Risk Analysis: Common Pitfalls
Expert Insights on Traps to Avoid
Healthcare organizations need to conduct a comprehensive risk analysis as part of an effective security program. But many fall short, conducting only a HIPAA compliance assessment instead, says security specialist David Newell.
"They don't understand that HIPAA compliance assessments are an important thing to do, but they aren't the same thing as a risk analysis," Newell says in an interview with HealthcareInfoSecurity [transcript below].
Another common mistake, Newell says, is that organizations initiate a risk analysis without having a good understanding of the security controls they already have in place. "They basically don't really know what they're doing in security, or they don't have it well-documented," he says.
To determine what constitutes an acceptable level of risk, such as when allocating money from a tight budget for mitigation efforts, organizations must "get management together with folks that are in the field and with IT to work together to help set priorities," Newell advises.
In the interview, Newell:
- Explains why annual risk analysis updates are important;
- Describes risk analysis advice from the Department of Health and Human Services that spells out essential steps;
- Offers insights on how to prioritize risk mitigation steps.
Newell is the former director of CTG Health Solutions' Security Solutions Practice. He has 18 years of experience as a consultant providing information security and IT architecture solutions to small and large organizations, and 24 years of experience in the IT field specializing in systems, networks and security.
A Narrow View
HOWARD ANDERSON: What do you think the most common mistake is that healthcare providers make when attempting to conduct a meaningful risk analysis?
DAVE NEWELL: A big mistake that I see healthcare providers making is that they confuse a risk analysis with a HIPAA compliance assessment or a controls assessment. They end up looking for a risk analysis and then thinking that it's an evaluation of HIPAA compliance, as opposed to a risk analysis as one of the specific requirements from the HIPAA Security Rule.
ANDERSON: They're taking too narrow a view?
NEWELL: That's right. They don't understand that HIPAA compliance assessments are an important thing to do, but they aren't the same thing as a risk analysis.
Frequency of Assessments
ANDERSON: The HIPAA Security Rule requires a periodic analysis. We just conducted a survey that showed about a third of organizations have not conducted a risk assessment in the past year. Do you recommend an assessment be conducted annually?
NEWELL: We definitely recommend that folks do a risk analysis every year. What we're really looking for folks to do is a full enterprise risk analysis every year. But really what they should be doing with the risk analysis is any time there's a change to the organization - if you have an acquisition or you bring in different technologies - you should also be doing a risk analysis.
ANDERSON: HHS issued some guidance back in 2010 about conducting a risk analysis, and I have to say it didn't include a whole lot of specifics. But it did point to some critical features. Can you highlight a few of those for us?
NEWELL: That's true. ... The guidance is really marginally based on the risk analysis guidance that comes from NIST. One of the first things that's in there is a scoping activity - the idea there is to gain an understanding of your environment, to document the people, places and technologies that are involved. From that, then map out ePHI and PHI - where the data is that you're trying to protect. From there, you need to go in and identify vulnerabilities and threats. The next step after that is to document your control inventory. When we were talking earlier about folks confusing risk analysis with a HIPAA compliance assessment, or a controls assessment, it turns out that you really do need that controls assessment when you go to do a risk analysis because you need to understand what the state of your controls is.
Once you've got that control space evaluated, the next step is to actually do the risk analysis, to figure out likelihood and impact, and then to develop a remediation plan where you need one. The last point that's in this is ... you need to do a risk analysis again in the future.
Acceptable Levels of Risk
ANDERSON: What advice do you have for how to determine what constitutes an acceptable level of risk, such as when allocating money from a tight budget for mitigation efforts? How do you decide where to begin?
NEWELL: Risk analysis can be tough for folks because what can tend to happen is you do this risk analysis activity and you identify a bunch of vulnerabilities, but without any way to prioritize these you end up thinking that you have to do everything that could possibly come up on the list.
There are a couple things that we'll talk about with organizations and help to guide them in that. One of the things that we try to do is to get them to get management together with folks that are in the field and with IT to work together to help set priorities. We essentially use an exercise where we have them model some specific threat scenario and basically [we] walk through some specific threats. It might be a hacker attack or a loss of data. [We] talk about what controls they have in place and which controls, if they weren't in place, would be acceptable. It kind of gives them a way of gaining an understanding of what's acceptable to them by comparing different threats.
Risk Analysis Mistakes
ANDERSON: Finally, what other mistakes do you see organizations making when doing a risk analysis and how can others learn from those mistakes?
NEWELL: I mentioned this idea of confusion between risk analysis and an overall controls or compliance assessment. One of the other things that we'll see folks doing is really going into a risk analysis without having a good understanding of their controls. They basically don't really know what they're doing in security, or they don't have it well-documented. [Then] they end up actually with a risk analysis that sometimes can end up over-communicating what the risk is because they just simply don't know what they're doing to prevent risk.