There is a frequent issue with people understanding what a Security Risk Analysis includes. In fact, there is so much confusion that we often see a document presented as a risk analysis that is actually a gap analysis. It happens so often that OCR is trying to address it in their April newsletter. We are going to take a stab at explaining what gap analysis reports look like vs what a security risk analysis report really includes when done properly.
Before we get rolling, there is a story David wanted to share about someone who was fired for violating privacy rules. The story isn’t so much about that as about the screw-up that occurred afterward, when her employer sent her a box of PHI.
Now let’s get down and dirty about the difference between a risk analysis and a gap analysis. A risk analysis failure is often cited as a specific violation resulting in a settlement. We have discussed many times that a risk analysis requires more than most people understand.
A gap analysis evaluates the compliance requirements and determines whether your program is missing any element that should exist. As it is stated in the OCR newsletter, a risk analysis is completely different.
A risk analysis requires so much more than a gap analysis and that is where people get in trouble in these settlements. If your risk analysis includes the question of “have you done a risk analysis,” it is likely a gap analysis. If you stop and think about it, why would your risk analysis ask you if you have done a risk analysis? Can you say “loop?”
If you have done a risk analysis and there is not a list of potential threats with an associated risk rating, you don’t have a proper risk analysis. You should have a list of all the equipment, applications, devices, etc., showing what you evaluated for risks or remote access. Those kinds of things make it a risk analysis, not a gap analysis.
Evaluating risk means you identify what you want to protect, what things could go wrong, and the impact on the things you want to protect if something does go wrong. You evaluate which risks you are willing to take and the ones you want to avoid. That is your risk analysis.
Most reports include a list of the HIPAA requirements and ask if you are doing them. A gap analysis is what most organizations actually have done if they haven’t spent time actually learning the difference.
In order to do a proper risk analysis, start with threat catalogs from reasonable authorities. A great place to start is the NIST Guide for Conducting a Risk Assessment.
As the OCR newsletter covers, a risk analysis should include a definition of the scope: all of your ePHI locations that should be protected. After you know where it all lives, then you must learn how it moves around and what/who can access it. A proper risk analysis will include a list of the potential threats and vulnerabilities you have reviewed that could be used against the confidentiality, integrity, and availability of your PHI. In your review, you establish what you believe the likelihood of those things happening to be. If it does happen, just how bad would the impact be to your organization? Finally, you take those two values and determine what you consider the actual risk to your organization.
Once you have identified that list of problems and the risk you perceive them to be for your organization’s PHI, now it is time to get down to work and figure out what you will do about them. Each risk should be addressed by saying you are willing to accept the risk or make a plan for it. If you make a plan for it, then how are you doing with that plan? This is where you assess your current measures in place including a gap analysis of your compliance requirements.
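As an added illustration of the steps just described (not code from the original post or from OCR/NIST), here is a small Python risk register that follows them: a scope of ePHI locations, threats and vulnerabilities with a likelihood and an impact, a rating computed from those two values, an accept-or-plan decision with plan status, and a check that flags a document whose only content is the “have you done a risk analysis?” checklist as a gap analysis. The three-level scales, the multiplicative score, and the sample entries are assumptions made for the example.

```python
from dataclasses import dataclass

# Constructed 3-level scales and a multiplicative score: the post prescribes
# neither a scale nor a formula, only that likelihood and impact combine.
LEVELS = {"low": 1, "medium": 2, "high": 3}

@dataclass
class Risk:
    asset: str          # an ePHI location inside the defined scope
    threat: str         # what could go wrong
    vulnerability: str  # why it could succeed against this asset
    likelihood: str     # "low" | "medium" | "high"
    impact: str         # "low" | "medium" | "high"
    treatment: str = "undecided"  # "accept" or "plan"
    plan_status: str = ""         # how the plan is going, if there is one

    def rating(self) -> int:
        return LEVELS[self.likelihood] * LEVELS[self.impact]

def ranked(register):
    """Highest-rated risks first, so remediation planning starts there."""
    return sorted(register, key=lambda r: r.rating(), reverse=True)

def risk_analysis_problems(doc: dict) -> list:
    """Reasons a document reads as a gap analysis rather than a risk analysis."""
    problems = []
    if not doc.get("scope"):
        problems.append("no inventory of ePHI locations (scope)")
    if not doc.get("risks"):
        problems.append("no threat list with likelihood/impact ratings")
    if any("done a risk analysis" in q.lower() for q in doc.get("questions", [])):
        problems.append("asks whether a risk analysis was done (checklist loop)")
    undecided = [r for r in doc.get("risks", []) if r.treatment not in ("accept", "plan")]
    if undecided:
        problems.append(f"{len(undecided)} risk(s) without an accept/plan decision")
    return problems

# Constructed sample documents: a HIPAA checklist and a register built as described.
GAP_CHECKLIST = {"scope": [], "risks": [],
                 "questions": ["Have you done a risk analysis?", "Do you have a sanctions policy?"]}
PROPER = {"scope": ["EHR database server", "billing staff laptops", "referral email"],
          "questions": [],
          "risks": [Risk("billing staff laptops", "lost or stolen laptop", "disk not encrypted",
                         "medium", "high", "plan", "encryption rollout 60% complete"),
                    Risk("EHR database server", "ransomware", "backups never restore-tested",
                         "low", "high", "plan", "restore test scheduled"),
                    Risk("referral email", "message sent to wrong recipient",
                         "no address verification", "high", "medium", "accept")]}
```

Run `risk_analysis_problems(...)` on your own report: an empty list means it at least has the shape of a risk analysis, while the checklist sample trips every check.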
Compare all that information and use it to make your compliance and risk management plans. You then work the plans and evaluate the risk over and over again. If you turn in a risk analysis that is just a checklist of what HIPAA requires and your opinion of how well you are doing those things there is an immediate issue. Your opinion states that you have done a risk analysis but the risk analysis is really a gap analysis. Your opinion is now in question for the rest of the process. Remember, you don’t know what you don’t know.
A proper risk analysis is required to have an effective privacy and security program. That is the reason it is a core element of the HIPAA Security Rule. If you aren’t doing a risk analysis properly, you are basically just doing the “check the box” compliance approach rather than actually trying to secure patient information. Pull your reports and evaluate which one you have for your documentation. Is it a gap analysis or a risk analysis? Maybe it is a mix of both of them. If it doesn’t seem to meet the requirements we have discussed here, it is time to plan when you are going to do a proper one for managing your security.