Cybersecurity threats in healthcare have posed serious risks and challenges for years. As a result, the government recognized the need to regulate access to electronic protected health information, or ePHI. The Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health (HITECH) Act were designed and implemented as national standards for the privacy of protected health information, the security of ePHI, and breach notification to consumers. These rules include risk assessment and risk management by covered entities.
To understand risk assessment and risk management, it is important to understand essential terminology. As noted in the Department of Health and Human Services Basics of Risk Analysis and Risk Management document, here are the terms and definitions to know:
- Vulnerability is defined in NIST SP 800-30 as “[a] flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.”
- Vulnerabilities, whether accidentally triggered or intentionally exploited, could potentially result in a security incident, such as an inappropriate use or disclosure of ePHI. Vulnerabilities may be grouped into two general categories, technical and non-technical.
- Non-technical vulnerabilities may include ineffective or non-existent policies, procedures, standards or guidelines. Technical vulnerabilities may include: holes, flaws or weaknesses in the development of information systems; or incorrectly implemented and/or configured information systems.
- An adapted definition of threat, from NIST SP 800-30, is “[t]he potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.”
- There are several types of threats that may occur within an information system or operating environment. Threats may be grouped into general categories such as natural, human, and environmental. Examples of common threats in each of these general categories include:
- Natural threats may include floods, earthquakes, tornadoes, and landslides.
- Human threats are enabled or caused by humans and may include intentional (e.g., network and computer-based attacks, malicious software upload, and unauthorized access to ePHI) or unintentional (e.g., inadvertent data entry or deletion and inaccurate data entry) actions.
- Environmental threats may include power failures, pollution, chemicals, and liquid leakage.
The definition of risk is clearer once threat and vulnerability are defined. An adapted definition of risk, from NIST SP 800-30, is: “The net mission impact considering (1) the probability that a particular [threat] will exercise (accidentally trigger or intentionally exploit) a particular [vulnerability] and (2) the resulting impact if this should occur. [R]isks arise from legal liability or mission loss due to:
- Unauthorized (malicious or accidental) disclosure, modification, or destruction of information
- Unintentional errors and omissions
- IT disruptions due to natural or man-made disasters
- Failure to exercise due care and diligence in the implementation an operation of the IT system.”
Risk is a function of 1) the likelihood of a given threat triggering or exploiting a particular vulnerability, and 2) the resulting impact on the organization. This means that risk is not a single factor or event, but rather it is a combination of factors or events (threats and vulnerabilities) that, if they occur, may have an adverse impact on the organization.
NOTE: A Vulnerability triggered or exploited by a Threat equals a Risk.
Starting with Risk Analysis
Before you launch into risk management, it is important to take stock of potential risks posed to your organization.
- Identify and document potential threats and vulnerabilities.
- Assess current security measures.
- Determine the likelihood and risk level of a threat occurrence as well as its potential impact on your organization.
- Identify current and needed security measures and document your findings.
Moving on to Risk Management
After you analyze all potential risks to your organization, it is time to manage those risks:
- Develop and implement a risk management plan.
This step provides structure for the covered entity’s evaluation, prioritization, and implementation of risk-reducing security measures. Involve all the covered entity’s workforce and stakeholders to cover the following:
- What risks are being addressed
- What security measures are being implemented to combat the risk
- Implementation necessities such as required resources, assigned responsibilities/team members, start/completion dates, and maintenance requirements
- Implement security measures.
This step entails the actual implementation of security measures identified in the plan, both technical and non-technical, within the covered entity. This can be done by internal team members, external vendors, or a team that includes both. If outside vendors are used, it is the covered entity’s responsibility to ensure compliance with the Security Rule.
- Evaluate and maintain security measures.
Risk analysis and risk management are not one-time activities. Both are ongoing, dynamic processes that must be periodically reviewed and updated. This third step involves periodically performing risk analysis and risk management steps.
How can ComplyAssistant help?
ComplyAssistant offers a risk register within our Governance, Risk, and Compliance (GRC) software as well as Healthcare Cybersecurity Services to provide the customized level of support you need to keep your organization safe and HIPAA compliant. We can help you every step of the way, from identifying potential risks to implementing safeguards.