HIPAA Training: All You Need to Know About Information Security Risk Analysis Process


HIPAA violations begin at $10,000 minimum and go up from there. Learn how to develop procedures and policies that can help prevent security problems -- and make recovery from incidents easier and less painful with this expert HIPAA compliance article.

NIST is the National Institute of Standards and Technology. It used to be known as the National Bureau of Standards. These are the people who define what counts as mayonnaise or egg noodles, what a 2x4 is, or what R-13 fiberglass insulation is supposed to be, all these kinds of things.

They also provide a lot of guidance on information security, and the HIPAA security rule points to NIST Special Publication 800-30. There is a web address where you can go find 800-30; it describes the risk assessment process that is recommended for HIPAA. The nice thing about it is that you don't have to go to twelve decimal places of detail and do a lot of financial number crunching. It uses a high-medium-low stratification of likelihood and impact to help sort things out.

Their process begins with a system characterization; that is where the information flow analysis comes from. Then you identify your threats and vulnerabilities and the controls you already have in place.

These first four steps (system characterization, threat identification, vulnerability identification, control analysis) are your research phase: understand what the system's threats and vulnerabilities are and what controls you have now, following the HIPAA security rule. Steps five, six and seven are your analysis and decision-making phase. That's where you ask, "Okay, for these various risks we've identified, what is the likelihood it's going to be a problem, and what's the potential impact?"

Is it something that affects a few people or lots of people, and do we think it is actually going to happen? Has it happened to anybody else like us before? Has it happened to us before? Has it never happened before? For likelihood and impact you decide only high, medium or low, and in most situations that is enough to decide which issues to deal with first.

That is your risk determination: you go through that analysis, make recommendations about what controls you need to have in place, and document your results. Now, the idea of the information flow analysis is that you look at all your information flows and their vulnerabilities. How is information conveyed? How does it get there? By what communication method? What do people do with it?

Simple things, such as: if that's information you're sending to somebody else by Federal Express, how do you get it to them? Do you drop it in a drop box somewhere, or do they pick it up? One client said, "Oh yes, we have some information that goes out by FedEx. We just leave it on the window ledge outside, and he picks it up on his way by."

Well, that's kind of a security risk there, and they don't do that anymore. But you really need to understand what's going on, in all its details. You need a business associate agreement that covers the transactions with outside parties. This is your time to ask a lot of annoying questions. You may have a three-year-old who says "Why? Why? Why?" to everything. Well, now you get to be that annoying three-year-old: "Why? What do you do with it? Where does it go?"

For all of these things you have to look and decide, "Is this being done securely, and what are the risk issues we need to face?" So how do we go about doing this? You start with interviews of the people who know. Find out what the story is: what are all the information flows, not just the formal ones but the informal ones as well.

For instance, where does somebody store information that you may not be considering? Someone may keep a copy on a floppy disk or on another computer that you weren't aware of. So you want to know where all the information flows are: how do people receive information, keep it, access it and send it out? Where does it go?

HIPAA Training Tip: You have to go through a pretty detailed inventory, and the idea is to talk with everybody who knows about this stuff, not just the manager of a department. Yes, you want to talk with the managers, but there is also usually somebody who really knows what's going on in each department. That's the person you want to talk to: the person who has been there the longest and knows where all the skeletons in the closets are. Let them tell you the story of how it works; just have them tell you what's going on.

What you want to do next is organize all the systems and flows from the various departments you've been talking to into categories, to make them easier to look at. You can just put them all in one big list if you want, but at a hospital you wind up with a list of 500 things, and that makes it hard to analyze. So you want to group things together as much as possible.

The kinds of groupings used these days start with access to services: in other words, how somebody accesses the systems, either remotely or on site. Then there are the internally hosted systems and the connections into them, and the externally hosted systems and their internet connections. The externally hosted systems are things like internet-based services, or a state registry that you provide information to, which may be hosted on the internet.

There are also internal systems and databases. That might seem the same as the internally hosted systems and connections, but the hosted systems are the larger things, like a health information system, whereas an internal system or database is something smaller, like a small Access database.

Then you have office systems, such as your fax machines and copiers and that kind of thing, and any other physical security issues you may have noted in the course of all these interviews. There will always be something that is hard to categorize. You don't have to be perfect about this.

For each one of these systems or flows you want to describe the risk issues: what are the threats to confidentiality, integrity and availability? The idea is to group things together so you can address similar risks together to ensure HIPAA compliance.

Consider the same risk issue for all the systems it applies to at once, and that will make it easier. Instead of dealing with thousands of individual items, you deal with groups. The risk issues will then show you where you need to do some more technical work and where you have policy issues to deal with.
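The following is an added example, not part of the original training article, that puts the two ideas above into a small script: the high/medium/low likelihood-by-impact risk determination from SP 800-30 (the 2002 edition's Table 3-7 values: likelihood 1.0/0.5/0.1, impact 100/50/10, with a product above 50 rated high and above 10 rated medium), and the grouping of systems and flows by category and by shared risk issue so that one control decision can cover several systems. The register entries (the FedEx pickup, the hallway fax, the Access database and so on) are constructed sample data for illustration, not findings from any real assessment.

```python
"""Risk register in the NIST SP 800-30 (2002) style: rate each finding
high/medium/low by likelihood x impact, then group findings that share a
risk issue so similar risks can be addressed together.
Sample register entries below are constructed, not from a real assessment."""
from collections import defaultdict
from dataclasses import dataclass

# Numeric values SP 800-30 (2002) assigns to the three levels
# (likelihood from Table 3-6, impact from Table 3-7). Risk score is the product.
LIKELIHOOD = {"high": 1.0, "medium": 0.5, "low": 0.1}
IMPACT = {"high": 100, "medium": 50, "low": 10}
LEVEL_ORDER = {"high": 0, "medium": 1, "low": 2}   # sort key: worst first


def risk_level(likelihood: str, impact: str) -> str:
    """Map an H/M/L likelihood and impact pair to the SP 800-30 risk level.
    Scale from Table 3-7: >50 is high, >10 up to 50 is medium, 1 to 10 is low."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    if score > 50:
        return "high"
    if score > 10:
        return "medium"
    return "low"


@dataclass(frozen=True)
class Finding:
    system: str       # system or information flow learned from the interviews
    category: str     # access / external / internal / office / physical
    issue: str        # risk issue, worded so several systems can share it
    cia: str          # which of confidentiality, integrity, availability is threatened
    likelihood: str   # high / medium / low
    impact: str       # high / medium / low

    @property
    def level(self) -> str:
        return risk_level(self.likelihood, self.impact)


# Constructed sample register (hypothetical entries for illustration only).
REGISTER = [
    Finding("FedEx pickup of lab results", "physical",
            "PHI left unattended in an unsecured location", "C", "high", "high"),
    Finding("Hallway fax machine", "office",
            "PHI left unattended in an unsecured location", "C", "medium", "medium"),
    Finding("Old floppy disks in a desk drawer", "physical",
            "PHI left unattended in an unsecured location", "C", "low", "medium"),
    Finding("Billing Access database on shared drive", "internal",
            "No user-level access control or access logging", "CI", "medium", "high"),
    Finding("Remote access for transcriptionists", "access",
            "Shared login credentials", "CI", "medium", "high"),
    Finding("State immunization registry upload", "external",
            "No business associate agreement covering the transfer", "C", "low", "high"),
]


def prioritize(register):
    """Order findings high -> medium -> low: the top of the list is what to fix first."""
    return sorted(register, key=lambda f: (LEVEL_ORDER[f.level], f.category, f.system))


def group_by_issue(register):
    """Collect the systems that share one risk issue so a single control decision
    (a policy, a procedure or a technical fix) can cover all of them.
    A group's level is the worst level among its members."""
    groups = defaultdict(list)
    for f in register:
        groups[f.issue].append(f)
    return {
        issue: {
            "level": min((f.level for f in fs), key=LEVEL_ORDER.__getitem__),
            "systems": sorted(f.system for f in fs),
        }
        for issue, fs in groups.items()
    }


if __name__ == "__main__":
    for f in prioritize(REGISTER):
        print(f"{f.level:6} {f.category:8} {f.system}: {f.issue} [{f.cia}]")
    print()
    for issue, g in group_by_issue(REGISTER).items():
        print(f"{g['level']:6} {issue} -> {', '.join(g['systems'])}")
```

Note that a low-likelihood, high-impact pairing comes out as low under the 800-30 table (0.1 x 100 = 10), which is why the likelihood questions ("has this happened to us, or to anyone like us?") matter as much as the impact ones. The grouping step is what turns six findings into four decisions: one procedure for unattended PHI covers the FedEx ledge, the hallway fax and the forgotten floppies together.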

Get more HIPAA online training, visit our HIPAA conference page.