Introduction
The purpose of a risk assessment is to identify threats and vulnerabilities and to develop plans to mitigate the risks the assessment uncovers. Like any process, it can be easy or extremely complex and difficult. Planning is the key.
C-I-A triad
The C-I-A triad consists of three elements: the confidentiality, integrity, and availability of data and data systems.
Confidentiality simply means limiting access to those who have a legitimate need to know. Integrity ensures that data is not altered, and availability means that people who need the data can access and use it.
This is a relatively simple concept that has had a profound impact on healthcare and HIPAA compliance.
Risk assessment will help managers and compliance personnel identify the risks of their medical practices before they become problematic.
The Department of Health and Human Services requires an annual risk analysis.
Risk analysis and the Security Rule
The Department of Health and Human Services requires an annual risk assessment through its subordinate agencies. This risk assessment is based on NIST Special Publication 800-66, which describes the risk analysis called for by the HIPAA Security Rule.
The results of risk analysis are critical to identifying and mitigating actual and potential vulnerabilities in information systems and workflow practices.
Failure to comply may result in the loss of your business through fines and penalties.
Risk analysis process
Risk analysis is a process like any other, and the first time through it can look like an overwhelming task. Let us tame this beast.
The first step is to understand the basic information and definitions for conducting a risk assessment.
Definitions
Have you heard the old joke about how to eat an elephant? Answer: one bite at a time.
That saying could have been written specifically for risk assessment.
First, we need to know the terminology used in the process. We need to establish a baseline understanding of what we are going to do, how we will do it, and what we will do afterwards.
Vulnerability
NIST SP 800-33 defines a vulnerability as "a flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system's security policy."
No system is free of vulnerabilities. Vulnerabilities stem from coding errors, program changes, system or software updates, and changes in threats over time. Analysts must stay aware of changing threats and vulnerabilities while actively working to resolve the ones already identified.
This process never ends.
Threat
A threat is "someone or something that could [accidentally trigger or intentionally exploit] a particular vulnerability."
A vulnerability is not necessarily a problem until a threat exists that can exploit it. Common natural threats are fires, floods, or tornadoes. Human threats include computer hacking, careless handling of ePHI, or inadvertent data exposure. Environmental threats include events such as power failures.
Risk
Risk exists when there is a vulnerability that can be exploited by a matching threat. One cannot exist as a risk without the other.
The level of risk depends on the degree of expected damage if the vulnerability is exploited and the likelihood that the vulnerability will be exploited.
Risk = severity of potential damage + likelihood of threat
Elements of risk assessment
By breaking the risk assessment process down into smaller, more manageable parts, we can complete the tasks quickly and efficiently. Or at least efficiently.
Scope
The scope of the risk analysis defines what the analyst is trying to determine. Different industries have different requirements, so analysts must keep abreast of their own processes and procedures.
Within the scope, analysts and business entities clearly define the goals of the project. They determine how to achieve these goals and how to collect the required data in the risk management process.
Data collection
Care must be taken during the data collection process not to compromise ePHI. Part of data collection involves how protected data is stored, and that information should be treated like any other data point.
Identify potential threats and vulnerabilities
As each threat or vulnerability is identified, it must be documented for evaluation. This evaluation should include the level of risk if the threat or vulnerability is exploited.
Analysts can only reduce known risks. This is where the risk assessment team draws on the collected data.
Assess current security and potential measures
All identified risks, threats and vulnerabilities must be evaluated. There will always be some risk. Analysts must classify each finding by potential harm and likelihood, and then develop security measures to correct the perceived risk.
Determine the likelihood of a threat occurring
The likelihood depends on how easily the vulnerability can be exploited. If the probability is low, the event is unlikely to happen, and the risk is correspondingly lower.
Identify potential impacts
Putting everything together allows analysts to determine the potential impact of a particular event. For example, if your area is prone to flooding, what impact will it have on your business?
Determine risk level
Merging all the data you collect into a risk matrix or risk register will help you identify potential damage.
For example, if the severity you determine is low, the likelihood of damage is low, and the likelihood of occurrence is low, then your risk will be low. However, if any one of these items has a high or medium impact or likelihood, your potential risk increases.
The use of a risk register is essential for the correct completion of risk assessments.
Complete documentation and reports
After collecting and analyzing your data, you will need to submit a risk assessment report. The report must be clear and concise, detailing all activities, outcomes and potential risks.
The HHS website provides some tools to assist with this work.
Risk mitigation
Risk mitigation is often the hardest part of completing a risk analysis because it is now necessary to allocate actual resources and funds. It is important to establish a priority list here.
Your goal is to mitigate every negative finding. You may not be able to achieve this goal, but you should try. At a minimum, you should start the mitigation process with the most dangerous items and then work through the list in order of severity.
Continual updates
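The risk register logic from "Determine risk level" and the severity-ordered mitigation list above, as an added example (not the article's or HHS's own tooling): it scores each finding with the page's formula (severity of potential damage + likelihood of threat) on an assumed three-step Low/Medium/High scale, and sorts the register so mitigation starts at the top. The sample findings are constructed for illustration.

```python
from dataclasses import dataclass

# Assumed ordinal scale shared by "severity of potential damage" and "likelihood of threat".
LEVELS = {"low": 1, "medium": 2, "high": 3}

@dataclass
class RiskEntry:
    """One row of the risk register: a threat paired with the vulnerability it exploits."""
    threat: str
    vulnerability: str
    severity: str    # expected damage if the vulnerability is exploited
    likelihood: str  # probability that the threat actually exploits it

def risk_score(severity: str, likelihood: str) -> int:
    """The page's formula, severity + likelihood, on the 1..3 scale (result 2..6)."""
    return LEVELS[severity.lower()] + LEVELS[likelihood.lower()]

def risk_level(severity: str, likelihood: str) -> str:
    """Low+Low stays low; any Medium or High rating raises the level."""
    score = risk_score(severity, likelihood)
    if score <= 2:
        return "low"
    if score <= 4:
        return "medium"
    return "high"

def build_register(entries):
    """Register rows sorted most dangerous first, so mitigation starts at the top."""
    rows = [{"threat": e.threat, "vulnerability": e.vulnerability,
             "severity": e.severity, "likelihood": e.likelihood,
             "score": risk_score(e.severity, e.likelihood),
             "level": risk_level(e.severity, e.likelihood)} for e in entries]
    # Ties on score are broken by severity, matching "list order by severity".
    return sorted(rows, key=lambda r: (r["score"], LEVELS[r["severity"].lower()]),
                  reverse=True)

def mitigation_order(entries):
    """Priority list for the mitigation phase: threat names in descending risk order."""
    return [row["threat"] for row in build_register(entries)]

# Constructed sample findings for a small practice (illustrative, not real data).
SAMPLE = [
    RiskEntry("Theft of laptop", "ePHI stored unencrypted on laptop", "high", "medium"),
    RiskEntry("Flood", "Server room below grade, no offsite backup", "high", "low"),
    RiskEntry("Shoulder surfing", "Workstations never auto-lock", "medium", "medium"),
    RiskEntry("Brief power flicker", "UPS covers all clinical systems", "low", "low"),
]
if __name__ == "__main__":
    for row in build_register(SAMPLE):
        print(f'{row["level"]:6} {row["score"]} {row["threat"]}: {row["vulnerability"]}')
```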
With an annual risk assessment, you can ensure that you meet compliance standards, protect your patients, and minimize the overall risk of your healthcare practice.
Conclusion
Risk assessments are not glamorous or even interesting, but they are necessary to help prevent security-related issues and meet government regulations.
Creating an outline of the risk analysis plan and breaking it down into smaller pieces will help you complete it with minimal time and frustration. Unfortunately, the larger your medical practice, the more complex the risk assessment.
The Department of Health and Human Services has several tools to help you conduct your own risk assessment. Oh, and remember that a risk assessment is a must!
Medical risk assessment was originally published on Spring