A risk analysis is a critical element of any computer and technology security program and is the starting point of the HIPAA security regulations. It will be necessary to conduct this analysis, either internally or through contract with your vendor. If the analysis is conducted internally, the following persons should be considered for involvement:
- The Privacy Officer and the Security Officer;
- Information services staff;
- Medical records staff;
- Management representatives;
- Compliance and legal staff; and
- Representatives of important user groups (e.g., coding, billing, human resources).
STEP ONE: Determining the Assets to be Protected
Inventory the information assets of the organization. This will include both hardware and software, as well as the type of information maintained on each system. You should decide whether to identify only the assets that relate to electronic protected health information or all electronic data assets.
STEP TWO: Determining the Potential Threats to the Assets
Inventory the potential threats to the identified assets. These potential threats include:
- loss of confidentiality, if information, especially electronic protected health information, is exposed because your system is vulnerable to unauthorized access;
- loss of integrity, if information, especially electronic protected health information, can be changed or deleted through unauthorized access; and
- loss of availability, if information, especially electronic protected health information, can be blocked, modified, or deleted through unauthorized access.
STEP THREE: Determining the Vulnerabilities of the Assets
Assess how likely each potential threat is to materialize and the potential magnitude of the threat, that is, how much damage would be done if it did. Damage can range from low to high. Any potential threat to electronic protected health information should be considered high. An example of a threat assessment is below:
The organization would suffer major disruption and legal or financial loss if the computerized medical or billing records are attacked. Without the computerized medical or billing records, the organization would be sufficiently damaged as to no longer be able to fulfill its mission.
The organization would suffer minor disruption and legal or financial loss if the organization’s website is attacked. Without the website, the organization would still be able to fulfill its mission, but in a diminished capacity.
The organization would suffer no disruption and no legal or financial loss if the internal computerized employee bulletin board is attacked. The organization would be able to completely fulfill its mission without this trivial asset.
STEP FOUR: Determining What Safeguards to Implement
In light of the vulnerabilities and potential threats, determine what safeguards are needed to minimize the vulnerabilities and the major or dangerous threats. Various safeguards will be introduced as you move through the Security Compliance Guide. Some standard and appropriate safeguards include firewalls; securing systems with passwords; removing access from those who do not require it or who have left the organization; installing patches for viruses and security holes; educating users; and monitoring for system intrusion and attacks.
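A small risk register that carries STEPS ONE to THREE through in code and ranks the results for STEP FOUR, as an added example that is not part of the original guide. The asset inventory, the likelihood ratings and the 1 to 3 scoring scale are constructed assumptions; the "any threat to electronic protected health information is high" rule is the guide's own.

```python
"""Added example: a minimal HIPAA-style risk register (constructed data)."""
from dataclasses import dataclass, field

# STEP TWO: the three threat categories the guide names
THREATS = ("confidentiality", "integrity", "availability")
# Assumed scoring scale; the guide only says damage ranges from low to high
LEVELS = {"low": 1, "medium": 2, "high": 3}


@dataclass
class Asset:
    name: str
    holds_ephi: bool            # STEP ONE: what information the asset carries
    impact: str                 # STEP THREE: damage if a threat materializes
    likelihood: dict = field(default_factory=dict)  # per-threat likelihood


def effective_impact(asset: Asset) -> str:
    """Guide's rule: a threat to ePHI is rated high whatever the stated impact."""
    return "high" if asset.holds_ephi else asset.impact


def risk_score(asset: Asset, threat: str) -> int:
    """Likelihood times magnitude on the 1-3 scale; 9 is the worst case."""
    if threat not in THREATS:
        raise ValueError(f"unknown threat category: {threat}")
    likelihood = asset.likelihood.get(threat, "low")
    return LEVELS[likelihood] * LEVELS[effective_impact(asset)]


def risk_register(assets):
    """Rank every asset/threat pair, ePHI assets first on ties, for STEP FOUR."""
    rows = [(a, t, risk_score(a, t)) for a in assets for t in THREATS]
    rows.sort(key=lambda r: (-r[2], not r[0].holds_ephi, r[0].name, r[1]))
    return [(a.name, t, score) for a, t, score in rows]


# Constructed inventory mirroring the three example assets in STEP THREE
INVENTORY = [
    Asset("medical and billing records", True, "high",
          {"confidentiality": "medium", "integrity": "low", "availability": "medium"}),
    Asset("public website", False, "medium",
          {"confidentiality": "low", "integrity": "medium", "availability": "medium"}),
    Asset("employee bulletin board", False, "low",
          {"confidentiality": "low", "integrity": "low", "availability": "low"}),
]

if __name__ == "__main__":
    for name, threat, score in risk_register(INVENTORY):
        print(f"{score:>2}  {threat:<15} {name}")
```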