The Challenge: A major healthcare organization wanted to move beyond the “checklist” approach to complying with HIPAA risk-analysis requirements and also satisfy the requirements in principle, including:
- Performing HIPAA risk analysis on all e-PHI assets/systems
- Laying significant groundwork for future HIPAA risk analysis
- And, at the same time, implementing a robust quantitative cyber risk analytics program
The organization turned to the RiskLens Services team to introduce FAIR™ (Factor Analysis of Information Risk) risk analysis practices and the RiskLens platform for information risk management.
Here’s a step by step outline of how RiskLens helped the organization meet each of these critical HIPAA standards:
HIPAA Requirement 1 - Finalize Risk Analysis Documentation
“The Security Rule requires the risk analysis to be documented but does not require a specific format. (See 45 C.F.R. § 164.316(b)(1).) The risk analysis documentation is a direct input to the risk management process.” – HIPAA Risk Analysis Requirement
Because there is no formal rule on how risk analyses are documented, the RiskLens Platform was more than sufficient to document the organization’s risk analysis. The platform enabled detailed documentation in each analysis of the following FAIR best practices:
- Controls considered
- Subject matter experts (SME) and data used
- Future state showing potential corrective actions
We followed these standard FAIR documentation elements, thus the organization was able to satisfy this element of the analysis rule. Furthermore, all of this documentation was stored in the RiskLens platform, tied to specific analyses, and thus will be extremely helpful during their future HIPAA evaluations/audits.
Learn more: Automate Cyber Risk Analysis with RiskLens Data Helpers
Tyler Britton is a RiskLens Risk Consultant
HIPAA Requirement 2 - Scope the Analysis
“The scope of risk analysis that the Security Rule encompasses includes the potential risks and vulnerabilities to the confidentiality, availability and integrity of all e-PHI that an organization creates, receives, maintains, or transmits.” – HIPAA Risk Analysis Requirement
The first step in all FAIR analysis is to scope the risk scenario, which includes identifying the:
- Effect (confidentiality, availability or integrity)
The RiskLens platform requires these elements in each analysis. During the RiskLens engagement with this healthcare organization, a comprehensive list of all e-PHI assets/systems were considered and analyzed. The result of these analyses was an understanding of the risks to e-PHI confidentiality, integrity, and availability.
Importantly, this analysis resulted in understanding at an organization-wide level as well as on a detailed, scenario basis.
Learn more: How To Scope A Risk Analysis Using FAIR
HIPAA Requirement 3 - Collect and Store Data
“An organization must identify where the e-PHI is stored, received, maintained or transmitted… The data on e-PHI gathered using these methods must be documented.” – HIPAA Risk Analysis Requirement
The first part of the engagement with the organization was an Identification Workshop, where we identified a comprehensive list of systems/assets within the organization that were relevant to e-PHI.
Later, we conducted a detailed Data Gathering Workshop where, together with SMEs, we evaluated:
- The potential frequency of loss
- All of the various financial impacts to an organization based on the 6 forms of loss in FAIR
The data gathering efforts and rationale were extensively documented in the RiskLens platform, as discussed earlier in this case study.
Learn more: 5 Takeaways from a RiskLens Top Risk Identification Workshop
HIPAA Requirement 4 - Identify and Document Potential Threats and Vulnerabilities
“Organizations must identify and document reasonably anticipated threats to e-PHI… Organizations must also identify and document vulnerabilities.” – HIPAA Risk Analysis Requirement
The RiskLens platform contains numerous functionalities for identifying and documenting threats and vulnerabilities:
- The Threat Library provided allowed the organization to define and document all types of relevant threat actors
- The Scenario Library allowed the organization to document all probable risk scenarios and the Threat Actors relevant to those scenarios
- Vulnerabilities were documented in each scenario in the Scenario Library
For the organization, this requirement was fulfilled simply by using the RiskLens platform to conduct risk analysis.
