Introduction to Risk Analysis
‘Risk analysis’ is likely a term that resonates with any healthcare professional–be that a compliance officer, IT security analyst, or reception staff. Not only is the protection of patient data a paramount concern in the industry, but the prevalence of technology and its dangers ensures that such terminology is within many people’s repertoire. Therefore, safeguarding data, which involves evaluating any risks to it, is implicit within the daily activities of far more than just the designated privacy official.
Risk analysis, in short, can be described as the process of identifying the threats most likely to occur and then analyzing in what ways the organization remains vulnerable. In other words, risk analysis is figuring out how threats might take purchase, thus enabling the organization to safeguard against as much. It’s important to note how risk analysis differs from risk assessment, as the latter examines existing measures taken to protect vulnerabilities, then assesses their adequacy relative to any threats posed. Think of risk analysis as the first step to safeguarding patient data and assessment as the second.
Risk analysis does not equate to gap analysis either. As Adam Greene, a partner at Davis Wright Tremaine who specializes in health privacy law, states: “A gap analysis is typically a narrowed examination of a covered entity or business associate’s enterprise to assess whether certain controls or safeguards required by the Security Rule have been implemented. A gap analysis provides a high-level overview of how an entity’s safeguards are implemented and shows what is incomplete or missing (i.e., spotting “gaps”), but it generally does not provide a comprehensive, enterprise-wide view of the security processes of covered entities and business associates.” Said simply, the goal of the risk analysis is to understand the risks in the environment, the gap analysis aims to understand if the controls intended to mitigate those risks are designed and operating effectively.
While analyzing risk might sound simple enough, healthcare regulatory drivers–federal laws and accreditation agencies that dictate standards to which healthcare entities must adhere to remain in good standing–seem to require differing iterations of the process. If any definitive criteria is given at all; a lot of regulations are vague. So, in what manner should a healthcare organization approach the concept of risk analysis? Is there a way to address healthcare risk analysis comprehensively? This post attempts to examine several such healthcare regulatory drivers, what they require, and, ultimately, if exhaustive risk analysis is possible.
Within the healthcare industry, the Health Information Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH), might be the federal legislation that first comes to mind when speaking of regulation. Thankfully, while published guidance from the U.S. Department of Health and Human Services (HHS) aren’t always perfectly clear, they do lay a helpful foundation for covered entities as to government expectations.
Risk analysis as a requirement is codified at 45 C.F.R. § 164.308. The latest guidance works through that portion of the federal code and specifies elements of risk analysis that should be considered: scope (all ePHI regardless of medium, source, and manner of creation, reception, or transmission), methods of data collection and retention, identification and documentation of threats and vulnerabilities, etc. It is worth noting that the Office for Civil Rights (OCR), who vets HIPAA and HITECH compliance, consolidates risk analysis and assessment within said guidance.
While the OCR provides few clear-cut parameters, it does suggest several sets of framework with which to guide risk analysis. The Security Series available through the HHS website better delineates the tools and methodology available for risk management in its entirety, and the government agency itself utilizes the National Institute of Standards and Technology (NIST). NIST even offers a HIPAA Security Rule Toolkit to aid in compliance measures.
MACRA & MIPS
The Center for Medicare and Medicaid Services (CMS), applies the Medicare Access and CHIP Reauthorization Act (MACRA) and Merit-based Incentive Payment System (MIPS) risk analysis criteria in conjunction with HIPAA, since many healthcare providers and organizations accept Medicare and Medicaid. Similar to its sister agency under HHS, CMS utilizes many of the same government-provided guidance and resources regarding risk analysis as the OCR. This allows those tasked with risk management to double-dip into the aforementioned, to cover both CMS and OCR requirements.
The guidance provided by CMS largely reiterates those published by OCR; many, if not most, cite directly back to the latter agency. A discrepancy worth noting is that CMS provides quick bullet points to cover information of use in conducting risk analysis in their official guidance on the topic. Myths are also discussed to spare healthcare organizations wasted time and energy, including helpful hints such as: risk analysis is mandatory even for small providers, organizations don’t have to outsource risk analysis, and there is no specific risk analysis procedure that must be followed, etc.
The Joint Commission
Specializing in accreditation for a plethora of healthcare-related organizations–such as ambulatory healthcare, imaging centers, and urgent care, The Joint Commission certifies entities to reflect care and commitment in meeting performance standards. Accreditation can lower liability insurance rates and instill public goodwill, as well as help safeguard patient information and adhere to government regulation by means of the accreditation regimen. Therefore, rubrics for risk analysis from such non-profits as The Joint Commission can help address information safeguards across the board.
In keeping with the previously mentioned federal agencies, The Joint Commission makes no specific designation of how a risk analysis should be completed. The Leadership chapter of the organization’s Manual does, however, provide examples of a risk assessment model. And yet, unlike the direction provided by HHS, these manuals (specific to each type of healthcare-related entity) require payment to access. Therefore, although the information within might be valuable, it is difficult to use as a resource unless appropriately budgeted for.
A Comprehensive Approach
No risk analysis template will be one-size-fits-all, given that the risk analysis must be appropriate to the size of the organization, the nature of the operations, and business processes. For example, it’s hard to argue that a single enterprise-wide risk analysis of a 10,000 bed IDN would accurately identify the risks in the organization, while this same approach might be sufficient for a three-physician family medicine practice. Therefore, the size, capabilities, and complexity of the organization do drive different levels and types of risk. Generally, the risk analysis performed must follow these requirements:
- Identify the scope of the analysis. This should include all ePHI in all forms of electronic media, which includes information on portable media like hard drives, CDs, thumb drives, etc. This is a critical step, not only to the OCR but also to the organization who is careful not to waste precious resources. Under-scoping can result in an insufficient risk analysis. Over-scoping means spending unnecessary costs and resource time assessing risk for areas that do not have an impact on patient privacy and care.
- Gather data. Be able to identify and locate where data is stored, received, maintained, or transmitted. Make sure to do so for all facilities or departments within the organization.
- Identify and document potential threats and vulnerabilities. Tackle this step in two parts—threats then vulnerabilities. Keep to events of each variety that can be reasonably anticipated.
Once risks have been identified, an assessment of current security measures and the likelihood of threat occurrence (as well as the impact on and associated risk to patient information), can be determined. For some organizations, the risk analysis will be a significant undertaking. Thus, it is imperative to document all your processes, methodology, results and management review and sign-off. In the absence of documenting the process, how can an examiner know that the analysis was performed? The good word of your team will not likely pass an OCR audit. As the saying goes: “trust but verify.”
Another key element of the risk analysis process is that it is not a one-time event. To be effective and adequate per the OCR, the risk analysis must be performed regularly and upon major changes to the organization that might result in a shift of the risk profile.
Ultimately, there are many resources at the public’s disposal, be that government-provided or through organizations, design to assist healthcare entities, in properly safeguarding patient information. The most comprehensive approach to risk analysis is arguably to make use of the framework and questionnaires available, such as the collection of NIST Special Publications on risk analysis. The OCR also publishes a free Security Risk Analysis tool, which is a great basic approach for a less complex organization.