The term "risk assessment" often means different things to different people, and is a source of great debate in healthcare organizations and among security professionals. It's the first thing regulators will ask for when they're auditing or investigating a breach. So, let's look at the critical elements of a risk assessment, as well as some risk assessment best practices.
Identify risks. In order to be considered a risk assessment, the process must be able to identify risks to the security and privacy of protected health information. This is where a risk assessment differs from an audit. An audit will look at a set of rules, usually an organization's policies, then test the system for compliance with the set of rules. A good risk assessment will identify all foreseeable security risks.
Quantify risks. Once a risk is identified, it needs to be quantified. A common measure of risk is a simplified equation where risk = value × threat × probability. "Value" is the potential costs associated with a particular loss or event. It can include replacement costs for assets, fines, civil penalties, notification costs, litigation costs, reputation loss and revenue loss. "Threat" is the existence of a vulnerable asset combined with the existence of a mechanism capable of exploiting the vulnerability. "Probability" is the likelihood that the threat will exploit the vulnerability. This is the part of the equation that leads to the most debate, as there isn't a great deal of data out there to base probability on.
Be reasonable. "Reasonable" is the term loved by attorneys because it typically means "debate" and "litigate." Oftentimes, it's measured by comparing one action to a typical action that an organization or individual performs given the same or similar circumstances. A risk assessment best practice here would be to base your assessment on a commonly accepted framework like the HITRUST Alliance's Common Security Framework, or CSF; ISO's 31000 standards; the National Institute of Standards and Technology's (NIST's) Risk Management Framework; and the IT Governance Institute's Control Objectives for Information and Related Technology, or COBIT. These are widely deployed, comprehensive frameworks that can be considered "reasonable" de facto.
Audits and risk assessments across healthcare
Prepare your social media policy for an audit
Omnibus rule and stage 2 challenge compliance
Prioritize risk. Risks need to be prioritized after they have been identified and quantified. They typically are organized into the categories of high, moderate and low. Rules for this categorization need to be defined up front based on your organization's risk tolerance. Keep in mind that the NIST 800 series defines a method for determining high-, moderate- and low-risk rankings, and you should consider using it because it's the process the government uses. It would be hard to take issue with your rankings if you follow this process. It might be administratively expedient and cost-effective in the short run to make your own rules, but it can increase the cost of a breach investigation.
Corrective action plans. All risks need to have a corrective action plan (CAP) associated with them. Even if the CAP is to accept the risk, the plan should be clearly documented and acted on. The documentation should include reasons for accepting the risk. NIST indicates that all high risks should be addressed immediately and moderate risks should be addressed within a reasonable timeframe. "Immediately" has generally meant within a year, and "reasonable" has meant from 18 months to 24 months. NIST allows acceptance of only those risks that have been rated as low.
Don't go it alone. Whatever you do, don't go it alone. Professional security firms are in a good position to help identify and quantify risks. It is their full-time job, and they see risks every day. There is comfort in numbers, and risk assessments are no different. However, remember that your numbers are the universe in which you operate. If you are connected to the Internet, your universe is open to threats from anywhere in the world. Numbers are global. Your response should be based on the threat, not your industry. What matters is how computers can defend themselves against a threat. Servers and network equipment function the same way in healthcare as they do in finance.
Document, document, document. This cannot be stressed enough. Every step of the way, every decision that is made needs to be thoroughly documented. This is your suit of armor. Wear it well and polish it often!