The Health Insurance Portability and Accountability Act (HIPAA) granted the Secretary of Health and Human Services the power to establish regulations for covered entities, including the information security policies of the entity. An important aspect of the security regulations is regularly assessing risks to the entity’s information systems and infrastructure under section 164.308(a)(ii)(1) of the security regulations. For those of you attempting to qualify for meaningful use incentives, risk assessments are a part of the core 15 metrics, making documented risk assessments mandatory.
The regulation specifically requires a covered entity to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.” Id. This analytical process is helpful to the organization for several reasons. First, doing an inventory of the information systems in use in the organization helps to categorize the extent of exposure of the organization to security threats. Second, spending time on identifying known problems or vulnerabilities helps to clarify what should be budgeted for mitigating these problems. Third, all risk assessment methodologies require an organization to balance the potential impact of the risk against available mitigations, and to choose a reasonable mitigation (one which costs less than the adjusted risk to the organization of loss).
However, the contents of a risk analysis are not defined within the security regulations, and such an analysis is not self-defining. There are a wide variety of analytical tools available today to help a provider assess risk to his business organization. For example, the Centers for Medicaid and Medicare (CMS) created a risk assessment document that aids a provider in categorizing existing information systems, evaluating what risks exist to those systems, what mitigations are in place to reduce risk, and what risks remain that are sufficiently great that either additional mitigations are required or the business owner must accept them in order to continue to operate the system. See Centers for Medicare & Medicaid Services (CMS) Information Security Business Risk Assessment Methodology, version 2.1 (May 11, 2005).
The CMS methodology also provides a guide to evaluating a specific risk by estimating the likelihood of the risk’s occurrence and, if left unmitigated, what impact the risk would have on business operations. Those risks of a certain risk level or higher are those that require mitigation, helping an organization to prioritize which identified mitigations should be implemented first. Id. For example, risks to a payroll system, while critical to an organization’s efforts to operate, may not be as critical as risks to a health record system, because the organization may only provide paychecks every other week, whereas the organization’s staff access the health record system for each patient visit on a daily or hourly basis. Alternatively, the data in the payroll system may be at less risk overall (either because the system has fewer vulnerabilities or has less overall data) as compared to an electronic health record system. Following this qualitative methodology helps organizations to reason through their relative risks and identify potential mitigations.
An alternative methodology follows a similar process, but instead utilizes estimates of the value of systems to the business, the likelihood that the risk will be realized, and a calculated value to the organization of potential mitigations of that risk for a particular period (for example, one year). See Shon Harris, All-In-One CISSP, 73 (3rd ed. 2005) McGraw Hill/Osborne. For example, if the provider operates an electronic health record system, and the value of that system to the organization is 500,000, the provider could then identify various risks that exist to the data in that system and their relative likelihood of occurring, thus calculating the maximum value of an effective mitigation of that risk. For example, if the risk identified is a computer virus, the analyst would take into consideration how many computer viruses are written for the system platform, what kind of damage a typical virus could do to the system, the history of virus infection of the systems in place in the organization, and other factors that impact virus infection. In addition, the analyst would examine what efforts would be required to restore the infected information system to normal operations, and what data could be lost as a result, in order to calculate the percentage of the system’s base value that would be affected by the risk. Multiplying the base value of the system by the likelihood of the threat’s realization and by the scope of the risk’s impact on the base value gives an annualized risk value. “Reasonable” mitigations of this risk should therefore cost less than this annualized risk value.
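The two methodologies above (the CMS-style qualitative rating and the quantitative annualized risk value) are easy to confuse, so here is a small worked example that carries both through on the same set of risks. This is an added illustration written for this page; it is not code from the CMS methodology document or from the cited CISSP text. The three-by-three likelihood/impact grid, the threshold level, and every dollar figure and rate in the sample risks are constructed assumptions, not figures from either source.

```python
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Qualitative rating used for both likelihood and impact."""
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class Risk:
    name: str
    system: str
    asset_value: float      # base value of the system to the organization (dollars)
    exposure_factor: float  # fraction of the base value affected if the threat is realized (0.0-1.0)
    annual_rate: float      # expected realizations of the threat per year
    likelihood: Level       # qualitative likelihood rating
    impact: Level           # qualitative impact on business operations


# --- qualitative view: likelihood x impact, compared against a threshold level ---

def qualitative_level(risk: Risk) -> Level:
    """Fold the two ratings into one overall risk level.

    The scoring grid below (product of the two ratings, 1..9) is an
    assumption made for this example; the CMS document defines its own levels.
    """
    score = int(risk.likelihood) * int(risk.impact)
    if score >= 6:
        return Level.HIGH
    if score >= 3:
        return Level.MEDIUM
    return Level.LOW


def requires_mitigation(risk: Risk, threshold: Level = Level.MEDIUM) -> bool:
    """Risks at or above the threshold must be mitigated or formally accepted."""
    return qualitative_level(risk) >= threshold


# --- quantitative view: annualized risk value ---

def single_loss_expectancy(risk: Risk) -> float:
    """Loss from one realization: base value x share of the value affected."""
    return risk.asset_value * risk.exposure_factor


def annualized_risk_value(risk: Risk) -> float:
    """Base value x impact share x expected occurrences per year."""
    return single_loss_expectancy(risk) * risk.annual_rate


def mitigation_is_reasonable(risk: Risk, annual_mitigation_cost: float) -> bool:
    """A mitigation is 'reasonable' when it costs less than the annualized risk it addresses."""
    return annual_mitigation_cost < annualized_risk_value(risk)


def prioritize(risks):
    """Budget order: highest qualitative level first, then largest annualized risk value."""
    return sorted(risks, key=lambda r: (qualitative_level(r), annualized_risk_value(r)), reverse=True)


# Constructed sample risks (all figures are illustrative assumptions).
EHR_VIRUS = Risk("Virus infection of EHR", "EHR", 500_000, 0.10, 2.0, Level.HIGH, Level.HIGH)
PAYROLL_VIRUS = Risk("Virus infection of payroll", "Payroll", 100_000, 0.05, 0.5, Level.MEDIUM, Level.LOW)
SERVER_FLOOD = Risk("Flood in server room", "EHR", 500_000, 0.80, 0.01, Level.LOW, Level.HIGH)
SAMPLE_RISKS = [PAYROLL_VIRUS, SERVER_FLOOD, EHR_VIRUS]


def assessment_table(risks):
    """One row per risk, in priority order, with both views side by side."""
    rows = []
    for r in prioritize(risks):
        rows.append({
            "risk": r.name,
            "level": qualitative_level(r).name,
            "mitigate": requires_mitigation(r),
            "sle": single_loss_expectancy(r),
            "annualized": annualized_risk_value(r),
        })
    return rows


if __name__ == "__main__":
    for row in assessment_table(SAMPLE_RISKS):
        print(f"{row['risk']:<28} {row['level']:<7} mitigate={row['mitigate']!s:<5} "
              f"SLE={row['sle']:>10,.0f} annualized={row['annualized']:>10,.0f}")
    # A 30,000/yr anti-virus contract for the EHR is reasonable against a 100,000 annualized risk;
    # a 50,000/yr flood-proofing contract is not reasonable against a 4,000 annualized risk.
    print(mitigation_is_reasonable(EHR_VIRUS, 30_000), mitigation_is_reasonable(SERVER_FLOOD, 50_000))
```

Note how the two views disagree in an instructive way: the flood risk rates only MEDIUM qualitatively yet has a large single-loss figure, while its low annual rate makes the annualized value small, so an expensive flood mitigation fails the "costs less than the annualized risk" test even though the risk still has to be addressed or accepted under the qualitative threshold.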
This quantitative approach is helpful for estimating risk and valuing mitigations, especially where the covered entity can identify the costs of mitigations (such as an anti-virus solution or disaster recovery system). Something very unlikely to happen should usually not be mitigated with a very expensive solution. Need help performing a risk assessment? Give us a call for assistance.