Aligned Risk Management’s Scope and Methodology
When conducting our thorough and accurate risk assessment process, Aligned Risk Management uses a proven and comprehensive methodology.
The first step in an enterprise-wide Risk Assessment is to identify all systems that are in scope. Aligned Risk Management risk analysts will identify all systems and procedures in place to receive, collect, create, maintain, transmit and dispose of PHI (Protected Health Information) in any form, including electronic and printed information.
Next we will identify potential threats to the privacy, security and availability of PHI. Threats are any person or agency that could, whether maliciously or otherwise, cause damage to the system. A number of reasonably anticipated threats will be identified:
- Environmental threats, referring to immediate physical environments, such as offices or data centers
- Natural threats, referring to weather, natural disasters, mass human events and Acts of God
- Human threats, referring to individuals who could cause harm, either inadvertently or negligently, or intentionally and maliciously
A primary focus will be human threats to the PHI systems and, in particular, on internal, non-malicious human threats. Although hackers and criminals pose a real threat in today’s internet-connected world, inadvertent and unintentional breaches of privacy and security are extremely common.
Information Gathering Methodology
Aligned Risk Management will conduct an initial kick-off interview to identify key stakeholders. Introductions, verification of scope and identification of relevant documentation will take place at this point.
In the first two weeks, we will schedule two intensive interviews with staff. The first interview is with the practice manager, HIPAA compliance officer and other key staff. The Aligned Risk Management systems analyst and risk analyst will inventory and document all PHI systems in place at the organization. We will also begin gathering the organization’s policies and procedures, notice of privacy practices, business associate agreements and all other pertinent documents.
The second meeting is a technical interview that serves to clarify and confirm the status of various technical and non-technical controls.
Due to the nature of the remote work, these interviews will be conducted back-to-back on two consecutive business days.
A site visit of the administrative, operations and IT locations will be conducted to document physical security controls.
Documentation, including business associate agreements, notice of privacy practices and other pertinent documents, obtained during the interview process will be stored, securely and centrally.
Auditing and Documentation Methodology
Having identified likely threats to PHI, the Aligned Risk Management risk analysts will carefully review systems for technical and process-related vulnerabilities and any flaw or weakness that a threat could accidentally trigger or intentionally exploit. All systems have vulnerabilities; complex systems can have many.
We will then audit systems to identify existing controls, measures that have already been implemented to reduce the likelihood that a threat can effectively exercise a vulnerability. All documentation of existing controls will cite relevant policy and procedure documentation reviewed for the organization. Risks and controls will be mapped to the standard HIPAA Implementation Specifications and also to the cybersecurity controls documented in NIST 800-53r4.
A threat acting on a vulnerability mitigated by controls creates a risk. The relationship among these four concepts forms the basis of our risk assessment approach, which can be thought of as a formula:
Threat × Vulnerability – Controls ⇒ Risk
By analyzing threats, vulnerabilities, controls and potential impact, we assign a Risk level to each risk, ranked on a four-point scale from Negligible to Critical.
Recommendations for Management and Mitigation
Our Risk Assessment not only identifies potential risks. We also propose solutions and are committed to helping our clients find the best way to improve HIPAA compliance and also to forward their strategic goals.
For each identified risk, we propose new controls that will mitigate the risk. The proposals contained in our report will not plumb the technical details and specific challenges that implementation will entail, but they will offer a general road map that will help guide the risk management process.
We also recognize that every organization must budget the resources available for any task, even a mission-critical task like risk management. At the end of the Risk Assessment report we will include a Quantitative Analysis of Control Priorities, ranking each proposed control according to a weighted cost-benefit algorithm.
Based on our cost-benefit analysis, we will propose a tentative time frame based on the criticality of the security ranking and cultural burden for implementing new controls and new policies to advance the organization’s security posture and bring the organization into compliance with the HIPAA rules.