Q&A: Essential steps for risk analysis

Q: What are the essential steps when conducting a risk analysis? Are there any sample tools out there to provide guidance on best practices for risk analyses? How often should organizations be conducting these tests?

A: The essential steps include identifying your assets, determining what threats and vulnerabilities may harm those assets, examining current security controls, and determining impact and likelihood. This will provide you with a risk ranking and help you develop mitigation plans. You need to make sure that you assess the risk and follow up with timely mitigation.

The Office of the National Coordinator for Health Information Technology (ONC) has made available a free web-based risk analysis tool that has been approved by OCR. The risk analysis tool is designed for small to medium entities. You can find more about the ONC tool here. There are a number of good vendors out there who can help you out, but it will likely cost some money.

Risk analyses need to be conducted annually at minimum. This is not a HIPAA Security Rule requirement, given that the rule does not specify the frequency with which a risk analysis needs to be conducted, but it is sound security practice. If you’re receiving Merit-based Incentive Payment System (MIPS) payments, you need to conduct a risk analysis annually or you will not be eligible for MIPS payments.

Editor’s note: Chris Apgar, CISSP is president of Apgar & Associates, LLC, in Portland, Oregon. He is also a BOH editorial advisory board member. This information does not constitute legal advice. Consult legal counsel for answers to specific privacy and security questions. Opinions expressed are those of the author and do not represent HCPro or ACDIS.