Why Does HIPAA Require a Risk Assessment?

posted Oct 5, 2014, by Ron Gault

From a series of 'Ask the Expert' columns for a HIPAA Compliance website: Why Does HIPAA Require a Risk Assessment?

The HIPAA Security Rules are based on the National Institute of Standards and Technology (NIST) guidelines, which stress risk assessment as one of the critical processes of managing any system. The results of a risk assessment are then available for use in risk management, the effort of minimizing the likelihood of identified undesirable event(s) taking place. The HIPAA Security Rules define some specific, mandatory information security measures, but they also require each entity to identify which of a set of addressable information security measures are needed and to incorporate them only if the risk requires it, a very logical and commonly used way to approach making cost-conscious business decisions.

The risk assessment process endorsed by NIST/HIPAA is a systematic, comprehensive, repeatable and defensible process to determine the vulnerabilities of the information system under investigation. After determining vulnerabilities, the process identifies the risk by combining the vulnerabilities with the consequences of those vulnerabilities being exploited, either inadvertently or deliberately (threats). With this data, it is also possible to identify and evaluate effective means of mitigating any unacceptable risks to an acceptable level. Via the risk assessment, an entity determines which of the HIPAA addressable processes, procedures, and technical measures are required and then defends the sufficiency of its own specific implementation of these.

How would I do a Risk Assessment for my Medical Clinic?

Risk assessment has three major parts: defining the system, identifying the threats, and calculating the risk of individual threats.

Risk assessment starts by identifying the system under consideration and then determining the causes of undesirable event(s), or threats, which could occur in the system. Viewed as a system, the typical small clinic has the physical components of waiting room, exam rooms, physicians’ offices, administration office, laboratory/equipment room, etc. Within this system, certain assets, such as EMRs and other information processing equipment, form the subsystem of interest for risk assessment. If you look at how information system components interact with each other and where the assets of concern reside/are accessible, then you can evaluate how the undesirable consequences can happen (scenarios) and the likelihood of them happening.

The major undesirable event of concern for HIPAA (and, therefore, the small clinic) is the compromise of patient information. Included in this area of concern, and probably the more immediate concern for a small clinic, is the loss of the ability to conduct business due to non-operational information systems. For example, an information system could be rendered non-operational by an attack from a virus that has compromised key applications.

Once the system under analysis is defined and the major threats identified, the causes of the threats can be evaluated for their likelihood of occurrence in the system. You can then calculate the risk by taking the product of the likelihood of occurrence and the consequence of each undesirable event. Let’s look at a real-world example.

The typical clinic has numerous computer workstations that allow for access to patient information. Risk assessment asks: Are the workstations protected from unauthorized use by the casual passerby, or from the covert thief (i.e., burglar or internet hacker)? For example, do the workstations automatically log off if the authorized user forgets to log off, and are complex passwords required to log on? Such a risk assessment does not need to be done at a mathematically complex level; it can be done effectively at the top level shown in the table and be successful.

In this example, let’s assume that you have reviewed your clinic and determined that the likelihood of anyone gaining access to patient data via your workstations is medium, based on your current configuration and protection measures. And let’s assume you recently digitized all your old paper files, invested in a non-water fire suppression system, and established a backup copy at a secure remote site. The likelihood of losing this data is now very low (1). While the consequence of losing a small amount of patient data through an unprotected workstation is smaller than losing all the data contained in your paper files (5 vs. 7), the likelihood of someone gaining patient data via a workstation is now much greater than the likelihood of a fire causing you to lose all that data (5 vs. 1). Therefore, the information system risk from the unprotected workstation can be computed to be greater (5 x 5 = 25) than that from a fire in your office (7 x 1 = 7). If additional resources were to be expended for security, they would best be focused on reducing the risk from unprotected workstations rather than on additional fire protection or data backup.
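The scoring walked through above, as an added example that is not part of the original column: a small risk register that applies the likelihood-times-consequence rule to the two clinic scenarios, ranks them, and compares where a control investment removes the most risk. The two scenario scores come from the column; the candidate controls and the likelihood each is assumed to leave behind are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Scenario:
    """One undesirable event in the clinic's risk profile."""
    name: str
    likelihood: int   # higher = more likely; the column uses 1 (very low) and 5 (medium)
    consequence: int  # higher = worse; the column uses 5 (partial loss) and 7 (total loss)

    def risk(self) -> int:
        # Risk is the product of likelihood and consequence, as the column states.
        return self.likelihood * self.consequence


# Scores taken from the column's worked example.
REGISTER = [
    Scenario("patient data read from an unprotected workstation", likelihood=5, consequence=5),
    Scenario("all digitized records lost to an office fire", likelihood=1, consequence=7),
]

# Constructed (not from the column): candidate controls, each mapped to the
# scenario it addresses and the likelihood it is assumed to leave behind.
PROPOSALS = {
    "automatic log-off plus complex passwords": ("patient data read from an unprotected workstation", 2),
    "second off-site backup copy": ("all digitized records lost to an office fire", 1),
}


def ranked(register):
    """Risk profile ordered from highest to lowest risk."""
    return sorted(register, key=lambda s: s.risk(), reverse=True)


def risk_reduction(register, scenario_name, new_likelihood):
    """Points of risk removed if a control drops the scenario's likelihood."""
    scenario = next(s for s in register if s.name == scenario_name)
    return scenario.risk() - new_likelihood * scenario.consequence


def best_investment(register, proposals):
    """Control that removes the most risk; the first one wins a tie."""
    return max(proposals, key=lambda p: risk_reduction(register, *proposals[p]))


if __name__ == "__main__":
    for s in ranked(REGISTER):
        print(f"{s.risk():3d}  {s.name}")
    print("focus on:", best_investment(REGISTER, PROPOSALS))
```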

HIPAA requires you to do a similar analysis on your entire enterprise and show that the information security measures you have in place result in a risk profile (list of all identified risks) that is acceptable. It doesn’t need to be any more complex than the example given above, and for the small clinic, the effort can be conducted and documented in a short amount of time. Chances are you have already reviewed some of these issues as part of establishing and setting up your information systems. We’ll address commonly used information security ‘best practices’ in a future posting. Right now, it’s time to evaluate and document what your risk profile is and see where you stand!