Doing a Security Risk Analysis is high on many lists right now. Not only is it the number one thing OCR has identified as not being done properly, but it is also a required element for Meaningful Use attestation. We have been getting a lot of traffic to our Risk Analysis Content page, most likely for those two reasons.
Don’t worry about getting it all figured out. Just get started. “We looked at it but weren’t sure where to get started” is a common problem for most small sites. HHS published a guide long ago that is still a good one for doing your Risk Analysis. Here are a few quick tips for applying the concepts in that guide to your environment so you can get your process rolling. Just bite the bullet and get it over with sooner rather than later.
The Security Series #6 guide lays out this list as the overall process, along with one important note:
EXAMPLE RISK ANALYSIS STEPS:
1. Identify the scope of the analysis.
2. Gather data.
3. Identify and document potential threats and vulnerabilities.
4. Assess current security measures.
5. Determine the likelihood of threat occurrence.
6. Determine the potential impact of threat occurrence.
7. Determine the level of risk.
8. Identify security measures and finalize documentation.
CMS is not recommending that all covered entities follow this approach, but rather is providing it as a frame of reference.
- Get started by making a list of all the places you collect, store or share electronic PHI in your business. For a small operation that covers step one pretty quickly. Don’t worry if you have to come back and add more after you get further along; that is also common. If you think something might matter, put it on the list. Don’t leave off anything that comes to mind; put them all down.
- Work from that list to document the details of each item you listed in step one: how and where it is stored, accessed, shared or moved. Just write it down; don’t worry at this point about what you specifically have to do with it. The documentation is your evidence that you have thought about each item and looked at how it is managed.
- Make another list of all the ways your business could be exposed to a threat or vulnerability that could give access to the data you have identified. Come up with anything you can imagine that could cause the ePHI to be improperly accessed, changed or lost, and write it down. Even if you think the likelihood of it happening is tiny, write it down. You need to do your best to think of everything, from natural disasters to internal sabotage or failures to criminal elements.
- Go through the lists and figure out what things you need to protect and what could happen to them. Then figure out which of those things you can reasonably assume are not going to happen and don’t need to worry about. The rest are your real problems, and you document every one of them as something you need to address in some way.
- Write down what you are already doing to prevent the problems and protect against the dangers on your lists. Anything you don’t have in place to prevent them from becoming a problem for your ePHI is a gap in your security policies and procedures, and you need to develop a plan to address it.
All those lists, combined with the documentation of the decisions you made, make up your report.
You really need to have your IT staff or IT vendor help you with this process when reviewing all the current safeguards as well as the things that still need to be implemented.
Once you have done it the first time, update it regularly: any time something major changes or is added in your business that involves any ePHI, or in the technical environment that protects it. After the first time it gets easier, so just bite the bullet and get it done.
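The eight steps above, worked through as a small risk register in Python. This is an added example, not code from the original post or from the HHS guide; the asset names, threats, controls and the 1-3 likelihood and impact scales are all assumed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Asset:             # steps 1-2: a place ePHI is collected, stored or shared
    name: str
    controls: set        # step 4: safeguards already in place for this asset

@dataclass
class Threat:            # step 3: a way the ePHI could be accessed, changed or lost
    name: str
    likelihood: int      # step 5: 1 = rare, 2 = possible, 3 = likely (assumed scale)
    impact: int          # step 6: 1 = minor, 2 = serious, 3 = severe (assumed scale)
    mitigated_by: set    # controls that would address this threat

def risk_level(likelihood: int, impact: int) -> str:
    """Step 7: likelihood x impact mapped to Low/Medium/High (assumed thresholds)."""
    score = likelihood * impact
    if score >= 6:
        return "High"
    return "Medium" if score >= 3 else "Low"

def build_register(assets, threats):
    """Step 8: one row per asset/threat pair, recording the level and any control gap."""
    register = []
    for asset in assets:
        for threat in threats:
            missing = sorted(threat.mitigated_by - asset.controls)
            register.append({"asset": asset.name, "threat": threat.name,
                             "level": risk_level(threat.likelihood, threat.impact),
                             "missing_controls": missing})
    return register

def gaps(register):
    """Rows still needing a remediation plan, highest risk first."""
    order = {"High": 0, "Medium": 1, "Low": 2}
    return sorted((r for r in register if r["missing_controls"]),
                  key=lambda r: order[r["level"]])

# Constructed sample data for a small practice (not real systems or findings).
ASSETS = [
    Asset("Practice EHR server", {"backup", "access-control", "encryption"}),
    Asset("Front-desk laptop", {"access-control"}),
]
THREATS = [
    Threat("Lost or stolen device", likelihood=2, impact=3, mitigated_by={"encryption"}),
    Threat("Ransomware or data loss", likelihood=2, impact=3, mitigated_by={"backup"}),
    Threat("Flood in server closet", likelihood=1, impact=2, mitigated_by={"backup"}),
]
if __name__ == "__main__":
    for row in gaps(build_register(ASSETS, THREATS)):
        print(f"{row['level']:6} {row['asset']}: {row['threat']} -> add {row['missing_controls']}")
```

The register itself is the documented evidence that every asset was weighed against every threat; the `gaps` list is the starting point for the remediation plan.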