April 2018 OCR Cyber Security Newsletter
Risk Analyses vs. Gap Analyses – What is the difference?
The Health Insurance Portability and Accountability Act (HIPAA) Privacy, Security and Breach Notification Rules require covered entities and their business associates to safeguard electronic protected health information (ePHI) through reasonable and appropriate security measures. One of these measures required by the Security Rule, is a risk analysis, which directs covered entities and business associates to conduct a thorough and accurate assessment the risks and vulnerabilities to ePHI (See 45 CFR § 164.308(a)(1)(ii)(A)). Conducting a risk analysis is the first step in identifying and implementing safeguards that ensure the confidentiality, integrity, and availability of ePHI. A gap analysis, while not required by the HIPAA Rules, is a useful tool to identify whether certain standards and implementation specifications of the Security Rule have been met.
• A risk analysis is a comprehensive evaluation of a covered entity or business associate’s enterprise to identify the ePHI and the risks and vulnerabilities to the ePHI. The risk analysis is then used to make appropriate modifications to the ePHI system to reduce these risks to a reasonable and appropriate level.
• A gap analysis is typically a narrowed examination of a covered entity or business associate’s enterprise to assess whether certain controls or safeguards required by the Security Rule are implemented. A gap analysis can also provide a high-level overview of the controls in place that protect ePHI, without engaging in the comprehensive evaluation required by a risk analysis.
The Security Rule does not require a specific methodology to assess the risks to ePHI nor does it require risk analysis documentation to be in a specific format. However, there are certain elements common to a risk analysis that should be incorporated into an entity’s risk analysis process. These elements include:
The risk analysis should consider the potential risks to all of an entity’s ePHI, regardless of the particular electronic medium in which it is created, received, maintained, or transmitted, or the source or location of its ePHI.
• Data Collection
When considering the potential risks to its ePHI, entities should identify all of the locations and information systems where ePHI is created, received, maintained, or transmitted. Such an inventory should consider not only workstations and servers, but also applications, mobile devices, electronic media, communications equipment, and networks as well as physical locations.
• Identify and Document Potential Threats and Vulnerabilities Be sure to identify technical as well as non-technical vulnerabilities. Technical vulnerabilities can include holes, flaws, or weaknesses in information systems; or incorrectly implemented and/or configured information systems.
• Assess Current Security Measures
Assess and document the effectiveness of current controls, for example the use of encryption and anti-malware solutions, or the implementation of patch management processes.
• Determine the Likelihood and Potential Impact of Threat Occurrence
Determine and document the likelihood that a particular threat will trigger or exploit a particular vulnerability as well as the impact if a vulnerability is triggered or exploited.
• Determine the Level of Risk
Assess and assign risk levels for the threat and vulnerability combinations identified by the risk analysis. Determining risk levels informs entities where the greatest risk is, so entities can appropriately prioritize resources to reduce those risks.
Although the Security Rule does not specify a form or format for risk analysis documentation, such documentation should contain sufficient detail to demonstrate that an entity’s risk analysis was conducted in an accurate and thorough manner. If a covered entity or business associate submits a risk analysis lacking sufficient detail in response to an OCR audit or enforcement activity, additional documentation may be required to demonstrate that the risk analysis was in fact conducted in an accurate and thorough manner.
• Review and Update
Conducting a risk analysis is an ongoing process that should be reviewed and updated regularly. Although the Security Rule does not prescribe a frequency for performing risk analyses, risk analysis and risk management processes work most effectively when integrated into an entity’s business processes to ensure that risks are identified and addressed in a timely manner.
A gap analysis typically provides a partial assessment of an entity’s enterprise and is often used to provide a high level overview of what controls are in place to protect ePHI or to identify potential gaps where controls are not in place. Gap analyses may also be used to review an entity’s compliance with particular standards and implementation specifications of the Security Rule.
Such a gap analysis may take a form similar to the example below.
An entity’s gap analysis generally does not satisfy the risk analysis obligations because it typically does not demonstrate an accurate and thorough assessment of the risks to all of the ePHI an entity creates, receives, maintains, or transmits (See 45 C.F.R. §164.308(a)(1)(ii)(A)).
Resources for conducting a risk analysis are available on OCR’s web site at https://www.hhs.gov/hipaa/for-professionals/security/guidance/guidance-risk-analysis/index.html).
OCR’s HIPAA audit protocol may be helpful to those entities seeking information on their compliance with the HIPAA Rules (See https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html).