If you are reading this post, it is highly likely that you already know that you are required to do a security risk analysis. You know that HIPAA, Promoting Interoperability Program (PIP) (formerly known as Meaningful Use) and MIPS all require it. You are also probably struggling to understand how to do the risk analysis.
The biggest struggle in healthcare compliance is the completion of the security risk analysis. Organizations of all sizes have been cited for not having an accurate and thorough risk analysis completed. Lack of human resources, internal expertise, time, cost, and access to vendors are all major reasons the healthcare industry is not meeting this requirement.
CMS is working to make this reporting easier. They recently released their SRA Fact Sheet to assist hospitals and critical access hospitals with their risk analysis. If you are not a hospital, this fact sheet is still an extremely useful resource!
CMS and the ONC have also updated their free SRA tool. NIST has also released a free tool designed for healthcare entities to comply with HIPAA. Despite having a free tool available, it is still difficult to complete the entire requirement, as the tool does not identify technical vulnerabilities, including encryption deficiencies. The tools are also both quite lengthy consisting of over 400 questions that are highly technical.
There are some simple steps you can take to get you started on your risk analysis:
- Scope the assessment: Identify what the purpose of your risk analysis is and what areas of your organization will be included in the risk analysis.
- Gather Information: Do a walk-through of your facilities and document any compliance deficiencies observed. Having a checklist will make this easier (contact us if you would like a checklist). You should also review your IT asset list and confirm all IT assets that receive, access, or store protected health information are listed. In this step you should also review all your policies and procedures to make sure they are up to date and meeting all the necessary requirements. You can also use a checklist or questionnaire for this (again contact us if you need this).
- Identify Potential Vulnerabilities: You should look for physical as well as technical vulnerabilities. For physical vulnerabilities, observe any locations that are not as secure as they should be (check locks, windows, exits, storage closets, etc). For technical vulnerabilities, the easiest way to achieve this is by using a vulnerability scanning tool.
- Identify Potential Threats: Using all the information from steps two and three, as well as considering your environmental threats (such as weather or location), list out all the likely threats to your organization. Examples of threats include ransomware, phishing, power outage, internal sabotage, and so on.
- Assess Risk Probability: In this step, you will determine the likelihood of a threat exercising a vulnerability. An example of what this means is: How likely is it that a hacker can send a phishing email and your employees will click on it? You will need to walk through all of your identified threats and vulnerabilities and ask this question.
- Assess Risk Impact: In this step, you will determine what impact (financial, legal, reputational, and process) you will experience if a threat does exercise a vulnerability. For example, if an employee does click on a phishing email and downloads ransomware, how much will that cost your organization to repair; will you have a legal impact; will that hurt your reputation and your ability to retain and attract patients; and will this cause you to have to adopt new policies and train your staff?
- After you complete all this, you will need to create a risk management plan. In this plan you need to prioritize all the identified risks and document a plan for correcting them.
If you have any questions, or if you would like help completing your risk analysis, please contact us today!