By Art Gross, President and CEO, HIPAA Secure Now!
Twitter: @HIPAASecureNow
Before you buy a home, an inspection is completed as a way of exposing any potential issues to you as a buyer. This can give you leverage when it comes to purchasing price negotiation since these liabilities can often present risks to you as a resident. Those risks can come in the form of cost or even dangerous situations. You would want to know that the furnace is running efficiently to save you money, that the doors lock to keep you safe, and that the stairs aren’t going to collapse if someone uses them.
Consider your business the same way. You would want to know what gaps exist in your processes so that you can run more efficiently and save money, and you’d want to know if there are broken parts to your network and organization that can be dangerous and allow unlawful entry, right? A security risk assessment is like a home inspection for your business.
High Priority
The Department of Health and Human Services (HHS) has requirements around risk analysis that were designed with the National Institute of Standards and Technology (NIST). These were created to help organizations “better understand the requirements of the HIPAA Security Rule, implement those requirements and assess those implementations in their operational environment.” The HIPAA Security Rule is built on the foundation of doing a risk analysis to achieve compliance. Per this directive, the directions are as follows:
The Security Management Process standard in the Security Rule requires organizations to “[i]mplement policies and procedures to prevent, detect, contain, and correct security violations.” (45 C.F.R. § 164.308(a)(1).) Risk analysis is one of four required implementation specifications that provide instructions to implement the Security Management Process standard. Section 164.308(a)(1)(ii)(A) states:
RISK ANALYSIS (Required).
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].
One Size Doesn’t Fit All
A security risk analysis, or risk assessment as it is also called, does not follow a single series of steps that fits every business. Depending on your size, complexity, and capabilities, your methodology for conducting one will vary. Additionally, while you aren’t required to perform one at regular intervals, doing so will only strengthen your security posture against a data breach, and we recommend, at the very least, an annual review. Should you introduce a new system or process, we also recommend performing a review at that time to expose any new risks or gaps.
As the year winds down, we’ll be taking a deeper dive into security risk assessments, why you should do one, and how we can help to make sure your company is addressing any issues that can make you a more obvious target for cybercriminals.
This article was originally published on HIPAA Secure Now! and is republished here with permission.