How Are Vulnerabilities, Threats, and Risks Defined?
The Department of Health and Human Services (HHS) refers to the National Institute of Standards and Technology (NIST) when it comes to cybersecurity.
NIST Special Publication (SP) 800-30 defines:
- Vulnerability as “[a] flaw or weakness in system security procedures, design, implementation, or internal controls that could be exercised (accidentally triggered or intentionally exploited) and result in a security breach or a violation of the system’s security policy.”
- Threat as “[t]he potential for a person or thing to exercise (accidentally trigger or intentionally exploit) a specific vulnerability.”
- Risk as “The net mission impact considering (1) the probability that a particular [threat] will exercise (accidentally trigger or intentionally exploit) a particular [vulnerability] and (2) the resulting impact if this should occur . . . . [R]isks arise from legal liability or mission loss due to—
  - Unauthorized (malicious or accidental) disclosure, modification, or destruction of information
  - Unintentional errors and omissions
  - IT disruptions due to natural or man-made disasters
  - Failure to exercise due care and diligence in the implementation and operation of the IT system.”
When Is the Best Time to Conduct Your Annual HIPAA Risk Assessment?
The ideal time to perform an annual HIPAA risk assessment is at the end of the calendar year, because that is when strategic planning for the following year takes place. Strategic planning involves considerations, such as new technology adoption, personnel changes, and budgeting, that trigger the obligation to complete a security risk assessment (SRA). By conducting an SRA before the end of the calendar year, an organization has a clear picture of its security posture before operational changes take effect the following year. Also, Medicare and Medicaid require completion of the MIPS Security Risk Assessment by the end of the calendar year, so completing the SRA at year end satisfies both your HIPAA and MACRA/MIPS obligations.