When businesses conduct an accurate and thorough risk assessment, they can prepare themselves against potential threats and can more quickly identify and respond to threats, thus minimizing the scope and costs associated with a breach.
How to Conduct an SRA
There are six steps to conducting an accurate and thorough security risk assessment (SRA):
- Collecting Data
- Identifying and Documenting Potential Threats and Vulnerabilities
- Assessing Current Security Measures
- Determining the Likelihood of Threat Occurrence
- Determining the Potential Impact of Threat Occurrence
- Determining the Level of Risk
How to Address Your Deficiencies
By completing your annual risk assessment, you identify gaps and deficiencies in your HIPAA safeguards. Since HIPAA requires you to ensure the confidentiality, integrity, and availability of protected health information (PHI), you must create remediation plans to address the risks and vulnerabilities to PHI that were uncovered by completing your SRA.
Everything you did to conduct your risk assessment will help you when drafting your remediation plans. For instance, by documenting potential threats and vulnerabilities, determining the likelihood and impact of threat occurrence, and determining the level of risk each vulnerability poses, you can prioritize which deficiencies should be addressed first. To meet HIPAA requirements, remediation plans must be documented and must state how you plan to address each deficiency and the timeline for implementing the remediation.