Element 5: Determining the Potential Impact of Threat Occurrence
After an organization determines the likelihood of threat occurrence, it must assess the impact of potential threats to confidentiality, integrity, and availability of ePHI. This can be done by assessing the severity of the impact resulting from a threat that triggers or exploits a vulnerability. The assessment should be documented.
A useful way to document Impact severity, is by describing the severity numerically (i.e., assigning a number to how severe an impact is, on a scale of 1 to 10, with 10 being “most severe”).
Element 6: Determining the Level of Risk
The level of risk is determined by evaluating ALL threat likelihood and threat impact combinations identified in the risk analysis so far.
The level of risk is highest when a threat 1) is likely to occur; AND 2) will have a significant or severe impact on an organization. For example, if a network is completely unsecured, and that network stores all of the organization’s ePHI, two things are likely to happen: A threat will occur, and its occurrence may have a severe impact on the organization. When threat likelihood and severity are both high, the level of risk should be classified as “high.”
On the other hand, if there is a low risk of a threat occurring, AND the threat’s occurrence will have little to no impact on the organization, the level of risk is relatively low.
Once the organization has assigned risk levels, it should document those levels, and document what corrective actions are needed.
Finally, once all six elements have been addressed, all documentation should be finalized. In addition, the security risk analysis should be periodically reviewed, and updated, as needed.
Compliancy Group Simplifies HIPAA Security Risk Assessments
Covered entities and business associates can address their security risk assessment by working with Compliancy Group to address federal HIPAA security standards. Completing a security risk assessment is required to become HIPAA compliant.
Our ongoing support and web-based compliance app, The Guard™, gives healthcare organizations the tools to address HIPAA Security Rule standards so they can get back to confidently running their business.
Find out how Compliancy Group has helped thousands of organizations like yours Achieve, Illustrate, and Maintain their HIPAA compliance!