Making a risk assessment is the first step to getting HIPAA compliant. So you know you need to get compliant with HIPAA’s Security Rule, but you have one question in mind: where do you start? This is where the Risk Assessment comes into play.
What is a Risk Assessment?
A Risk Assessment, or Risk Analysis, is a process that assesses your organization’s potential vulnerabilities, threats, and risks to PHI. It’s the first step in Security Rule compliance.
Contrary to popular belief, a HIPAA Risk Assessment and Risk Management Plan aren’t optional. If you get audited by HHS and you don’t have these plans, you could be subjected to some major fines.
Many organizations aren’t sure where to start when it comes to creating a Risk Assessment, but it’s easier than they may think. Here are 5 steps to create your own Risk Assessment and Risk Management Plan.
SEE ALSO: SecurityMetrics NIST 800-30 Risk Assessment
1. Map out your PHI flow
You can’t protect your PHI if you don’t know where it’s located. You need to know where your PHI is housed, transmitted, and stored. To do this, you should map out and create a diagram of your PHI flow. Some things to consider while doing this are:
- Where PHI enters your entity
- What happens to PHI in your system
- Where PHI leaves your environment
- Where potential leaks may be
2. Identify vulnerabilities, threats, and risks
You need to find the problems that exist within your organization, specifically vulnerabilities, threats, and risks.
Vulnerabilities are holes in your security that could result in a security incident. Some examples of vulnerabilities include:
- Unpatched operating system software
- No office security policies
- Misconfigured firewalls
- Website coded incorrectly
A threat is the potential for a person or thing to trigger or exploit a vulnerability. Types of threats can range from human to environmental. Here are some examples of threats:
- Hackers downloading malware onto a system
- Power failures
- Workforce members
- Business associates
- Chemical leakage
Risks are the probability that a threat will take advantage of a vulnerability and result in a security breach. According to HHS “risk is not a single factor or event, but rather it is a combination of factors or events (threats and vulnerabilities) that, if they occur, may have an adverse impact on the organization.”
3. Analyze your risk level
You need to figure out which risks could impact your organization. By prioritizing these risks, you can determine what needs the most attention in your organization. When analyzing your risk level, consider the following:
- Likelihood of happening: how likely is this risk to occur? For example, a hurricane is less likely to impact organizations in Colorado than organizations in Florida.
- Potential impact: how would this risk affect your organization? For example, a computer screen accidentally showing PHI may have less impact than malware attacking your WiFi.
4. Create your Risk Management Plan
You now have a list of potential risks to your company. Now you need to decide how to address these risks. This process consists of three main steps:
- Plan how to evaluate, prioritize, and implement security controls
- Implement security to address the greatest areas of risk first
- Test the security controls you’ve implemented, and watch out for new risks.
SEE ALSO: How Much Does a HIPAA Risk Management Plan Cost?
5. Documentation
This is the most important part of your Risk Assessment. If you don’t document these steps, you can’t prove to HHS that you’ve done a Risk Assessment. Make sure you document these steps and the regular progress on addressing the risks you’ve identified.
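As an added illustration of steps 2 through 5 (not code from SecurityMetrics or HHS), the following minimal risk register pairs each threat with the vulnerability it could exploit, scores likelihood and impact, ranks the results so the greatest risks get controls first, and produces a documentation record. The 1-to-5 scales, the High/Medium/Low thresholds and the sample entries are assumptions constructed for the example, drawing on the threat and vulnerability examples given above.

```python
"""Minimal HIPAA risk register: threat/vulnerability pairs (step 2), a
likelihood x impact score (step 3), prioritization for controls (step 4)
and a record that can be retained as documentation (step 5).
The scales and thresholds below are assumptions, not HHS requirements."""
import json
from dataclasses import dataclass, asdict


@dataclass
class Risk:
    asset: str          # where in the PHI flow the risk sits (step 1)
    threat: str         # who or what could trigger the vulnerability
    vulnerability: str  # the hole in security the threat could exploit
    likelihood: int     # 1 (rare) .. 5 (almost certain); assumed scale
    impact: int         # 1 (negligible) .. 5 (severe); assumed scale

    def level(self) -> int:
        """Risk level as likelihood x impact; rejects values off the scale."""
        for value in (self.likelihood, self.impact):
            if not 1 <= value <= 5:
                raise ValueError("likelihood and impact must be 1..5")
        return self.likelihood * self.impact

    def rating(self) -> str:
        """Bucket the score; thresholds are an assumed convention."""
        score = self.level()
        if score >= 15:
            return "High"
        if score >= 8:
            return "Medium"
        return "Low"


def prioritize(register):
    """Highest level first, so controls address the greatest risks first."""
    return sorted(register, key=lambda r: (-r.level(), r.asset))


def documentation_record(register):
    """Step 5: JSON-serializable evidence of the analysis and its ranking."""
    return [dict(asdict(r), level=r.level(), rating=r.rating())
            for r in prioritize(register)]


# Constructed sample register built from the article's own examples.
SAMPLE_REGISTER = [
    Risk("billing workstation", "malware downloaded onto system", "unpatched operating system", 4, 5),
    Risk("clinic in Colorado", "hurricane", "no disaster recovery plan", 1, 4),
    Risk("front desk", "visitor walking past screen", "screen accidentally showing PHI", 3, 2),
    Risk("patient portal", "external hacker", "misconfigured firewall", 3, 5),
]

if __name__ == "__main__":
    print(json.dumps(documentation_record(SAMPLE_REGISTER), indent=2))
```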
SEE ALSO: How to Meet HIPAA Documentation Requirements
Making a Risk Assessment is a process, but it’s worth it to protect your organization. It’s the first step in securing your company, so make sure you do it right.
Need help with creating a Risk Assessment? Talk to one of our experts!