Do I need to address all identified security risks?

Risk is the level of exposure and potential impact of threats on the confidentiality, integrity, and availability of electronic Protected Health Information (ePHI).

Threats are all factors that can have a negative impact on ePHI.

  Threats may be:

–  Intentional (e.g., malicious intent); or

–  Unintentional (e.g., misconfigured security role assignment in EHR system, data entry error).

Threat sources include:

– Natural (e.g., floods, earthquakes, storms, tornados);

–  Human (e.g., intentional, such as identity thieves, hackers, spyware authors; unintentional, such as data entry error, accidental deletions, improper disclosure); or

– Environmental (e.g., power surges and spikes, hazmat contamination pollution).

 Vulnerabilities are flaws or weaknesses in an EHR or PMS system’s security procedure, design, implementation, or control that could be intentionally or unintentionally exercised by a threat.

Impact is a negative quantitative and/or qualitative assessment of a vulnerability being exercised on the confidentiality, integrity, and availability of ePHI.

Covering how to identify security risks during your meaningful use security risk assessment process is beyond the scope of this article. Rather, our focus will be on strategizing how to address the identified risks. As demonstrated by recent announcements from major retailers and healthcare providers on data breaches, identifying security risks in the technology systems is only half the battle. Strategically addressing the risks identified in the risk analysis is the key to maintain the upper hand. The majority of risk identification will be focused on analyzing your different systems, including your EHR programs, network, wireless infrastructure, desktops/laptops, mobile devices, and other portable devices including USB thumb drive, backup tapes, etc.

In terms of addressing all identified risks, it’s effectively impossible to address all of them, as security experts generally agree that security threats are constantly evolving. For instance, by the time you have reasonably secured all desktops and laptops, your ePHI  also may be on mobile devices and/or with cloud service providers. It’s said in the industry that you cannot run a business with zero risk, and this notion very much applies to the information security risk area.

Prioritization of risk should take into account all information gathered and determinations made by analyzing the likelihood of threat occurrence and its resulting impact. The risk-level determination may be performed by assigning a risk-level based on the average of the assigned likelihood and impact levels. A risk-level matrix, such as the sample depicted below, can be used to assist in determining risk levels.

It’s possible for most organizations to address the risks using one or more of the following options:

• By accepting the risks
• By mitigating the risks
• By transferring the risks

It should be noted that not all possible recommended security controls can always be implemented to reduce risks identified. To determine which are most required and appropriate, a cost-benefit analysis needs to be conducted for the recommended controls to demonstrate that the costs of implementing the controls will be justified by the reduction in the level of risk. In addition to cost, organizations should consider the operational impact and feasibility of introducing the recommended security controls into the operating environment.

Your overall objective for addressing any risks needs to be minimizing the probability and consequences of adverse events to your organization, along with managing the risks within acceptable levels

Download Free FAQ on MU EHR Incentive Audit

Listen to our on-demand webinar on security risk analysis: