No matter how long you have been dealing with HIPAA, there are probably some parts you just don’t get. In the end, the HIPAA Security Rule exists to prevent bad stuff from happening. So what is your risk of bad stuff happening? Answering that is the purpose of one of the HIPAA requirements: “conduct an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the organization.” Before you take part in a risk assessment or analysis, you need to understand what a risk is.
Risk = potential for bad stuff because a threat exploits a vulnerability. In general, here are the four types of threat sources:
This ranges from cyber-criminal organizations to the snotty-nosed kid hacking from his parents’ basement.
Your employees making mistakes
Floods, fires, other acts of nature
You can’t protect everything from every threat, so luckily a HIPAA Risk Analysis (or assessment, as some people call it) only looks at threats to electronic protected health information (ePHI). A side benefit is that the threats that exist to the ePHI are often the same threats that exist to all your information.
Going through a risk analysis can prevent future loss of data and work stoppage. It is also required by federal law. Knowing what threats and vulnerabilities to look for can save your staff valuable time and frustration during the risk analysis process.