
Healthcare Risk Analysis – the Basics

Risk assessment is one of the fundamental components of an organizational risk management process as described in NIST Special Publication 800-39. Risk assessments are used to identify, estimate, and prioritize risk to organizational operations (i.e., mission, functions, image, and reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation and use of information systems.
- Source: NIST Special Publication 800-30 Guide for Conducting Risk Assessments
Analysis vs Assessment vs Evaluation
In the worlds of NIST and ISO, the terms analysis and assessment are used as synonyms; in the world of USA Healthcare, they mean different things:
Risk Analysis
“Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate.”
- Source: HIPAA §164.308 (a)(1)(ii)(A) Risk Analysis
- Must identify all electronic protected health information (e-PHI) assets.
- Must be conducted periodically and be reasonable and appropriate for the specific size, complexity, and capabilities of the entity.
- Must be consistent and address the nine essential elements of a risk analysis identified by the Office for Civil Rights (OCR).
Risk Assessment
Conducted after a security incident involving a potential breach of the confidentiality, integrity, or availability of ePHI.
Must consider:
- The nature and extent of the protected health information involved, including the types of identifiers and the likelihood of re-identification;
- The unauthorized person who used the protected health information or to whom the disclosure was made;
- Whether the protected health information was actually acquired or viewed; and
- The extent to which the risk to the protected health information has been mitigated.
If the incident is determined to be a breach, breach notification protocols must be invoked.
Evaluation
“Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, which establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart.”
- Source: HIPAA §164.308 (a)(8)
- Establish a baseline and measure progress and performance against it.
- Confirm conformance with policies and procedures.
In Summary
Risk Analysis:
- What is our risk exposure?
- How do we mitigate unacceptable risk?
Risk Assessment:
- What was the incident?
- Did it result in a breach?
Evaluation:
- Are our controls working?
- Are we compliant?
Next Steps
- Select an appropriate framework to mitigate the identified risks.
- Contact Coalfire for more information on the healthcare risk services we provide.