The HIPAA Security Rule requires that covered entities (health plans, healthcare clearinghouses, and healthcare providers who electronically transmit any health information in connection with a HIPAA related transaction), and business associates, implement security safeguards. These security safeguards must protect the confidentiality, integrity, and availability of electronic protected health information (ePHI). ePHI is any protected health information that is created, stored, transmitted, or received in any electronic format. Performing a security risk analysis is the first step in identifying and implementing these safeguards. A security risk analysis consists of conducting an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. This article focuses on the fourth step of the security risk analysis, which consists of determining the likelihood of threat occurrence.
What are the Elements of a Security Risk Analysis?
The security risk analysis includes six elements:
- Collecting Data
- Identifying and Documenting Potential Threats and Vulnerabilities
- Assessing Current Security Measures
- Determining the Likelihood of Threat Occurrence
- Determining the Potential Impact of Threat Occurrence
- Determining the Level of Risk
Once steps 1 through 3 of the security risk analysis have been completed, step 4, “Determining the Likelihood of Threat Occurrence,” can be addressed.
What Does “The Likelihood of Threat Occurrence” Mean?
“The likelihood of threat occurrence,” as that term relates to the HIPAA Security Rule, is the probability that a threat will trigger or exploit a specific vulnerability.
Covered entities should consider each potential threat and vulnerability combination (as a reminder, Identification and Documentation of Potential Threats and Vulnerabilities is step 2 of the security risk analysis) and rate them by likelihood (or probability) that the combination would occur.
How Do I Classify the Likelihood of Occurrence?
Ratings such as high, medium, and low, or numeric representations of probability (i.e., a scale of 1 to 10, with one being “very unlikely” and 10 being “extremely likely”) may be used to express the likelihood of occurrence. The ratings used will depend on the covered entity’s approach.
If a covered entity uses the “high, medium, and low” rating system, it could define each category as follows:
A high probability exists that a threat will trigger or exploit one or more vulnerabilities. This might be due to the existence of multiple organizational deficiencies, such as the absence, inadequacy or improper configuration of security controls, or due to geographic location (such as, within a flood zone, or in a region where atmospheric conditions encourage hurricane formation).
A moderate probability exists that a threat will trigger or exploit one or more vulnerabilities. The probability exists due to, for example, the existence of a single organizational deficiency, such as the lack of security measures, or to the fact that a few (as opposed to numerous) organizational deficiencies exist, but have yet to be remedied.
A low probability exists that a threat will trigger or exploit a single vulnerability. The low probability can be attributed to, for example, the existence of one, single organizational deficiency or inadequate security measure, such as improper configuration of security controls.
The output of this step should be documentation of all threat and vulnerability combinations with associated likelihood ratings that may impact the confidentiality, availability, and integrity of ePHI of a covered entity. The documentation should be included as part of the finished security risk analysis product.