The HIPAA Security Rule requires that covered entities (health plans, healthcare clearinghouses, and healthcare providers who electronically transmit any health information in connection with a HIPAA-related transaction), and business associates, implement security safeguards. These security safeguards must protect the confidentiality, integrity, and availability of electronic protected health information (ePHI). ePHI is any protected health information that is created, stored, transmitted, or received in any electronic format. Performing a security risk analysis is the first step in identifying and implementing these safeguards. A security risk analysis consists of conducting an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI. This article focuses on the fifth step of the security risk analysis, which consists of determining the potential impact of a threat occurrence.
What are the Elements of a Security Risk Analysis?
The security risk analysis includes six elements:
- Collecting Data
- Identifying and Documenting Potential Threats and Vulnerabilities
- Assessing Current Security Measures
- Determining the Likelihood of Threat Occurrence
- Determining the Potential Impact of Threat Occurrence
- Determining the Level of Risk
Once steps 1 through 4 of the security risk analysis have been completed, step 5, “Determining the Potential Impact of Threat Occurrence,” can be addressed.
What Does “The Potential Impact of Threat Occurrence” Mean?
Step 2 of the security risk analysis consists of identification and documentation of potential threats and vulnerabilities. Step 4 of the security risk analysis consists of determining the likelihood of threat occurrence.
The output of Step 4 of the security risk analysis is documentation of all threat and vulnerability combinations, with associated likelihood (i.e., possibility that the threat may occur) ratings that may impact the confidentiality, availability, and integrity of ePHI.
Step 5 of the security risk analysis requires that an entity address the potential impact of the threat to the entity’s operation. A threat, if realized, can result in a variety of negative impacts. Threat impacts include (among other items):
- Unauthorized access to or disclosure of ePHI
- Permanent loss or corruption of ePHI
- Temporary loss or unavailability of ePHI
- Loss of financial cash flow
- Loss of physical assets
- Loss of public confidence in an organization
- Loss of an organization’s credibility
All of these adverse outcomes have the ability, or potential, to affect the confidentiality, availability, and integrity of ePHI that is created, received, maintained, or transmitted by covered entities.
Some adverse outcomes may have a greater impact on the organization than others. Factors to consider in determining the magnitude of an impact may include:
- How many people could be affected by the threat’s having occurred
- What extent of private data could be potentially exposed – just health information, or both health information and billing information?
The impact of potential outcomes should be measured to assist the covered entity in prioritizing risk mitigation activities. Broadly speaking, risk mitigation is a strategy an entity may use to prepare for and lessen (or mitigate) the effects of threats faced by an entity.
How Are the Impacts of Potential Threats Measured?
A covered entity may measure the impact of potential threats (threat occurrence impact) using a variety of methods.
The two most common methods are qualitative and quantitative. Both of these methods allow a covered entity to measure risk.
Under the qualitative method, the magnitude of the potential impact resulting from a threat is rated on a scale using descriptive terms such as “high,” “medium,” and “low.” Potential impacts can be grouped into these three categories.
The qualitative method is the most common way to measure the impact of risk. It allows the covered entity to rate all potential impacts, whether tangible or intangible, and it is particularly well-suited to intangible impacts.
An intangible loss is more “concept-based” than something that can be measured by a specific dollar amount. An intangible or abstract impact, such as a loss of public confidence or loss of credibility, may therefore be rated more effectively with “high,” “medium,” and “low” labels than with a dollar amount. This is particularly so because, for concept-based, intangible impacts, a specific dollar amount is either impossible to ascertain or can only be arrived at by a “best guess.”
In contrast, the quantitative method measures the tangible potential impact of a threat triggering or exploiting a specific vulnerability, by using a numeric value associated with resource cost.
A numeric value might include, for example, a number associated with a resource cost, such as the specific amount it costs to repair information systems, or the specific amount it costs to replace an asset that has been lost or stolen. The quantitative method provides valuable information to be used later in risk management efforts.
A covered entity may use either method or a combination of the two methods to measure impact on the organization. Since there is no single correct method for measuring the impact during the risk analysis, a covered entity should consider the advantages and disadvantages of the two approaches, qualitative and quantitative.
The final output of this step should be documentation of all potential impacts, and ratings associated with the occurrence of threats triggering or exploiting vulnerabilities that affect the confidentiality, availability, and integrity of ePHI within a covered entity.
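The following is an added example, not part of the original article or of any Compliancy Group tool, showing what the documented output of step 5 can look like when the qualitative and quantitative methods are combined. It carries a few threat/vulnerability pairs from step 4 (with their likelihood ratings) through an impact rating based on the two factors the article names (number of people affected, extent of data exposed) plus an intangible rating, and then previews the step 6 risk level. The 1 to 3 weights, the people and dollar thresholds, and the three sample pairs are all constructed assumptions and not taken from the article.

```python
from dataclasses import dataclass
from typing import Optional

# Article's qualitative scale; the 1..3 weights are a constructed assumption
# so that ratings from the two methods can be compared and combined.
LEVELS = {"low": 1, "medium": 2, "high": 3}
NAMES = {v: k for k, v in LEVELS.items()}


@dataclass
class ThreatVulnerability:
    """One threat/vulnerability combination as documented after step 4."""
    threat: str
    vulnerability: str
    affects: tuple                   # which of confidentiality/integrity/availability of ePHI
    likelihood: str                  # step 4 output: "low", "medium" or "high"
    people_affected: int             # impact factor: how many people could be affected
    data_exposed: frozenset          # impact factor: {"health"}, {"health", "billing"} or empty
    intangible: Optional[str] = None         # e.g. loss of public confidence, rated high/medium/low
    tangible_cost_usd: Optional[float] = None  # quantitative figure, only when it can be ascertained


def qualitative_impact(tv: ThreatVulnerability) -> str:
    """Rate impact high/medium/low from the article's two factors plus any
    intangible rating; the 50/500-person thresholds are constructed."""
    people = 3 if tv.people_affected >= 500 else 2 if tv.people_affected >= 50 else 1
    if {"health", "billing"} <= tv.data_exposed:
        data = 3
    elif "health" in tv.data_exposed:
        data = 2
    else:
        data = 1
    intangible = LEVELS[tv.intangible] if tv.intangible else 1
    return NAMES[max(people, data, intangible)]


def quantitative_impact(tv: ThreatVulnerability) -> Optional[str]:
    """Map a known dollar cost onto the same scale. Returns None when no
    tangible figure exists, so no 'best guess' is silently invented.
    The dollar bands are constructed."""
    if tv.tangible_cost_usd is None:
        return None
    if tv.tangible_cost_usd >= 100_000:
        return "high"
    return "medium" if tv.tangible_cost_usd >= 10_000 else "low"


def combined_impact(tv: ThreatVulnerability) -> str:
    """Step 5 rating: the higher of the two methods when both are available."""
    q, n = qualitative_impact(tv), quantitative_impact(tv)
    return q if n is None else NAMES[max(LEVELS[q], LEVELS[n])]


def risk_score(tv: ThreatVulnerability) -> int:
    """Step 6 preview: likelihood weight times impact weight (1..9)."""
    return LEVELS[tv.likelihood] * LEVELS[combined_impact(tv)]


def build_register(pairs) -> list:
    """Documented output of step 5: every pair with its impact ratings,
    ordered so the highest risk is first for mitigation planning."""
    rows = [{
        "threat": tv.threat, "vulnerability": tv.vulnerability,
        "affects": tv.affects, "likelihood": tv.likelihood,
        "qualitative_impact": qualitative_impact(tv),
        "quantitative_impact": quantitative_impact(tv),
        "impact": combined_impact(tv), "risk_score": risk_score(tv),
    } for tv in pairs]
    rows.sort(key=lambda r: r["risk_score"], reverse=True)
    return rows


# Constructed sample input; none of it describes a real organisation.
SAMPLE_PAIRS = [
    ThreatVulnerability("Ransomware on file server", "Unpatched OS, no offline backups",
                        ("availability", "integrity"), "medium", 12_000,
                        frozenset({"health", "billing"}), "high", 250_000.0),
    ThreatVulnerability("Lost unencrypted laptop", "Full-disk encryption not enforced",
                        ("confidentiality",), "high", 300,
                        frozenset({"health"}), "medium", 2_500.0),
    ThreatVulnerability("Power outage at clinic", "No UPS for workstation network",
                        ("availability",), "low", 40, frozenset(), None, None),
]

if __name__ == "__main__":
    for row in build_register(SAMPLE_PAIRS):
        print(f'{row["risk_score"]:>2}  {row["impact"]:<6}  {row["threat"]}')
```

The register keeps both the qualitative and the quantitative rating side by side rather than collapsing them early, which lets a reviewer see when an intangible loss (here, the laptop's effect on public confidence) is what drives the combined rating, and when a dollar figure simply was not available.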
Compliancy Group Simplifies HIPAA Compliance
Covered entities and business associates can address their security risk analysis by working with Compliancy Group to address federal HIPAA security standards. Completing a security risk analysis is required to become HIPAA compliant.
Our ongoing support and web-based compliance app, The Guard™, gives healthcare organizations the tools to address HIPAA Security Rule standards so they can get back to confidently running their business.
Find out how Compliancy Group has helped thousands of organizations like yours Achieve, Illustrate, and Maintain™ their HIPAA compliance!