What is the Scope of a Security Risk Analysis?
According to guidance issued by the Department of Health and Human Services (HHS), the scope of security risk analysis includes potential risks and vulnerabilities to the confidentiality, availability, and integrity of all ePHI that an organization:
- Creates;
- Receives;
- Maintains; and
- Transmits.
This includes ePHI in all forms of electronic media. Types of electronic media include hard drives, CDs and DVDs, smart cards, personal digital assistants, and portable electronic storage devices.
The term “electronic media” is defined broadly, covering everything from something as small as a single workstation up to something as large as complex networks connecting multiple locations. Security risk analysis must take into account all ePHI, regardless of the medium in which it was created, received, maintained, or transmitted, and regardless of its source or location.
Security risk analysis includes six elements:
- Collecting Data
- Identifying and Documenting Potential Threats and Vulnerabilities
- Assessing Current Security Measures
- Determining the Likelihood of Threat Occurrence
- Determining the Potential Impact of Threat Occurrence
- Determining the Level of Risk
Element 1: Collecting Data
To begin the security risk analysis, an organization must identify where its ePHI is stored, received, maintained, or transmitted. It can do this in several ways, by: