elements of security risk assessment and risk management

Elements of Security Risk Analysis 29 September, 2014

Upload: healthpoint

Post on 14-Jun-2015

DESCRIPTION

This presentation focuses on: HIPAA requirements, the elements of a Security Risk Analysis (SRA), and evidence of requirement fulfillment.

TRANSCRIPT

Page 1: Elements of security risk assessment and risk management

Elements of Security Risk Analysis

29 September, 2014

Page 2: Elements of security risk assessment and risk management

HealthPOINT at Dakota State University

Daniel Friedrich, CISSP, Executive Director, Center for the Advancement of Health Information Technology, Dakota State University

Holly Arends, CHTS-CP, CHSP, Clinical Program Manager, HealthPOINT, Dakota State University

Page 3: Elements of security risk assessment and risk management

Today’s Focus

• HIPAA Requirements

• Elements of a Security Risk Analysis (SRA)

• Evidence of requirement fulfillment

Page 4: Elements of security risk assessment and risk management

Requirement

• HIPAA Security Rule 45 CFR 164.302-318

• Security Management Process 164.308(a)(1)

• Conduct Risk Analysis 164.308(a)(1)(ii)(A)

• Accurate and thorough assessment

• Maintain integrity, confidentiality, availability of ePHI

• Create Risk Management Program 164.308(a)(1)(ii)(B)

• Implement security measures to reduce risks and vulnerabilities to reasonable and appropriate level

Page 5: Elements of security risk assessment and risk management

HHS Guidance on Risk Analysis Requirements Under HIPAA Security Rule

HHS Guidance Document

• Scope of Analysis

• Data Collection

• Identify and Document Potential Threats and Vulnerabilities

• Assess Current Security Measures

• Determine the Likelihood of Threat Occurrence

• Determine Potential Impact of Threat Occurrence

• Determine Level of Risk

• Finalize Documentation

• Periodic Review and Updates to Risk Assessment

Page 6: Elements of security risk assessment and risk management

Foundational Work

• Risk Management

• Holistic

• Tied to Organizational Mission

• Risk Assessment is fundamental to Risk Management

Culture of Compliance

Page 7: Elements of security risk assessment and risk management

[Diagram: Risk Assessment, Risk Management Plan, Policies and Procedures, Training, labelled Culture of Compliance]

Page 8: Elements of security risk assessment and risk management

Conduct Risk Assessment

Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the (organization).

• The Rule mandates no specific methodology; whatever method is used must still cover the elements listed in the HHS guidance

Page 9: Elements of security risk assessment and risk management

Heart of Analysis

[Diagram: Asset, Threat, Vulnerability, Mitigation]

Page 10: Elements of security risk assessment and risk management

Elements of Risk Assessment-Interview

• Based on OCR Audit Protocol

• Potentially Hundreds of questions

Page 11: Elements of security risk assessment and risk management

Elements of Risk assessment- Asset Inventory

• Create an Inventory of Relevant Information Systems

• What type of PHI

• Who has access

• Location- onsite, offsite

• Hardware/Software

• Vulnerabilities

• Threats

• Criticality

• Security Controls in place

• Likelihood and Impact

• Update as needed, new or changing systems

Page 12: Elements of security risk assessment and risk management

Elements of Risk Assessment-On Site Walk Through

• Physical view of safeguards in place and how they function in real life

Page 13: Elements of security risk assessment and risk management

Where’s the Evidence?

Page 14: Elements of security risk assessment and risk management

Final Documentation

• Report

• Dated and Identify the organization

• Identifies Risks

• Outlines risks categorically

• Aid in prioritization

Page 15: Elements of security risk assessment and risk management

What if the Final Report has not been created?

• Ask for a Draft report that may have been sent to the client

• Contact the SRA Vendor to verify dates of SRA

• Vendor to provide a letter of confirmation

Page 16: Elements of security risk assessment and risk management

Periodic Review and Update

• When changes occur, or at least annually

• Date of Review

• Progress OR Lack of Progress made on Previously Identified Risks

• New Identified Risks

Page 17: Elements of security risk assessment and risk management

Asset or PHI Inventory

• Scope is identified in this document

• Lists Information Systems

• Identifies

• Vulnerabilities

• Safeguards in place

• The likelihood and impact if a vulnerability is exploited

• Risk Rating Score/Urgency Score

Page 18: Elements of security risk assessment and risk management

Sample Asset Inventory

PHI INVENTORY columns: Item Name; Type (Hardware, Software, etc.); Contains ePHI?; Assignee; Probability (P) (Likelihood) (0-3)**; Impact (I); Impact Score; Risk Rating (P x I); Vulnerability** Administrative (0-3); Administrative safeguards in place?; Safeguard Score; Vulnerability** Physical (0-3); Physical safeguards in place?; Safeguard Score; Vulnerability** Technical (0-3); Technical safeguards in place?; Safeguard Score; Remediation Urgency

Row 1

• Item Name: EHR System (product name)

• Type: EHR

• Contains ePHI?: Located at vendor facility

• Assignee: Vendor ( )

• Probability (P): 2

• Impact (I): Loss of some/all patient data

• Impact Score: 3

• Risk Rating (P x I): 6

• Administrative: Vulnerability 2, safeguards in place? Partial, Safeguard Score 1

• Physical: Vulnerability 2, safeguards in place? Partial, Safeguard Score 1

• Technical: Vulnerability 2, safeguards in place? Partial, Safeguard Score 1

• Remediation Urgency: 36

Row 2

• Item Name: Network (product name)

• Type: Dell LAN server

• Contains ePHI?: Local Area Network server located on-site in server room

• Assignee: Leanne / Stephanie

• Probability (P): 2

• Impact (I): HIPAA Breach, Fines

• Impact Score: 6

• Risk Rating (P x I): 12

• Administrative: Vulnerability 0, safeguards in place? Yes, Safeguard Score 3

• Physical: Vulnerability 2, safeguards in place? Partial, Safeguard Score 1

• Technical: Vulnerability 0, safeguards in place? Yes, Safeguard Score 3

• Remediation Urgency: 24

Page 19: Elements of security risk assessment and risk management

Risk Rating Score

• Threat

• Vulnerability

• Likelihood

• Impact

[Diagram: Asset, Threat, Vulnerability, Mitigation]
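The sample inventory rows and the Risk Rating Score slide leave the arithmetic implicit. The Python below is an added example, not code from the HealthPOINT deck. Its scoring rules are assumptions chosen because they reproduce both sample rows (risk 6 and urgency 36 for the EHR, risk 12 and urgency 24 for the LAN server): safeguard state maps to a 0-3 safeguard score (Yes=3, Partial=1, No=0), vulnerability is 3 minus the safeguard score, risk rating is P x I, and remediation urgency is the risk rating multiplied by the sum of the three vulnerability scores. The Asset class, the function names and the two constructed sample rows are all illustrative.

```python
"""Score a PHI/asset inventory using the columns of the sample table.

Added example, not code from the HealthPOINT deck. The scoring rules are an
assumption that reproduces the two sample rows:
  safeguard state -> safeguard score   Yes=3, Partial=1, No=0
  vulnerability score                  3 - safeguard score      (0-3)
  risk rating                          P x I
  remediation urgency                  risk rating x sum(vulnerability scores)
"""
from dataclasses import dataclass

# The three safeguard families of the HIPAA Security Rule.
SAFEGUARD_FAMILIES = ("Administrative", "Physical", "Technical")
SAFEGUARD_SCORE = {"Yes": 3, "Partial": 1, "No": 0}   # assumed mapping
MAX_SCORE = 3


@dataclass
class Asset:
    name: str
    asset_type: str
    location: str
    assignee: str
    probability: int        # likelihood of the threat, 0-3
    impact: str             # consequence if the threat materialises
    impact_score: int       # numeric weight of that consequence
    safeguards: dict        # family -> "Yes" | "Partial" | "No"


def validate(asset: Asset) -> None:
    """Reject rows the scoring rules cannot interpret."""
    if not 0 <= asset.probability <= MAX_SCORE:
        raise ValueError(f"{asset.name}: probability {asset.probability} outside 0-{MAX_SCORE}")
    missing = [f for f in SAFEGUARD_FAMILIES if f not in asset.safeguards]
    if missing:
        raise ValueError(f"{asset.name}: no safeguard entry for {', '.join(missing)}")
    for family, state in asset.safeguards.items():
        if state not in SAFEGUARD_SCORE:
            raise ValueError(f"{asset.name}: unknown safeguard state {state!r} for {family}")


def vulnerability_score(state: str) -> int:
    """Weaker safeguards leave a larger residual vulnerability (0-3)."""
    return MAX_SCORE - SAFEGUARD_SCORE[state]


def risk_rating(asset: Asset) -> int:
    """Risk Rating column: probability times impact score."""
    return asset.probability * asset.impact_score


def remediation_urgency(asset: Asset) -> int:
    """Risk rating weighted by how much safeguard coverage is missing."""
    residual = sum(vulnerability_score(s) for s in asset.safeguards.values())
    return risk_rating(asset) * residual


def score_inventory(assets):
    """Return one scored row per asset, most urgent first."""
    rows = []
    for a in assets:
        validate(a)
        rows.append({
            "item": a.name,
            "assignee": a.assignee,
            "risk_rating": risk_rating(a),
            "vulnerabilities": {f: vulnerability_score(a.safeguards[f]) for f in SAFEGUARD_FAMILIES},
            "urgency": remediation_urgency(a),
        })
    return sorted(rows, key=lambda r: r["urgency"], reverse=True)


# Constructed sample rows mirroring the two in the deck's table.
SAMPLE_INVENTORY = [
    Asset("EHR System", "EHR", "Located at vendor facility", "Vendor",
          probability=2, impact="Loss of some/all patient data", impact_score=3,
          safeguards={"Administrative": "Partial", "Physical": "Partial", "Technical": "Partial"}),
    Asset("Dell LAN server", "Local Area Network server", "On-site server room", "Leanne / Stephanie",
          probability=2, impact="HIPAA breach, fines", impact_score=6,
          safeguards={"Administrative": "Yes", "Physical": "Partial", "Technical": "Yes"}),
]

if __name__ == "__main__":
    for row in score_inventory(SAMPLE_INVENTORY):
        print(f"{row['item']:<16} risk={row['risk_rating']:>3} urgency={row['urgency']:>3} {row['vulnerabilities']}")
```

Sorting by urgency rather than by raw risk rating is what the deck's numbers imply: the LAN server carries the higher risk rating (12 versus 6) but the lower urgency (24 versus 36), because two of its three safeguard families are already fully in place. Any row with an out-of-range probability, a missing safeguard family or an unrecognised safeguard state is rejected rather than silently scored.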

Page 20: Elements of security risk assessment and risk management

Risk Management Plan

• Identified Risks

• Action Plan

• Responsible Person(s)

• Actions Taken

• Goal dates

• Resolved Dates

Page 21: Elements of security risk assessment and risk management

Sample Risk Management Plan

Columns: Risk Identified; Level of risk; Date identified; Responsible Party; Mitigation Strategy; Goal date; Actions (what has been done, what planning has been done, etc.); Resolved Date

• Risk Identified: No policies or procedures present that require a risk assessment to be done, or define its scope, nature, and frequency.

• Level of risk: high

• Date identified: 07/04/05

• Responsible Party: Administration - Risk Manager/Quality Manager

• Mitigation Strategy: Risk Manager to write policy and procedure

• Goal date: 12/01/13

• Actions: 5/3/2013 - Risk Manager has drafted a policy; it is being reviewed by medical staff at the June 2013 meeting. 6/27/2013 - Medical staff have reviewed and have requested changes. 10/1/2013 - Risk Manager has made changes to the policy; it will be reviewed at the November medical staff meeting.

• Resolved Date: (not yet resolved)

Page 22: Elements of security risk assessment and risk management

The Risk Web

SRA

Communications

Policy Changes

Training Events

Personnel Files

Tangible Changes

Update/review of SRA

Page 23: Elements of security risk assessment and risk management

Wrap Up

• Comprehensive and Thorough

• Finalized Documentation

• Review/Update no less than annually