Learn more: A Better Way to Understand Vulnerabilities with FAIR and RiskLens
HIPAA Requirement 5 - Assess Current Security Measures
“Organizations should assess and document the security measures an entity uses to safeguard e-PHI” – HIPAA Risk Analysis Requirement
We included current security controls/measures in the rationale of each scenario used in the risk analysis, per standard FAIR documentation practices. Furthermore we:
- Described how and to what affect the controls safeguarded e-PHI
- Assessed and documented weakness found in any controls
Learn more: 4 Steps to Rightsizing Your Cybersecurity Controls Environment with FAIR™ and RiskLens
HIPAA Requirement 6 - Determine the Likelihood of Threat Occurrence
“The Security Rule requires organizations to take into account the probability of potential risks to e-PHI…The output of this part should be documentation of all threat and vulnerability combinations with associated likelihood estimates that may impact the confidentiality, availability and integrity of e-PHI of an organization.” – HIPAA Risk Analysis Requirement
FAIR is a quantitative risk analysis model that analyzes risk as:
- The probable frequency in a given timeframe (usually per year) of a loss event occurring
- The financial impacts should that loss occur
The HIPAA risk assessment we performed with this healthcare organization determined the likelihood and financial impact (determined through data gathering with organizational SMEs) of loss for each system/asset that processes e-PHI.
HIPAA Requirement 7 - Determine the Potential Impact of Threat Occurrence
“The Rule also requires consideration of the “criticality,” or impact, of potential risks to confidentiality, integrity, and availability of e-PHI. (See 45 C.F.R. § 164.306(b)(2)(iv).) An organization must assess the magnitude of the potential impact resulting from a threat triggering or exploiting a specific vulnerability. An entity may use either a qualitative or quantitative method or a combination of the two methods to measure the impact on the organization.” – HIPAA Risk Analysis Requirement
During the engagement with the organization, each analysis listed the probable financial impact on the organization. Furthermore, the platform’s Risk Assessment Library allowed us to aggregate scenarios together in order to understand the total/aggregate financial impact on the organization from e-PHI.
HIPAA Requirement 8 - Determine the Level of Risk
“Organizations should assign risk levels for all threat and vulnerability combinations identified during the risk analysis… The risk level determination might be performed by assigning a risk level based on the average of the assigned likelihood and impact levels.” – HIPAA Risk Analysis Requirement
As discussed, the natural output of FAIR and RiskLens platform analysis is the financial risks each scenario poses to an organization. In other words, the output of analysis always shows the level of risk, in financial terms.
In the engagement, this allowed the organization to evaluate:
- Whether or not the annualized financial exposure for a given scenario was acceptable
- How much risk (in financial terms) each e-PHI asset posed
Learn more: How to Set a (Meaningful) Cyber Risk Appetite with RiskLens
HIPAA Requirement 9 - Periodic Review and Updates to the Risk Assessment
“The risk analysis process should be ongoing. In order for an entity to update and document its security measures “as needed,” which the Rule requires, it should conduct continuous risk analysis to identify when updates are needed.” – HIPAA Risk Analysis Requirement
After the completion of the HIPAA Risk Assessment engagement, we “locked in” the current state of each scenario which is a functionality in the platform that makes the current state analysis results immutable. Then, these results can be copied and evaluated and updated, effectively allowing the organization to:
- Document risk for a given scenario over time
- Always evaluate whether or not the current state of a Scenario is within an acceptable level of risk
There are significant automation features built into the platform that allow changes in the environment to propagate through and automatically update all scenarios.
The outcome for the organization was perfectly consistent with their goal to fulfill the letter and the spirit of the HIPAA risk analysis rule with FAIR and RiskLens. The organization is not only compliant and prepared for a HIPAA audit/assessment, but their cyber risk program is significantly more robust than before the assessment. Going forward, they have the groundwork, knowledge, and tools needed to fully implement an effective risk management program based on FAIR cyber risk quantification.