No matter how long you have been dealing with HIPAA, there are probably some parts you just don't get. In the end, the HIPAA Security Rule exists to prevent bad stuff from happening. So what is your risk of bad stuff happening? Answering that question is the purpose of one of the HIPAA requirements: "conduct an accurate and thorough assessment of potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the organization." Before you take part in a risk assessment or analysis, you need to understand what a risk is.


Risk = the potential for bad stuff to happen because a threat exploits a vulnerability. Threats come from a threat source, and in general there are four types of threat source:

Adversarial: anyone who intends to cause harm, ranging from cyber-criminal organizations to the snotty-nosed kid hacking from his parents' basement.

Accidental: your employees making mistakes.

Structural: equipment breaking.

Environmental: floods, fires, and other acts of nature.

You can't protect everything from every threat, so luckily a HIPAA Risk Analysis (or assessment, as some people call it) only looks at threats to electronic protected health information (ePHI). A side benefit is that the threats to your ePHI are often the same threats that exist to all your information.

Going through a risk analysis can prevent future loss of data and work stoppages. It is also required by federal law. Knowing which threats and vulnerabilities to look for can save your staff valuable time and frustration during the risk analysis process.