Risk analysis is a journey, an ongoing progressive process.
As healthcare organizations have focused their efforts on COVID-19 and its impact on operations, “bad actors” have accelerated their efforts to attack healthcare organizations.
Regardless of size, each organization is required to comply with HITECH and the HIPAA Security Rule risk analysis requirement. The Office for Civil Rights’ (OCR) expectation is a ‘thorough’ risk analysis of all applications that contain, store, transmit or receive ePHI held by the covered entity or business associate, or on behalf of the covered entity or business associate. If you accept credit cards, the Payment Card Industry Data Security Standard (PCI DSS) also requires a risk analysis.
The effectiveness of your Security Program is based on the quality of your risk analysis. Some consulting firms conduct an evaluation of compliance with the HIPAA Security Rule and call that a “risk analysis.” Our approach is different because tools or approaches aligned solely to HIPAA are not a true risk analysis.
Contact tw-Security to see our risk assessment (risk analysis and compliance) process and examples of our work products and deliverables.
Risk analysis is about anticipating “What if?” based on statistics, experience, and expertise. Now, more than ever, it is critical to anticipate “what if” as our healthcare delivery model is rapidly changing. Understanding organizational risks and managing them to an acceptable level is where expertise matters most.
Our risk analysis documents, submitted by customers during an audit or an investigation, have been accepted by the federal Department of Health and Human Services (HHS) and more than one state as meeting the criteria for risk analysis.
Risk analysis is a snapshot in time. It is not a precise science.
It is important to conduct a “thorough” risk analysis. The Office for Civil Rights’ expectation is a risk analysis that covers electronic protected health information (ePHI) regardless of the particular electronic medium in which it is created, received, maintained or transmitted, and regardless of its source or location. A risk analysis is not a one-time event; it needs to be periodically updated as technology changes and as new threats and vulnerabilities are uncovered. Our approach to risk analysis is based upon guidance from the National Institute of Standards and Technology (NIST) and documents created by the Department of Health and Human Services (HHS) and/or the Centers for Medicare and Medicaid (CMS).
Our risk analysis tools evolve as new technology is developed and new threats emerge. The HIPAA Security Rule does not mention such words as hacking, cyber-attack, cybersecurity, ransomware, phishing, cloud, file sharing, smartphones, etc. because the original HIPAA Security Rule was written in August of 1998 – over 20 years ago. Since 1998, there have only been two minor revisions to the HIPAA Security Rule.
We break risk analysis into manageable components.
Your organization’s confidential and proprietary information, ePHI, and Personally Identifiable Information (PII) are your most valuable non-human assets and need to be protected. Data privacy is more than HIPAA. It includes PII and other information that is a rich target for hackers: credit card data, financial data (bank account numbers), HR/payroll systems, clinical research data, etc. If vulnerabilities exist, the organization, employees, patients, and partners may be at risk and subject to a breach.
Our practical risk analysis solution follows a systematic approach. “Like” components such as applications or classes of general support systems are easier to assess. Then, like a puzzle, the smaller pieces are combined to provide an overall enterprise picture of risks.
The Prioritized Action Plan becomes your “road map.”
The end result of a risk analysis is a prioritization of risks. All businesses and organizations operate at some level of risk. With limited resources, risk analysis assures that resources are being applied where they are most needed.
Risks that are above the organization’s risk tolerance are included in a prioritized action plan. Risk management is the implementation of security safeguards and controls to reduce risk to an acceptable level and to maintain that level of risk. Consistent with the risk management process, the Prioritized Action Plan becomes your “road map” to document the progress toward remediating identified compliance and security deficiencies.
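The roll-up and prioritization described above, as an added illustration (not tw-Security’s tool or work product): a minimal risk register that scores each “what if?” per component, combines the components into an enterprise picture, and emits a prioritized action plan containing only the risks above the organization’s risk tolerance. The ordinal scales, the score banding, the tolerance value and the sample register entries are all constructed assumptions for the example.

```python
"""Added example: a component-based risk register with an enterprise roll-up and
a prioritized action plan. All scales, bands and sample entries are constructed
assumptions; the 5x5 qualitative likelihood/impact shape loosely follows
NIST SP 800-30 but the numbers are not from that document or this page."""
from dataclasses import dataclass

# Assumed ordinal scale shared by likelihood and impact (1 = very low .. 5 = very high).
LEVELS = {"very low": 1, "low": 2, "moderate": 3, "high": 4, "very high": 5}


@dataclass(frozen=True)
class Risk:
    component: str      # e.g. an application, a biomedical device fleet, a support system
    kind: str           # class of component, used for the enterprise roll-up
    threat: str         # the "what if?" being anticipated
    vulnerability: str  # the weakness that makes the threat plausible
    likelihood: str     # key into LEVELS
    impact: str         # key into LEVELS
    owner: str          # business/process owner who decides what residual risk is acceptable

    @property
    def score(self) -> int:
        """Assumed scoring: likelihood x impact on the 1..25 product scale."""
        return LEVELS[self.likelihood] * LEVELS[self.impact]


def rate(score: int) -> str:
    """Assumed banding of the product into a qualitative rating."""
    if score >= 15:
        return "high"
    if score >= 8:
        return "moderate"
    return "low"


def prioritized_action_plan(register, tolerance):
    """Risks above the tolerance, highest score first; ties broken by impact, then name."""
    above = [r for r in register if r.score > tolerance]
    return sorted(above, key=lambda r: (-r.score, -LEVELS[r.impact], r.component, r.threat))


def enterprise_picture(register):
    """Roll each component up to its worst risk, then each class up to its worst component."""
    by_component = {}
    for r in register:
        by_component[r.component] = max(by_component.get(r.component, 0), r.score)
    by_class = {}
    for r in register:
        by_class[r.kind] = max(by_class.get(r.kind, 0), by_component[r.component])
    return by_component, by_class


# Constructed sample register (hypothetical components, threats and owners).
REGISTER = [
    Risk("EHR", "application", "ransomware delivered by phishing",
         "remote access lacks multi-factor authentication", "high", "very high", "CIO"),
    Risk("EHR", "application", "access by terminated workforce member",
         "account de-provisioning lags termination", "moderate", "high", "HR Director"),
    Risk("Infusion pump fleet", "biomedical device", "compromise of unsupported device OS",
         "pumps share a network segment with workstations", "moderate", "very high", "Biomed Manager"),
    Risk("Backup system", "general support system", "restore fails after an incident",
         "backups are not test-restored", "low", "very high", "IT Operations Manager"),
    Risk("Guest Wi-Fi", "general support system", "lateral movement from guest network",
         "guest SSID isolation not verified", "very low", "moderate", "Network Manager"),
]

TOLERANCE = 9  # assumed: risks scoring above this go on the action plan
PLAN = prioritized_action_plan(REGISTER, TOLERANCE)


def plan_lines(plan=PLAN):
    """Render the road map in priority order, one line per risk."""
    return [f"{i}. [{rate(r.score)} {r.score:>2}] {r.component}: {r.threat} "
            f"(owner: {r.owner})" for i, r in enumerate(plan, 1)]


if __name__ == "__main__":
    components, classes = enterprise_picture(REGISTER)
    print("Enterprise picture by class:", classes)
    print("Prioritized Action Plan (tolerance", TOLERANCE, "):")
    print("\n".join(plan_lines()))
```

The list is the document trail the text calls a “road map”: every entry names an owner, and re-running the plan after a safeguard is implemented (and the likelihood or impact re-rated) shows whether the risk has dropped below tolerance or remains open.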
Our Risk Analysis and Risk Management services include:
- Conducting a risk analysis for applications, biomedical devices, and general support systems. Then, like a puzzle, the pieces are put together using a comprehensive yet measured, scalable approach to “paint” a picture of risk.
- Creating risk analysis documentation and reports
- Providing an objective assessment of the current security environment
- Providing knowledge transfer and training on the risk analysis and risk management process
- Meeting with key stakeholders to make recommendations, and obtain a commitment for security safeguards
- Facilitating remediation planning to identify specific tasks, resources, and timelines required to address risks
- Providing recurring risk management assistance to support the process of reducing, mitigating, or managing risk to an acceptable level as determined by the business/process owners
- Assessing the risk and compliance prior to acquiring a new entity – part of the due diligence
- Developing an organizational risk analysis/risk management process
- Conducting risk analysis at the enterprise and/or at the entity level
- Maintaining the risk register using any off-the-shelf (OTC) risk tool(s), or assisting in developing one