Making a risk assessment is the first step to getting HIPAA compliant
What is a Risk Assessment?
Making a Risk Assessment, or Risk Analysis, is a process that assesses your organization's potential vulnerabilities, threats, and risks to PHI. It's the first step toward Security Rule compliance.
Many organizations aren't sure where to start when it comes to creating a Risk Assessment, but it's easier than they may think. Here are 5 steps to create your own Risk Assessment and Risk Management Plan.
SEE ALSO: SecurityMetrics NIST 800-30 Risk Assessment
Making a risk assessment
1. Map out your PHI flow
You can't protect your PHI if you don't know where it's located. You need to know where your PHI is received, transmitted, and stored. To do this, map out and diagram your PHI flow. Some things to consider while doing this are:
- Where PHI enters your entity
- What happens to PHI in your system
- Where PHI leaves your environment
- Where potential leaks may be
SEE ALSO: PHI: It’s Literally Everywhere [Infographic]
2. Identify vulnerabilities, threats, and risks
You need to find problems that exist within your organization, specifically vulnerabilities, threats, and risks.
Vulnerabilities are holes in your security that could result in a security incident. Some examples of vulnerabilities include:
- Unpatched operating system software
- No office security policies
- Misconfigured firewalls
- Website coded incorrectly
A threat is the potential for a person or thing to exploit a vulnerability. Types of threats range from human to environmental. Here are some examples of threats:
- Hackers downloading malware onto a system
- Power failures
- Workforce members
- Business associates
- Chemical leakage
A risk is the probability that a threat will take advantage of a vulnerability and result in a security breach. According to HHS, "risk is not a single factor or event, but rather it is a combination of factors or events (threats and vulnerabilities) that, if they occur, may have an adverse impact on the organization."
3. Analyze your risk level
For each risk you identified, rate two factors:
- Likelihood of happening: How likely is it that this risk will actually occur? For example, a hurricane is less likely to impact organizations in Colorado than organizations in Florida.
- Potential impact: How badly would this risk affect your organization if it did occur? For example, a computer screen accidentally showing PHI may have less impact than malware attacking your WiFi.
4. Create your Risk Management Plan
You now have a list of potential risks to your company. Now you need to decide how to address these risks. This process consists of three main steps:
- Plan how to evaluate, prioritize, and implement security controls
- Implement security controls to address the greatest areas of risk first
- Test the security controls you've implemented, and watch out for new risks
By creating a Risk Management Plan, you show how you are handling these potential risks and how you're addressing security.
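The following is an added example, not part of the original article, showing steps 2 through 4 as a small risk register: each entry pairs a threat with a vulnerability, rates likelihood and impact, and the register is ranked so the greatest risks are addressed first. The 1-to-3 scales, the level thresholds, and the sample entries are assumptions for illustration; HHS leaves the exact scoring method to each organization.

```python
from dataclasses import dataclass

# Ordinal scales for the two factors from step 3 (assumed 1..3 scale;
# the rule does not prescribe one, so choose and document your own).
LIKELIHOOD = {"low": 1, "medium": 2, "high": 3}
IMPACT = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Risk:
    threat: str          # who or what could act (step 2)
    vulnerability: str   # the weakness the threat could exploit (step 2)
    likelihood: str      # step 3, factor 1
    impact: str          # step 3, factor 2


def risk_score(risk: Risk) -> int:
    """Combine the two factors into one number (likelihood x impact)."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def risk_level(score: int) -> str:
    """Bucket a score into the level used to prioritise controls (step 4)."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def rank_risks(risks):
    """Highest score first, so the greatest areas of risk are worked first."""
    return sorted(risks, key=risk_score, reverse=True)


def prioritised_plan(risks):
    """Return (vulnerability, score, level) tuples in the order to address them."""
    return [(r.vulnerability, risk_score(r), risk_level(risk_score(r)))
            for r in rank_risks(risks)]


# Constructed sample register built from the examples given in the text.
REGISTER = [
    Risk("hacker delivering malware", "unpatched operating system", "high", "high"),
    Risk("hurricane", "server room in a flood zone", "low", "high"),
    Risk("workforce member", "screen showing PHI visible to visitors", "medium", "low"),
    Risk("business associate", "no written security policies", "medium", "medium"),
]

if __name__ == "__main__":
    for vuln, score, level in prioritised_plan(REGISTER):
        print(f"{level:6} {score:2}  {vuln}")
```

The ranked output is the ordering your Risk Management Plan should follow, and the register itself is the kind of record step 5 asks you to keep.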
SEE ALSO: How Much Does a HIPAA Risk Management Plan Cost?
5. HIPAA Documentation
This is the most important part of your Risk Assessment. If you don't document these steps, you can't prove to HHS that you've done a Risk Assessment. Make sure you document each step and your ongoing progress on addressing the risks you've identified.
SEE ALSO: How to Meet HIPAA Documentation Requirements
Making a Risk Assessment takes effort, but it's worth it to protect your organization. It's the first step in securing your company, so make sure you do it right.