Once again, I was brought into a conversation with an organization that had unfortunately just become aware of its HIPAA responsibilities and had done very little in the way of privacy and security. That is not what precipitated my desire to write this piece though. That type of conversation happens all too frequently, especially now that Business Associates are finally realizing they really do have to “get with the program.” What motivated me to write was why I was asked to join the call.
I was asked if I could explain why it is important to perform a risk assessment early and often and why it is not (as the title says above) a graduation exercise to be performed once you think you are going to pass it. First of all there is no “passing it”. You don’t pass or fail a risk assessment. You might identify more or less risk, the underlying purpose of the exercise, but you don’t get a pass/fail grade based on the results. You definitely can and will fail your compliance requirement to conduct one if you don't. You definitely will jeopardize your meaningful use status if you don’t. You definitely will put yourself in a less defensible position should you have a breach and be investigated by the OCR if you don’t. You definitely will receive a negative finding on an OCR audit if you do not do one. You may very well jeopardize a business relationship with a partner if you cannot produce one. Need I go on?
There is a reason that risk analysis is not only a required specification in the HIPAA Security Rule, but also the first required specification in the rule. It’s because risk analysis is designed to “inform” your information security program and the selection of security controls. Its purpose is to enumerate risks, identify steps for mitigation and assist in selecting appropriate controls. Its focus is to assist in lowering risk. It is always best performed at the onset of a new program, service, operation, or when developing an information security program. It does not simply concern itself with whether or not you have policies or procedures, it seeks to understand whether they are effective at controlling or reducing the risk to an acceptable level. That is another important distinction.
Risk assessment is not black and white—it permits shades of grey. It is not meant to act like a an audit or a gap analysis that rarely touch on the sufficiency of a policy while determining if one exists in conformance with a standard or requirement. Like anything else, it helps to understand the tools and to use the right one for the job. A gap analysis will tell you whether you have a policy, whether or not it appears to meet the requirements of the standard based on its elements, whether the policy is current or not, but most gap analysis performed for compliance purposes never answer the question of whether or not the policy is effective, or what it should contain and how it should be written. Risk assessment gives no points for “showing up” or simply having a policy that is compliant. It looks at whether the policy as written is effective at reducing risk.
Most importantly, we conduct risk assessments because they are valuable tools for enhancing our business. They promote cost avoidance by helping us meet compliance requirements, by early identification of vulnerabilities that can lead to incidents, by helping to avoid down time and system outages, or by simply providing an effective tool for enumerating and addressing risks. The second benefit associated with risk assessments is that they can be revenue generators. Business Associates and partners have to demonstrate their compliance to OCR in addition to the Covered Entities they work for and other business partners who are going to request it as part of their vendor selection due diligence processes. The third big benefit of risk assessment is that it is an enabler of business. It is required to earn incentive dollars associated with Meaningful Use, for certain NIH research grants, for participation in some collaborative initiatives like health information exchange (HIE) and accountable care organizations and is required by both Covered Entities and Business Associates alike as a gateway to doing business together.
A single risk analysis performed correctly can support multiple business requirements. The fourth benefit is that risk assessment saves money. By supporting more informed security controls choices we avoid costly incidents. Done correctly, we identify ineffective controls, duplicative controls and options for securing data that may not require higher investment. Repeated over time risk assessment reinforces our choice of controls or provides early warning that the risk may have changed and therefore affected their effectiveness. Last, but not least, risk assessment provides the mechanism for reaching consensus and building support for security investment, because it fosters a better understanding of the risks.
So when you hear someone in your organization suggest that you are not ready for a risk assessment, look them straight in the eye and say, that just proves we are! If you are telling me you think your program is lacking then you definitely need to assess the risk you are exposed to, and you need to perform a risk assessment to identify the priority areas you need to address first. You don’t wait until you think you are ready, you do it now, you do it first, you do it when it can benefit you the most. Conducting a risk assessment is your first step to demonstrating compliance, critical to meeting meaningful use, and important to a number of other regulatory, security and business requirements.