HIPAA Risk Analysis Fundamentals: Industry Tested, OCR Approved
Published On April 2, 2021
Blog Post by Bethany Page Ishii, Director at Meditology Services
Risk analysis is one of four required implementation specifications in the Security Management Process section of the HIPAA Security Rule. The rule requires covered entities to “[c]onduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].”
Too often, we see healthcare organizations missing the mark on aligning with the Risk Analysis requirements as defined in the HIPAA Security Rule and running afoul of OCR and regulators in the process. Common missteps for healthcare entities conducting risk analyses include:
- Mistaking a HIPAA Security Rule gap assessment against the regulatory provisions for a formal risk analysis as defined in the rule (more on that below)
- Improperly scoping the risk analysis and missing critical locations and systems where ePHI and PHI reside
- Failing to conduct an analysis with sufficient frequency in relation to changes to the business or risk profile of the organization
- Failing to track ongoing risks as they crop up throughout the year along with associated remediation action plans (e.g. maintaining a risk register)
- Lacking documentation on business justification for risk decisions, particularly as it applies to required and addressable implementation specifications in the HIPAA Security Rule
- Failing to calculate and document risk in alignment with the standards and approaches outlined below in this article
Why does this matter? Perhaps some quick stats can help shed light on the financial and business risk exposure that healthcare entities face when failing to conduct a proper Risk Analysis.
- 67% of OCR HIPAA security fines in 2020 cite insufficient risk analysis 
- $15.3m in fines levied by OCR in 2019-2020
- $7.13m average cost of a breach for healthcare entities 
- 24% of all breaches in 2020 were in healthcare (highest of all industries) 
Getting the HIPAA Security Rule Risk Analysis methodology and process wrong can result in compounded fines and penalties for every year that the process was done incorrectly.
Conducting a Proper HIPAA Risk Analysis
The Security Rule does not prescribe any specific methodology for conducting a risk analysis, but HHS has issued guidance that provides definitions and refers to applicable standards such as NIST 800-66 and NIST 800-30.
Based on Meditology’s experience conducting hundreds of risk analyses for healthcare providers aligned with HIPAA regulatory requirements and expectations, a risk analysis should address the following considerations at a minimum:
- Patient information discovery: where is our patient information?
This first stage of the assessment should seek to identify all locations and functions where patient information is created, received, maintained, or transmitted by the organization. This includes internal applications and systems, devices, paper records, and patient information shared with third party organizations. The scope of the assessment should consider all assets and locations where patient information resides. Note: standard sampling methodologies are often used to assess a representative sample of assets and applications in order to assess the effectiveness of security controls applied across the enterprise rather than conducting exhaustive risk assessments of each and every piece of equipment in the organization that stores or transmits patient information.
Organizations that fail to identify and assess all locations where ePHI resides can introduce blind spots for risk exposures and significantly increase the probability of breach events. A risk analysis that only considers a subset of facilities and assets provides an incomplete view of organizational risk, making it difficult, if not impossible, to effectively safeguard patient information throughout the enterprise. See our related infographic, Check Your Blind Spots with Security & Privacy Risk Assessments.
- Threat actors: who are the bad guys and how likely are they to interact with our environment?
A risk analysis should identify potential threat actors and rank the likelihood that those actors or groups of actors will expose or impact patient information.
For example, a large healthcare provider organization that maintains a robust Electronic Health Records system and large network of laptops and servers may be more likely to be a target of international cybercrime syndicates’ ransomware attacks than would a single physician practice servicing a local population.
Organizations should stay up to speed with industry security and breach trends that may provide indications of threat actors that may be motivated or active in the healthcare sector.
- Threat vectors: what are the bad things that can happen and how likely are they to occur?
A threat vector is a path or means by which an individual or event can gain access to an organization’s information environment to disrupt operations or obtain patient information maintained by the organization. Common threat vectors include lost or stolen equipment (e.g. laptops or USB flash drives), ransomware attacks, hacking attacks, phishing attacks, information technology equipment failure, environmental impacts (e.g. tornados, floods, power failures, hurricanes), computer viruses, accidental misconfigurations of systems, and unintended disclosures. Threat vectors should be reviewed and assigned likelihood ratings to identify which vectors are more likely to occur than others.
- Vulnerabilities: how exposed are we and what weaknesses or security holes exist in our environment?
NIST defines a vulnerability as “[a] flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy”. Some of the most common vulnerabilities in healthcare provider environments include unencrypted laptops and portable media (e.g. USB flash drives), missing security patches, weak passwords, inadequate security protections provided by third party vendors, medical device security weaknesses, missing or incomplete deployment of antivirus software, deployment of outdated and unsupported technology, improperly configured wireless networks, and excessive administrative access rights.
Organizations should establish and maintain robust vulnerability management programs that include ongoing identification of security weaknesses through activities such as deploying vulnerability scanning tools, ethical hacking and penetration tests, organizational and application risk assessments, and implementing routine security patching cycles.
- Impact Analysis: if we have a bad day, how bad of a day will it be?
NIST indicates “[t]he level of impact from a threat event is the magnitude of harm that can be expected to result from the consequences of unauthorized disclosure of information, unauthorized modification of information, unauthorized destruction of information, or loss of information or information system availability.” Not all breaches are alike in scope, scale, or impact. Security incidents and breach events can inflict operational, financial, regulatory, patient safety, and other damages to healthcare organizations and patients. Breach types and thresholds should be assigned to categorize and approximate the potential impact of breach events.
- Risk determination: what are the most pressing areas we need to address?
Risk ratings help the entity to prioritize which security controls and assets need more attention and investment to protect than others. Risk ratings and assignments should consider the factors referenced above including a combination of threat actors, threat vectors, vulnerabilities, breach impacts, and the likelihood of occurrence for each.
- Corrective action planning: how do we fix what we found?
A primary output and objective of the risk analysis is to identify areas that pose the greatest security and compliance risks to the organization and prioritize remediation and corrective actions accordingly.
This prioritization of risks and planning of related remediation serves as the transition point from risk analysis to risk management processes. A corrective action plan should be developed and implemented to support risk management processes. The plan should include a discrete set of projects or initiatives mapped to the highest risk areas identified in the risk analysis, and should indicate owners, timelines, costs, resources, and executive approval and signoff for each area. Corrective action plans should be reviewed and updated on an ongoing basis to track and report progress to organizational stakeholders and leadership.
- Assessment methodology: how do we go about conducting a risk analysis?
Data for a risk analysis is typically collected through a combination of interviews, surveys, technical assessments, physical inspections or walkthroughs of facilities, and the collection and review of supporting evidence and documentation. Standard audit methodologies should be employed using a “trust but verify” mentality to validate that assumptions about the state of security controls implementation are supported with evidence and documentation. Many healthcare organizations hire third-party assessment firms like Meditology to conduct risk analyses, though some organizations use internal resources to conduct the risk analysis process.
If you are not sure whether your risk analysis process and reporting pass muster, be sure to reach out to our team, who can help advise on the process in more detail for your organization.
 US Department of Health and Human Services
 US Department of Health and Human Services
 2020 IBM / Ponemon Cost of a Data Breach Report
 Tenable Research 2020 Threat Landscape Retrospective