SRA – Security Risk Analysis

Why Perform a Security Risk Analysis

Aside from the obvious reason, it is required under HIPAA, why should you take the time to perform a Security Risk Analysis?
  • FBI studies show a 100% increase in stolen health information since 2010.  Health information is being sold at $10-$20 per file as compared to $1 per file for credit card information hense its increase in popularity and corresponding increase in the need for upgraded PHI security
  • Multiple consequences, including but not limited to the following, could occur if your practice has a security breach:
    • Financial penalties of up to $1.5M per incident
    • Reputation damage
    • Loss of patient trust, and thus a decline in patients
    • Individual civil or class action law suits
    • Credit monitoring, reporting and other costs to repair breach damage
  • It will be one of the first documents examined in an Audit.

When should I perform a Security Risk Anaylsis

Did you know that the Security Risk Analysis requires regular updating? Annual updates are typical adequate unless there are significant security changes such as:
  • New staff who introduce new devices into your practice
  • New software installation
  • New hardware installation

What are the steps in the Security Risk Analysis?

There are many steps that comprise of a Security Risk Analysis.  It is important to remember that this process cannot be entirely automated.  There is both an automated IT component as well as a human component.  As over 50% of the Security Rule is adminstrative both necessary to have an appropriate Security Risk Analysis. A high-level summary of steps includes:
  1. Identify critcal assets that use PHI
  2. Analyze assets to discover threats and vulnerabilities
  3. Review policies, processess & staff use of PHI
  4. Identify gap and determine threat levels
  5. Develop action plan to address risks
  6. Monitor on an ongoing basis

Who should conduct the Security Risk Analysis

A critical component of ensuring a compliant Security Risk Analysis is making sure the person who conducts the analysis is qualified to do so.  Key questions to ask include the following:
  • Does the person conducting the analysis understand the requirements?
  • Does the person consucting the analysis understand the technical terms and specialized jargon associated with the analysis?
  • Can the person conducting the analysis remain objectice and not use “good enough” thinking in their self-assessment?
  • Does the person conducting the analysis have the skills necessary to utilize the analysis tool and generate action plans and reports?
Use the questions as a guide while you consider the best path for your practice.  Following the Security Rule is not an option.  How you chose to do so is.  Find the solution that best fits your skills, personnel and practice. For more information contact Teresa Daulong, CHSP, CHTP at daulongt@bcmscomp.com.