The organization turned to the RiskLens Services team to introduce FAIR™ (Factor Analysis of Information Risk) risk analysis practices and the RiskLens platform for information risk management.
Here’s a step by step outline of how RiskLens helped the organization meet each of these critical HIPAA standards:
“The Security Rule requires the risk analysis to be documented but does not require a specific format. (See 45 C.F.R. § 164.316(b)(1).) The risk analysis documentation is a direct input to the risk management process.” – HIPAA Risk Analysis Requirement
Because there is no formal rule on how risk analyses are documented, the RiskLens Platform was more than sufficient to document the organization’s risk analysis. The platform enabled detailed documentation in each analysis of the following FAIR best practices:
We followed these standard FAIR documentation elements, thus the organization was able to satisfy this element of the analysis rule. Furthermore, all of this documentation was stored in the RiskLens platform, tied to specific analyses, and thus will be extremely helpful during their future HIPAA evaluations/audits.
Learn more: Automate Cyber Risk Analysis with RiskLens Data Helpers
Tyler Britton is a RiskLens Risk Consultant
“The scope of risk analysis that the Security Rule encompasses includes the potential risks and vulnerabilities to the confidentiality, availability and integrity of all e-PHI that an organization creates, receives, maintains, or transmits.” – HIPAA Risk Analysis Requirement
The first step in all FAIR analysis is to scope the risk scenario, which includes identifying the:
The RiskLens platform requires these elements in each analysis. During the RiskLens engagement with this healthcare organization, a comprehensive list of all e-PHI assets/systems were considered and analyzed. The result of these analyses was an understanding of the risks to e-PHI confidentiality, integrity, and availability.
Importantly, this analysis resulted in understanding at an organization-wide level as well as on a detailed, scenario basis.
Learn more: How To Scope A Risk Analysis Using FAIR
“An organization must identify where the e-PHI is stored, received, maintained or transmitted… The data on e-PHI gathered using these methods must be documented.” – HIPAA Risk Analysis Requirement
The first part of the engagement with the organization was an Identification Workshop, where we identified a comprehensive list of systems/assets within the organization that were relevant to e-PHI.
Later, we conducted a detailed Data Gathering Workshop where, together with SMEs, we evaluated:
The data gathering efforts and rationale were extensively documented in the RiskLens platform, as discussed earlier in this case study.
Learn more: 5 Takeaways from a RiskLens Top Risk Identification Workshop
“Organizations must identify and document reasonably anticipated threats to e-PHI… Organizations must also identify and document vulnerabilities.” – HIPAA Risk Analysis Requirement
The RiskLens platform contains numerous functionalities for identifying and documenting threats and vulnerabilities:
For the organization, this requirement was fulfilled simply by using the RiskLens platform to conduct risk analysis.
Learn more: A Better Way to Understand Vulnerabilities with FAIR and RiskLens
“Organizations should assess and document the security measures an entity uses to safeguard e-PHI” – HIPAA Risk Analysis Requirement
We included current security controls/measures in the rationale of each scenario used in the risk analysis, per standard FAIR documentation practices. Furthermore we:
Learn more: 4 Steps to Rightsizing Your Cybersecurity Controls Environment with FAIR™ and RiskLens
“The Security Rule requires organizations to take into account the probability of potential risks to e-PHI…The output of this part should be documentation of all threat and vulnerability combinations with associated likelihood estimates that may impact the confidentiality, availability and integrity of e-PHI of an organization.” – HIPAA Risk Analysis Requirement
FAIR is a quantitative risk analysis model that analyzes risk as:
The HIPAA risk assessment we performed with this healthcare organization determined the likelihood and financial impact (determined through data gathering with organizational SMEs) of loss for each system/asset that processes e-PHI.
“The Rule also requires consideration of the “criticality,” or impact, of potential risks to confidentiality, integrity, and availability of e-PHI. (See 45 C.F.R. § 164.306(b)(2)(iv).) An organization must assess the magnitude of the potential impact resulting from a threat triggering or exploiting a specific vulnerability. An entity may use either a qualitative or quantitative method or a combination of the two methods to measure the impact on the organization.” – HIPAA Risk Analysis Requirement
During the engagement with the organization, each analysis listed the probable financial impact on the organization. Furthermore, the platform’s Risk Assessment Library allowed us to aggregate scenarios together in order to understand the total/aggregate financial impact on the organization from e-PHI.
“Organizations should assign risk levels for all threat and vulnerability combinations identified during the risk analysis… The risk level determination might be performed by assigning a risk level based on the average of the assigned likelihood and impact levels.” – HIPAA Risk Analysis Requirement
As discussed, the natural output of FAIR and RiskLens platform analysis is the financial risks each scenario poses to an organization. In other words, the output of analysis always shows the level of risk, in financial terms.
In the engagement, this allowed the organization to evaluate:
Learn more: How to Set a (Meaningful) Cyber Risk Appetite with RiskLens
“The risk analysis process should be ongoing. In order for an entity to update and document its security measures “as needed,” which the Rule requires, it should conduct continuous risk analysis to identify when updates are needed.” – HIPAA Risk Analysis Requirement
After the completion of the HIPAA Risk Assessment engagement, we “locked in” the current state of each scenario which is a functionality in the platform that makes the current state analysis results immutable. Then, these results can be copied and evaluated and updated, effectively allowing the organization to:
There are significant automation features built into the platform that allow changes in the environment to propagate through and automatically update all scenarios.
The outcome for the organization was perfectly consistent with their goal to fulfill the letter and the spirit of the HIPAA risk analysis rule with FAIR and RiskLens. The organization is not only compliant and prepared for a HIPAA audit/assessment, but their cyber risk program is significantly more robust than before the assessment. Going forward, they have the groundwork, knowledge, and tools needed to fully implement an effective risk management program based on FAIR cyber risk quantification.