Covered entities and other health care organizations are required by HIPAA to perform a security risk analysis. The National Coordinator for Health Information Technology (ONC) has published a security risk assessment (SRA) tool, but this tool is targeted at small providers.
There’s no room for creativity in this area, so don’t invent your own template. Use an existing cyber security risk assessment checklist or template to perform your risk analysis.
Feel free to download our security risk assessment template, or someone else’s (we won’t mind!). Just make sure, whichever template you choose, that it contains the general steps in a security risk assessment:
What are the steps for a security risk assessment?
There are 4 steps that any security risk assessment method should have, plus a fifth that turns the results into action:
The first step in a security risk assessment process is to define the scope. For a HIPAA security risk assessment, this means to catalog all your information assets that store, use, or transmit electronic protected health information (ePHI).
Next, identify the security controls in place. A security control can lower the likelihood of something bad happening (e.g., locking your door), lower the impact of something bad happening (e.g., wearing a seatbelt), or let you know that something bad has happened (e.g., installing a smoke detector). These are, respectively, preventative, compensating, and detective controls. Write down all the controls in place that help secure your ePHI.
Thirdly, identify the threats and vulnerabilities that might affect your ePHI. A threat is a person or an event, such as a hacker or a power outage. Threats take actions. A vulnerability is a weakness that a threat can exploit, such as a missing security patch, a weak password, or a lost computer.
The last security risk assessment step is to determine the risk. Keeping in mind the controls you’ve identified, estimate the likelihood of each threat exploiting each vulnerability, and estimate the impact if it does. Your risk should be the product of the likelihood and the impact of each threat/vulnerability pair. (If your IT security risk assessment template doesn’t say something like “Likelihood x Impact = Risk”, find another template to use).
The fifth step in a cyber security risk assessment is to mitigate the risk. Any security risk assessment checklist is only as good as what you do with its results. Make sure that your assessment produces good recommendations on how to improve your security posture. The end goal is to improve things, not to spin your wheels doing analysis.
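The five steps above, worked through as a small risk register. This is an added example, not Techumen’s template or anything from ONC or NIST: the asset names, controls, threat/vulnerability pairs, 1-to-3 scores, and the rating bands are all constructed for illustration. It scopes to ePHI assets, records the controls in place, scores each threat/vulnerability pair as Likelihood x Impact, ranks the results, and carries a recommendation for each so the mitigation step has something to act on.

```python
# Added example (not from Techumen, ONC, or NIST): a minimal risk register that
# walks the five steps of a HIPAA security risk assessment. All asset names,
# controls, scores, and rating thresholds below are constructed for illustration.
from dataclasses import dataclass, field

SCALE = {"low": 1, "medium": 2, "high": 3}   # shared 1..3 scale for likelihood and impact


@dataclass
class Asset:
    """Step 1 (scope): anything that stores, uses, or transmits ePHI is in scope."""
    name: str
    handles_ephi: bool
    controls: list = field(default_factory=list)   # step 2: controls already in place


@dataclass
class Finding:
    """Step 3: one threat/vulnerability pair against one in-scope asset."""
    asset: str
    threat: str           # a person or event that takes action
    vulnerability: str    # the weakness the threat can exploit
    likelihood: int       # 1..3, estimated with the existing controls in mind
    impact: int           # 1..3
    recommendation: str   # step 5: what to do about it

    def risk(self) -> int:
        """Step 4: Likelihood x Impact = Risk."""
        return self.likelihood * self.impact


def rate(score: int) -> str:
    """Fixed bands so a 'High' means the same thing year to year and assessor to assessor."""
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def build_register(assets, findings):
    """Validate findings against scope and the scoring scale, then rank them by risk."""
    in_scope = {a.name: a for a in assets if a.handles_ephi}
    rows = []
    for f in findings:
        if f.asset not in in_scope:
            raise ValueError(f"{f.asset!r} is not an in-scope ePHI asset")
        if not (1 <= f.likelihood <= 3 and 1 <= f.impact <= 3):
            raise ValueError(f"scores for {f.threat!r} must be on the 1..3 scale")
        rows.append({
            "asset": f.asset,
            "controls": in_scope[f.asset].controls,
            "threat": f.threat,
            "vulnerability": f.vulnerability,
            "risk": f.risk(),
            "rating": rate(f.risk()),
            "recommendation": f.recommendation,
        })
    # Highest risk first, so the mitigation step starts at the top of the list.
    return sorted(rows, key=lambda r: r["risk"], reverse=True)


# Constructed sample data for a small clinic (hypothetical, not a real assessment).
SAMPLE_ASSETS = [
    Asset("EHR database server", True, ["nightly backups", "firewall"]),
    Asset("Clinic laptops", True, ["screen lock"]),
    Asset("Marketing website", False),          # holds no ePHI: out of scope
]

SAMPLE_FINDINGS = [
    Finding("EHR database server", "ransomware operator", "missing OS security patches",
            SCALE["high"], SCALE["high"], "patch monthly; enable automatic updates"),
    Finding("Clinic laptops", "laptop theft", "no full-disk encryption",
            SCALE["medium"], SCALE["high"], "enable full-disk encryption on all laptops"),
    Finding("Clinic laptops", "phishing email", "weak passwords",
            SCALE["medium"], SCALE["medium"], "enforce a password policy and MFA"),
    Finding("EHR database server", "power outage", "no UPS",
            SCALE["medium"], SCALE["low"], "install a UPS for the server rack"),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_ASSETS, SAMPLE_FINDINGS):
        print(f'{row["rating"]:6} {row["risk"]}  {row["asset"]}: '
              f'{row["threat"]} / {row["vulnerability"]} -> {row["recommendation"]}')
```

Two design points are worth keeping even if you use a spreadsheet instead: a finding against an asset that is not in the ePHI inventory is rejected rather than silently scored, and the rating bands are fixed constants rather than judgement calls, so the register can be compared against last year’s.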
A Security Risk Assessment Checklist
Whether you’re using Techumen’s security risk assessment template or someone else’s, there are a few items you should verify to make sure that your assessment will be a good one:
Is the scope defined? What are you assessing, and what aren’t you assessing? This could be certain operations, organizations, physical locations, or groups of people, for instance. Be clear about what’s in-scope and what’s not.
Is there an inventory of all hardware and software that deals with ePHI? It’s what you don’t know that gets you – software that a user installed, a personal device on the network or a cloud service provider that someone is using under the radar.
What risk assessment methodology did you use? Make sure your assessment has everything that the methodology calls for. For example: If you’re using NIST 800-30’s methodology, you should have a list of information security risks that can be prioritized by risk level.
Who did the assessment, and when? For a HIPAA/meaningful-use security risk assessment checklist, the assessment should be reviewed once per year. The report should have a revision history to track this requirement.
Does it list the threats and vulnerabilities you considered? If you do suffer a breach, you’ll want to be able to show that the events of the breach were something you’d previously considered (even in vain). This will minimize both your embarrassment and any fines that may be assessed.
Does it discuss the control environment? Risks can’t be considered outside of the environment that you work in. Often, even reviewing the control environment will highlight some obvious recommendations for improvement.
How does it produce a risk rating? A “High” risk today should be the same as a “High” risk next year, and one person’s “High” should be pretty similar to another’s. Try to make this as quantitative as possible.
What recommendations did the assessment team make? As we mentioned above, the whole point of a security risk assessment is to improve things, by way of good recommendations.
When did management review the assessment? Once the assessment is finished, leadership should review each recommendation and do one of three things: Approve the recommendations, Alter the recommendation and do something else, or Accept the risk. It’s fine to accept risks – some can’t be fixed, some are too expensive to fix, and sometimes the organization has other priorities. But this decision needs to be made deliberately.