Chapter 7

Simplify and Focus Security Risk Assessments

Here is some advice on Security Risk Assessment from a national expert. Health Security Solutions' SRA results have been reviewed
by Figliozzi's auditors on multiple occasions, and have always passed muster. If it is cost-effective, right-sized rigor that gives
you "compliance comfort", we highly recommend their advice.
Reproduced Courtesy of Health Security Solutions, November 2013
Many eligible providers (EPs) are racing to fulfill Meaningful Use requirements as their second year of attestation under Stage 1 draws
to a close. Along with meeting certain thresholds and objectives related to increased patient engagement and improved patient care,
Meaningful Use also requires providers to conduct or review a security risk analysis in each year of attestation.
When attesting to Stage 1 of Meaningful Use, EPs are required to conduct a security risk analysis during or prior to the initial 90-day
meaningful use reporting period. According to the language of the Meaningful Use Stage 1 Core Set of Objectives, EPs are required to
conduct or review a security risk analysis, implement updates as necessary, and correct identified security deficiencies as part of
the risk management process. The key word in this core objective statement is review. The language within Meaningful Use and
HIPAA allows EPs to perform a review of a previous risk analysis instead of conducting a new risk analysis in each year of attestation.
Performing a review allows EPs to build upon previous work to determine what (if any) changes to policies and procedures should
occur.
Review vs. Risk Analysis
Determining whether to perform a risk analysis or a review can be a challenge. The first step is to understand the difference between a
security risk analysis and a review. A full security risk analysis evaluates how and where patient information is stored, as well as the
security of stored protected health information (PHI). Final risk analysis reports typically identify assets, threats, vulnerabilities, and
include an impact and likelihood assessment and a risk results analysis. Following a security risk analysis, EPs should be able to use the
provided report to determine the appropriate controls, policies, and procedures needed to protect patient information and the devices on
which it is stored.

A review is carried out on the basis of a previously completed, adequate risk analysis. In order to conduct a review of a risk analysis, EPs
must have previously performed a comprehensive security risk analysis. It is impossible to perform an adequate review without first
having the sound foundation of a good risk analysis. A review then evaluates any changes that have occurred since the initial risk
analysis was performed, including added equipment involved in the storage of PHI, changes in office facilities or locations, or new
software systems. Once a review is completed, it should provide the EP with guidelines for further improving the security of PHI
based on a list of threats and vulnerabilities identified during the review.
When is a Review Appropriate?
So how should eligible providers determine whether to perform a full risk analysis or a review? A review is admissible under Meaningful
Use and HIPAA standards based on the idea that security is iterative, i.e., continually adding on to what has been done before.
Therefore, the ability to perform a review as opposed to a full risk analysis hinges upon the adequacy of any previous risk analyses. A
good risk analysis should include an inventory of PHI storage devices, identification and prioritization of risks to PHI on the EP's
network, as well as a reasonable set of policies and procedures necessary to secure patient information. If the EP has previously
conducted an adequate risk analysis, then a proper review can be carried out.
How do I perform a Review?
Since providing adequate security for PHI is an ongoing process, a proper review involves looking at previous risk analyses and
examining what, if anything, has changed since the risk analysis was performed. EPs should ask questions such as:
- Do I have any new IT assets that should be added to the inventory, specifically IT assets in which PHI resides?
- Have there been any policy changes since the previous risk analysis? Should these changes be reviewed?
- Is there any reason to believe that policies created based on the previous risk analysis should be changed, i.e., have any security incidents occurred?
- If a security breach has occurred, is there a security incident response and reporting procedure that can help identify potential causes? If so, how can the risk of similar security incidents be mitigated?
- Has the business changed locations, added square footage, or carried out significant structural remodeling?
- Are we using the same hardware platforms, operating systems, and software programs as during the previous risk analysis?

Even with an appropriate risk analysis, a review of that risk analysis is not always sufficient for compliance with Meaningful Use Stage
1 requirements. Answers to several of the aforementioned questions can indicate the need for a full risk analysis as opposed to a
review. For example, if an EP's business has moved locations or the office layout has significantly changed, or if the hardware or software
used to manage and store PHI has changed, a full risk analysis may be necessary to identify security vulnerabilities at the new facility
or in the new IT systems.
Ultimately, evaluation of every aspect of the original risk analysis is necessary for conducting an adequate review. The review should
incorporate assessment of overall changes in the environment and a methodical consideration of the security risks associated with
those changes. As with every aspect of Meaningful Use attestation and HIPAA compliance, the review should be thoroughly
documented, referencing the prior risk analysis. Each review should result in an additional list of threats and vulnerabilities that can be
added to the Security Management Plan as required by the second HIPAA Security rule.
Recommendations
The language of Meaningful Use allows for the performance of a review, as opposed to a full security risk analysis, in the following
year or two after the initial attestation. If a proper risk analysis was performed in the first year, EPs can build on the foundation of that
risk analysis to improve security practices in subsequent years. However, most security experts recommend that every covered entity
perform a full risk analysis every two to three years.
Update
Since this article was initially published, ONC has published its own tool. The ONC tool provides a structured database designed
for small and mid-sized providers to conduct and document annual Security Risk Assessments. Given the authorship of the tool,
providers should have a high level of confidence in the acceptability of an SRA conducted using it. For more information, see
http://www.healthit.gov/providers-professionals/security-risk-assessment.