixes that problem.
For example, if your risk is employees throwing PHI in the trash, your security measure could be quarterly employee security training and replacing trashcans with shredders.
Technically, once you’ve documented all the steps you’ll take, you’re done with the Risk Analysis! The implementation phase of fixing your security problems is actually part of your risk management plan (another crucial step towards HIPAA compliance.)
Step 5: Rinse, RepeatA risk analysis is truly a rinse and repeat process. One of the most important parts of your risk analysis is documentation. If you don’t document steps 1-4, you can’t prove to the HHS that you’ve done a complete and thorough risk analysis. They will want to see documentation, your risk management plan, and monthly progress on addressing the items identified in that risk management plan.
There is a lot to do, and it can be overwhelming. Don’t try to do it all at once, but start now and schedule time each week or at least once per month to work on your HIPAA compliance.
George Mateaki (CISSP, CISA, QSA, PA-QSA) is a Security Analyst at SecurityMetrics with an extensive background in Information Security and 20+ years in IT.