Security Risk Assessments (SRAs) can be difficult to navigate. Here are some best practices you can implement in your organization when conducting your yearly SRA.
Conduct an Organization-Wide Security Risk Assessment
One of the most common findings from the Office for Civil Rights in its breach settlements is that the breached organization did not conduct an organization-wide risk assessment. Keeping in mind that a risk assessment is simply a tool to identify all risk to the Protected Health Information at an organization, it makes sense that the SRA should cover the entire organization. Despite the temptation to cut corners and assess only the risk to the most prominent parts of the organization, you must also include the areas that are often forgotten. Otherwise, you are in danger of missing risks that could lead to a breach.
Utilize A Risk Assessment Tool To Guide Your Assessment
It is critical when conducting a risk assessment that you consider all of the potential risks to your organization. This can be very challenging, especially for devastating events that might happen only once in a lifetime (e.g. a building fire, an earthquake, or employee sabotage). The universe of risks to Protected Health Information is massive, so it is often helpful to use a guided approach in which you are presented with a catalogue of potential risks and simply determine the likelihood and impact of each. This systematic method produces a more efficient and more thorough risk assessment than starting from a blank page.
Assess For a Layered Approach
A risk assessment should not just take a superficial look and determine whether a safeguard is in place. Instead, a three-tiered approach is necessary. In the first layer, every safeguard in place should have a corresponding policy that was the catalyst for the safeguard. In the second layer, you should assess whether a documented procedure is in place that dictates how the safeguard is to be implemented. The procedure should be detailed enough that someone could implement the safeguard just by reviewing it. The third and final layer is the actual implementation of the safeguard: the risk assessment must determine whether the safeguard is implemented consistently with the policy and procedure. A gap in any one of these layers is a risk in its own right and should be noted in the risk assessment report.
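The following script is an added example, not part of the original article, showing how the guided likelihood-and-impact rating described under "Utilize A Risk Assessment Tool" and the three-layer policy/procedure/implementation check described in this section can be combined into a single risk register whose output is the list of findings for the report. The 1-5 rating scales, the score thresholds, and the sample register entries are assumptions chosen for illustration.

```python
"""Risk register for a HIPAA-style Security Risk Assessment (added example).

Each catalogue risk is rated for likelihood and impact; each safeguard that
mitigates it is checked at three layers (policy, procedure, implementation),
and every missing layer becomes a finding. Scales and thresholds are assumed.
"""
from dataclasses import dataclass, field
from typing import List

# Assumed 1-5 scales; score = likelihood * impact, so the range is 1..25.
RATING_SCALE = range(1, 6)
HIGH_RISK_THRESHOLD = 15   # assumed: score >= 15 needs immediate remediation
MEDIUM_RISK_THRESHOLD = 8  # assumed: 8..14 goes on the remediation plan


@dataclass
class Safeguard:
    """A control, assessed at the three layers the article describes."""
    name: str
    has_policy: bool        # layer 1: a written policy requires it
    has_procedure: bool     # layer 2: a documented procedure says how
    is_implemented: bool    # layer 3: it is actually in place as documented

    def missing_layers(self) -> List[str]:
        """Each absent layer is itself a finding for the report."""
        findings = []
        if not self.has_policy:
            findings.append("no policy")
        if not self.has_procedure:
            findings.append("no documented procedure")
        if not self.is_implemented:
            findings.append("not implemented as documented")
        return findings


@dataclass
class Risk:
    """One entry from a guided risk catalogue, rated by the assessor."""
    description: str
    likelihood: int
    impact: int
    safeguards: List[Safeguard] = field(default_factory=list)

    def __post_init__(self):
        # Reject ratings outside the assumed 1-5 scale at entry time.
        if self.likelihood not in RATING_SCALE or self.impact not in RATING_SCALE:
            raise ValueError(f"ratings must be 1-5: {self.description}")

    def score(self) -> int:
        return self.likelihood * self.impact

    def level(self) -> str:
        s = self.score()
        if s >= HIGH_RISK_THRESHOLD:
            return "high"
        if s >= MEDIUM_RISK_THRESHOLD:
            return "medium"
        return "low"

    def findings(self) -> List[str]:
        """Layer gaps across all safeguards, or a note if none is recorded."""
        out = []
        if not self.safeguards:
            out.append("no safeguard recorded")
        for sg in self.safeguards:
            for gap in sg.missing_layers():
                out.append(f"{sg.name}: {gap}")
        return out


def build_report(register: List[Risk]) -> List[dict]:
    """Sort by score, highest first, so the report leads with what matters."""
    rows = []
    for r in sorted(register, key=lambda x: x.score(), reverse=True):
        rows.append({"risk": r.description, "score": r.score(),
                     "level": r.level(), "findings": r.findings()})
    return rows


# Constructed sample register mixing prominent and easily forgotten areas.
SAMPLE_REGISTER = [
    Risk("Lost or stolen laptop holding ePHI", likelihood=4, impact=5, safeguards=[
        Safeguard("Full-disk encryption", True, True, False)]),
    Risk("Building fire destroys on-site server room", likelihood=1, impact=5, safeguards=[
        Safeguard("Off-site backups", True, False, True)]),
    Risk("Terminated employee retains system access", likelihood=3, impact=4, safeguards=[
        Safeguard("Access termination checklist", True, True, True)]),
    Risk("Unattended fax machine in a shared hallway", likelihood=3, impact=2),
]

if __name__ == "__main__":
    for row in build_report(SAMPLE_REGISTER):
        print(f"[{row['level']:6}] {row['score']:2}  {row['risk']}")
        for f in row["findings"]:
            print(f"          - {f}")
```

Run as a script it prints the register highest score first, with each layer gap indented under its risk. Note that the once-in-a-lifetime building fire scores low on likelihood but still surfaces a finding, because the off-site backup safeguard has no documented procedure; the layered check is what catches gaps that a likelihood-only ranking would bury.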
Conducting a risk assessment is a complex endeavor, but one that is manageable if the proper steps are taken. The most important thing to keep in mind is to assess all of the possible risks across the entire organization. Beyond that, there is great flexibility in your approach and methodology.