Making a Risk Assessment, or Risk Analysis, is the first step in Security Rule compliance.
So you know you need to get compliant with HIPAA’s Security Rule, but you have one question in mind: where do you start? This is where the Risk Assessment comes into play.
A Risk Assessment, or Risk Analysis, is a process that identifies your organization’s vulnerabilities, threats, and risks to PHI. It’s the first step in Security Rule compliance.
If you get audited by HHS and you don’t have these documents, you could be subject to major fines.
Many organizations aren’t sure where to start when it comes to creating a Risk Assessment, but it’s easier than they may think. Here are 5 steps to create your own Risk Assessment and Risk Management Plan.
See also: SecurityMetrics NIST 800-30 Risk Assessment
See also: SecurityMetrics HIPAA Guide
You can’t protect your PHI if you don’t know where it’s located. You need to know where your PHI is housed, transmitted, and stored. To do this, you should map out and create a diagram of your PHI flow. Some things to consider while doing this are:
See also: PHI: It’s Literally Everywhere [Infographic]
See also: Incident Response Plan White Paper
You need to find problems that exist within your organization, specifically vulnerabilities, threats, and risks.
Vulnerabilities are holes in your security that could result in a security incident. Some examples of vulnerabilities include:
A threat is the potential for a person or thing to exploit, or accidentally trigger, a vulnerability. Threats range from human (a careless employee, an attacker) to environmental (fire, flood, power loss). Here are some examples of threats:
Risk is the likelihood that a threat will exploit a vulnerability, combined with the impact to PHI if it does. According to HHS, “risk is not a single factor or event, but rather it is a combination of factors or events (threats and vulnerabilities) that, if they occur, may have an adverse impact on the organization.”
You need to figure out what risks could impact your organization. By prioritizing these risks, you can determine what needs the most attention in your organization. When analyzing your risk level, consider the following:
Each threat/vulnerability pair should be given a risk level, such as high, medium, or low, based on how likely it is to occur and how much damage it would do. This gives you a prioritized list of security issues to work through.
You now have a list of potential risks to your company. Now you need to decide how to address these risks. This process consists of three main steps:
By creating a Risk Management Plan, you show how you are handling these potential risks, and how you’re addressing security.
See also: How Much Does a HIPAA Risk Management Plan Cost?
This is the most important part of your Risk Assessment. If you don’t document these steps, you can’t prove to HHS that you’ve done a Risk Assessment. Make sure you document each step, the risks you identified, and your ongoing progress in addressing them.
Making a Risk Assessment is a process, but it’s worth it to protect your organization. It’s the first step in securing your company, so make sure you do it right.