SRA – Security Risk Analysis
Why Perform a Security Risk Analysis
Aside from the obvious reason, it is required under HIPAA, why should you take the time to perform a Security Risk Analysis?
- FBI studies show a 100% increase in stolen health information since 2010. Health information is being sold at $10-$20 per file as compared to $1 per file for credit card information hence its increase in popularity and corresponding increase in the need for upgraded PHI security
- Multiple consequences, including but not limited to the following, could occur if your practice has a security breach:
- Financial penalties of up to $1.5 M per incident
- Reputation damage
- Loss of patient trust, and thus a decline in patients
- Individual civil or class action lawsuits
- Credit monitoring, reporting and other costs to repair breach damage
- It will be one of the first documents examined in an Audit.
When should I perform a Security Risk Analysis
Did you know that the Security Risk Analysis requires regular updating?
Annual updates are typically adequate unless there are significant security changes such as:
- New staff who introduce new devices into your practice
- New software installation
- New hardware installation
What are the steps in the Security Risk Analysis?
There are many steps that comprise Security Risk Analysis (SRA). It is important to remember that this process cannot be entirely automated. Since over 50% of the Security Rule is made up of Administrative Safeguards, it is paramount to have both the automated IT component and the human component to generate an optimal SRA.
A high-level summary of steps includes:
- Identify critical assets that use PHI
- Analyze assets to discover threats and vulnerabilities
- Review policies, processes & staff use of PHI
- Identify gaps and determine threat levels
- Develop an action plan to address risks
- Monitor security compliance on an ongoing basis
Who should conduct the Security Risk Analysis
A critical component of ensuring a compliant Security Risk Analysis is making sure the person who conducts the analysis is qualified to do so. Key questions to ask include the following:
- Does the person conducting the analysis understand the requirements?
- Does the person conducting the analysis understand the technical terms and specialized jargon associated with the analysis?
- Can the person conducting the analysis remain objective and not use “good enough” thinking in their assessment?
- Does the person conducting the analysis have the skills necessary to utilize the analysis tool and generate action plans and reports?
Use the questions as a guide while you consider the best path for your practice. Following the Security Rule is not an option. How you chose to do so is. Find the solution that best fits your skills, personnel and practice.
For more information contact Teresa Daulong, CHSP, CHTP at firstname.lastname@example.org.