Policy Summary
- It is the policy of UW–Madison for each unit of the UW HCC and each individual or unit within UW–Madison that is a business associate of a covered entity (hereafter collectively referred to as “units”) to conduct thorough and timely risk assessments of the potential threats and vulnerabilities to the confidentiality, integrity, and availability of its electronic protected health information (and other confidential and proprietary electronic information) and to develop strategies to efficiently and effectively reduce the risks identified in the assessment process.
- Risk analysis and risk management are integral components of each unit’s compliance program and information technology (IT) security program in accordance with the Risk Analysis and Risk Management implementation specifications within the Security Management standard and the Evaluation standard set forth in the HIPAA Security Rule, 45 CFR §164.308(a)(1)(ii)(A) Risk Analysis, §164.308(a)(1)(ii)(B) Risk Management, §164.308(a)(1)(i) Security Management Process, and §164.308(a)(8) Evaluation.
- Risk assessments are done throughout the IT system life cycle:
  - Before the purchase or integration of new technologies and changes are made to physical safeguards;
  - While integrating technology and making physical security changes; and
  - While sustaining and monitoring appropriate security controls.
- Each unit performs periodic technical and non-technical assessments of compliance with the security rule requirements, with additional assessments in response to environmental or operational changes affecting the security of electronic protected health information.
- Each unit implements security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to:
  - Ensure the confidentiality, integrity, and availability of all ePHI the unit creates, receives, maintains, and/or transmits;
  - Protect against any reasonably anticipated threats or hazards to the security or integrity of electronic protected health information;
  - Protect against any reasonably anticipated uses or disclosures of electronic protected health information that are not permitted or required; and
  - Ensure compliance by the workforce.
- All unit workforce members are expected to fully cooperate with all persons charged with doing risk management work. Any workforce member who violates this policy will be subject to disciplinary action based on the severity of the violation according to UW-138 Responding to Employee Noncompliance with Policies and Procedures Relating to the HIPAA Privacy and Security Rules.
Policy Detail
- The implementation, execution, and maintenance of the information security Risk Analysis and Risk Management processes are the responsibility of the UW–Madison HIPAA security officer, assisted by each unit’s risk management team.
- Risk Assessment: The intent of completing a risk assessment is to determine potential threats and vulnerabilities, and the likelihood and impact should they occur. The output of this process helps to identify appropriate security controls for reducing or eliminating risk. There are a variety of methods that are suitable for HIPAA risk assessment. The following is one such method. Consistency of risk assessment methods among units and over time is helpful and encouraged.
  1. System Characterization.
     - The first step in assessing risk is to define the scope of the effort. To do this, identify where electronic protected health information is created, received, maintained, processed, or transmitted. Using information-gathering techniques, the IT system boundaries are identified, as well as the resources and the information that constitute the system. Take into consideration policies, laws, the remote workforce and telecommuters, and removable media and portable computing devices (e.g., laptops, removable media, and backup media). (To assist with these efforts, see the HIPAA Collaborative of Wisconsin “Risk Analysis & Risk Management Toolkit – Network Diagram Example and Inventory Asset List”.)
     - Output – Characterization of the IT system assessed, a good picture of the IT system environment, and delineation of system boundaries.
  2. Threat Identification.
     - In this step, potential threats are identified and documented. Consider all potential threat sources through the review of historical incidents and data from intelligence agencies, the government, etc., to help generate a list of potential threats. The list should be based on the individual organization and its processing environment. (See the HIPAA Collaborative of Wisconsin “Risk Analysis & Risk Management Toolkit – Threat Overview” for definitions and the “Threat Source List” in the Risk Assessment for examples of threat sources.)
     - Output – A threat statement containing a list of potential threat sources that could exploit system vulnerabilities.
  3. Vulnerability Identification.
     - The goal of this step is to develop a list of technical and non-technical system vulnerabilities that could be exploited or triggered by the potential threat sources. Vulnerabilities can range from incomplete or conflicting policies that govern an organization’s computer usage, to insufficient security controls to protect facilities that house computer equipment, to any number of software, hardware, or other deficiencies that comprise an organization’s computer network. (See the HIPAA Collaborative of Wisconsin “Risk Analysis & Risk Management Toolkit – Risk Assessment Template – Security Questions and Threat Source List”.)
     - Output – A list of system vulnerabilities that could be exploited by the potential threat sources.
  4. Control Analysis.
     - The goal of this step is to document and assess the effectiveness of technical and non-technical security controls that have been or will be implemented by the organization to reduce the likelihood of a threat source exploiting a system vulnerability.
     - Output – A list of current or planned security controls used for the IT system to reduce the likelihood of a vulnerability being exploited by a threat source and to reduce the impact of such an adverse event.
  5. Likelihood Determination.
     - The goal of this step is to determine the overall likelihood rating that indicates the probability that a vulnerability could be exploited by a threat source given the existing or planned security controls. (See the HIPAA Collaborative of Wisconsin “Risk Analysis & Risk Management Toolkit – Risk Likelihood, Risk Impact, and Risk Level Definitions”.)
     - Output – A likelihood rating for each threat source/vulnerability pair of low (.1), medium (.5), or high (1). Refer to the NIST SP 800-30 definitions of low, medium, and high.
  6. Impact Analysis.
     - The goal of this step is to determine the level of adverse impact that would result from a threat source successfully exploiting a vulnerability. Factors of the data and systems to consider should include the importance to the organization’s mission; sensitivity and criticality (value or importance); and associated costs that could result from the loss of confidentiality, integrity, and availability of systems and data. (See the HIPAA Collaborative of Wisconsin “Risk Analysis & Risk Management Toolkit – NIST Risk Likelihood, Risk Impact, and Risk Level Definitions”.)
     - Output – Magnitude of impact rating for each threat source/vulnerability pair of low (10), medium (50), or high (100). Refer to the NIST SP 800-30 definitions of low, medium, and high.
  7. Risk Determination.
     - This step is intended to establish a risk level. By multiplying the ratings from the likelihood determination and impact analysis, a risk level is determined. This represents the degree or level of risk to which an IT system, facility, or procedure might be exposed if a given vulnerability were exploited. The risk rating also presents actions that senior management (the mission owners) might take for each risk level. (See the HIPAA Collaborative of Wisconsin “Risk Analysis & Risk Management Toolkit – NIST Risk Likelihood, Risk Impact, and Risk Level Definitions”.)
     - Output – Risk level for each threat source/vulnerability pair of low (1-10), medium (>10-50), or high (>50-100). Refer to the NIST SP 800-30 definitions of low, medium, and high.
  8. Control Recommendations.
     - The purpose of this step is to identify security controls that could reduce the identified risks to an acceptable level. Factors to consider when developing security controls may include the effectiveness of recommended options, legislation and regulation, organizational policy, operational impact, safety, and reliability. Security control recommendations provide input to the risk mitigation process, during which the recommended technical and non-technical security controls are evaluated, prioritized, and implemented. (See the HIPAA Collaborative of Wisconsin “Risk Analysis & Risk Management Toolkit – NIST - Risk Mitigation Activities”.)
     - Output – Recommendation of security controls and alternative solutions to reduce risk.
  9. Results Documentation.
     - Results of the risk assessment are documented in an official report or briefing and provided to senior management of the unit, the UW–Madison HIPAA Privacy and Security Operations Committee, and the UW–Madison HIPAA Privacy and Security Executive Board, so they can make decisions on policy, procedure, budget, and system operational and management changes. (See the HIPAA Collaborative of Wisconsin “Risk Analysis & Risk Management Toolkit – Risk Analysis Report Template”.)
     - Output – A risk assessment report that describes the threats and vulnerabilities, measures the risk, and provides recommendations for security control implementation.
- Risk Mitigation: Risk mitigation involves prioritizing, evaluating, and implementing the appropriate risk-reducing security controls recommended from the risk assessment process to ensure the confidentiality, integrity, and availability of electronic protected health information. Determination of appropriate security controls to reduce risk is dependent upon the risk tolerance of the organization consistent with its goals and mission. There are a variety of methods that are suitable for HIPAA risk mitigation. The following is one such method. Consistency of risk mitigation methods among units and over time is helpful and encouraged.
  1. Prioritize Actions.
     - Using results from Step 7 of the Risk Assessment, sort the threat source/vulnerability pairs according to their risk levels in descending order. This establishes a prioritized list of actions that need to be taken, with the pairs at the top of the list requiring the most immediate attention and receiving top priority in allocating resources.
     - Output – Actions ranked from high to low priority.
  2. Evaluate Recommended Control Options.
     - Although possible security controls for each threat source/vulnerability pair are listed in Step 8 of the Risk Assessment, review the recommended security controls and alternative solutions for reasonableness and appropriateness. The feasibility (e.g., compatibility, user acceptance) and the effectiveness (e.g., degree of protection and level of risk reduction) of the recommended security controls should be analyzed.
     - Output – A list of the “most appropriate” security control option for each threat source/vulnerability pair.
  3. Conduct Cost-Benefit Analysis.
     - Determine the extent to which a security control is cost-effective. Compare the benefit (e.g., risk reduction) of applying a security control with its subsequent cost of application. Security controls that are not cost-effective are also identified during this step. Analyzing each security control or set of controls in this manner, and prioritizing across all security controls being considered, can greatly aid in the decision-making process.
     - Output – Documented cost-benefit analysis of either implementing or not implementing each specific security control.
  4. Select Controls.
     - Taking into account the information and results from previous steps, the unit’s mission, and other important criteria, the Risk Management Team determines the best security controls for reducing risks to the information systems and to the confidentiality, integrity, and availability of electronic protected health information. These security controls may consist of a mix of administrative, physical, and/or technical safeguards, and other technical and non-technical controls.
     - Output – Selected security controls, with rationale for selecting the controls and for not selecting other controls that were considered.
  5. Assign Responsibility.
     - Identify the individual(s) or team with the skills necessary to implement each of the specific security controls listed in the previous step, and assign their responsibilities. Also identify the equipment, training, and other resources needed for the successful implementation of security controls. Resources may include time, money, equipment, etc.
     - Output – A list of responsible persons, their assignments, and other necessary resources.
  6. Develop Safeguard Implementation Plan.
     - Develop an overall implementation plan and individual project plans needed to implement the identified security controls. The implementation plan should contain the following information:
       - Each risk or threat/vulnerability pair and risk level;
       - Prioritized actions;
       - The selected security controls for each identified risk;
       - Required resources for implementation of the controls;
       - Team member responsible for implementation of each control;
       - Start date for implementation;
       - Target date for completion of implementation; and
       - Maintenance requirements.
     - The overall implementation plan provides a broad overview of the implementation of the security controls, identifying important milestones and timeframes, resource requirements (e.g., staff and other individuals’ time, budget), interrelationships between projects, and any other relevant information. Regular status reporting on the plan, along with key metrics and success indicators, is provided to the HIPAA Privacy and Security Operations Committee, which further reports such status information to the HIPAA Privacy and Security Executive Board.
     - Individual project plans for implementation of the security controls may be developed and contain detailed steps that assigned resources carry out to meet implementation timeframes and expectations. (This is often referred to as a work breakdown structure.) Additionally, consider including items in individual project plans such as project scope, a list of deliverables, key assumptions, objectives, task completion dates, and project requirements.
     - Output – Safeguard implementation plan.
  7. Implement Selected Controls – as security controls are implemented, monitor the affected system(s) to verify that the implemented controls continue to meet expectations.
     - Continually and consistently communicate expectations to all risk management team members, as well as to senior management and the HIPAA Privacy and Security Operations Committee, throughout the risk mitigation process.
     - Additional monitoring is especially crucial during times of major environmental changes, organizational or process changes, or major facilities changes.
     - If risk reduction expectations are not met, then repeat all or a part of the risk management process so that additional controls needed to lower risk to an acceptable level can be identified.
     - Identify when new risks are found and when security controls lower or offset risk rather than eliminate it.
     - Output – Safeguard Implementation Plan project documentation, and identified residual risk levels.
  8. Residual Risk Acceptance.
     - Any residual risk remaining after other risk controls have been applied requires sign-off by the:
       - HIPAA security coordinator of the unit;
       - HIPAA privacy coordinator of the unit;
       - Senior leadership of the unit;
       - UW–Madison HIPAA security officer; and
       - UW–Madison HIPAA privacy officer.
     - Output – Risk acceptance documentation.
- Risk Management Schedule: The two principal components of the risk management process—risk assessment and risk mitigation—will be carried out according to the following schedule to ensure the continued adequacy and improvement of the unit’s information security program.
  - Scheduled Basis – an overall risk assessment of each unit’s information system infrastructure will be conducted every three years. The assessment process should be completed in a timely fashion so that risk mitigation strategies can be determined and included in the budgeting process.
  - Throughout a System’s Development Life Cycle – from the time that a need for a new information system is identified through the time it is disposed of, ongoing assessments of the potential threats to a system and its vulnerabilities should be undertaken as a part of the maintenance of the system.
  - As Needed – the HIPAA privacy coordinator of the unit, the HIPAA security coordinator of the unit, the UW–Madison HIPAA privacy officer, or the UW–Madison HIPAA security officer may call for a full or partial risk assessment in response to changes in business strategies, information technology, information sensitivity, threats, legal liabilities, or other significant factors that affect the unit’s information systems.
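The Risk Determination step of the risk assessment (likelihood rating × impact rating, bucketed into the low 1-10, medium >10-50, high >50-100 ranges quoted above) and the Prioritize Actions step of risk mitigation (sort pairs by risk level, descending) are mechanical enough to be scripted for a unit's risk register. The following is an added example written for this page; it is not code from the policy, from UW–Madison, or from the HIPAA Collaborative of Wisconsin toolkit. The `ThreatVulnPair` record, its field names, and the sample register entries are constructed for illustration; the numeric scales and range boundaries are the ones stated in the policy.

```python
"""Score and rank threat source/vulnerability pairs using the scales quoted
in the policy (NIST SP 800-30 style):
  likelihood  low = 0.1, medium = 0.5, high = 1
  impact      low = 10,  medium = 50,  high = 100
  risk level  = likelihood x impact, bucketed low (1-10), medium (>10-50),
                high (>50-100).  Note the inclusive upper bounds: a product
                of exactly 10 is still low and exactly 50 is still medium.
"""
from dataclasses import dataclass

# Rating scales as stated in the policy's Likelihood Determination and
# Impact Analysis outputs.
LIKELIHOOD = {"low": 0.1, "medium": 0.5, "high": 1.0}
IMPACT = {"low": 10, "medium": 50, "high": 100}


@dataclass(frozen=True)
class ThreatVulnPair:
    """One threat source/vulnerability pair from the register.
    Field names are hypothetical; they are not prescribed by the policy."""
    threat_source: str
    vulnerability: str
    likelihood: str  # "low" | "medium" | "high"
    impact: str      # "low" | "medium" | "high"


def risk_level(likelihood: str, impact: str) -> float:
    """Risk Assessment Step 7: multiply the two ratings.
    Rounding guards the 10/50 boundaries against floating-point noise."""
    try:
        return round(LIKELIHOOD[likelihood] * IMPACT[impact], 2)
    except KeyError as exc:
        raise ValueError(f"unknown rating {exc}; use low, medium or high") from exc


def risk_category(level: float) -> str:
    """Bucket a numeric risk level into the policy's low/medium/high ranges."""
    if not 1 <= level <= 100:
        raise ValueError(f"risk level {level} is outside the 1-100 scale")
    if level <= 10:
        return "low"
    if level <= 50:
        return "medium"
    return "high"


def prioritize(pairs):
    """Risk Mitigation Step 1: rank pairs by risk level, highest first.
    Python's sort is stable, so pairs with equal risk keep register order,
    which makes the resulting action list reproducible across runs."""
    scored = [(risk_level(p.likelihood, p.impact), p) for p in pairs]
    scored.sort(key=lambda item: item[0], reverse=True)
    return [(p, level, risk_category(level)) for level, p in scored]


# Constructed sample register (illustrative entries only).
SAMPLE_REGISTER = [
    ThreatVulnPair("Workforce member error", "No audit logging on ePHI database", "medium", "high"),
    ThreatVulnPair("Theft of portable device", "Unencrypted hard drive on a laptop that stores ePHI", "high", "high"),
    ThreatVulnPair("Power outage", "No backup power for the records server", "low", "high"),
    ThreatVulnPair("Malware", "Workstations missing vendor patches", "high", "medium"),
    ThreatVulnPair("Environmental", "Minor water leak near non-critical office equipment", "low", "low"),
    ThreatVulnPair("Vendor outage", "Single non-critical reporting tool", "high", "low"),
]


def score_sample_register():
    """Rank the constructed register; returns (pair, level, category) tuples."""
    return prioritize(SAMPLE_REGISTER)


if __name__ == "__main__":
    print(f"{'Level':>6}  {'Category':<8}  Threat source / vulnerability")
    for pair, level, category in score_sample_register():
        print(f"{level:>6}  {category:<8}  {pair.threat_source} / {pair.vulnerability}")
```

Run it to get the ranked action list; the highest-risk pair (the unencrypted laptop at 100) lands on top, the two 50-point pairs follow in register order, and the three pairs at 10 or below fall to the bottom. Swapping the constructed entries for a unit's own register, or the scale dictionaries for a different toolkit's definitions, is the only change needed to reuse it.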
Consequences for Noncompliance
Failing to comply with this policy may result in discipline for the individual(s) responsible for such noncompliance.
Further, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing the HIPAA Privacy and Security Rules, and an individual’s noncompliance may result in institutional noncompliance and/or an investigation by OCR. OCR attempts to resolve investigations by obtaining voluntary compliance and entering into corrective action plans and resolution agreements. Failure to comply with HIPAA or cooperate with OCR in an investigation may result in civil and/or criminal penalties.