
7 Crucial Steps to a Comprehensive SRA – Ep 462 

 June 14, 2024

By  Donna Grindle

Join us as we debunk some common myths about what a Security Risk Analysis isn’t and then cruise through the seven essential steps to conduct a complete and thorough SRA for any organization. It’s not just a one-off IT review or a checkbox on compliance forms; it’s an ongoing, dynamic process. From identifying what you need to protect to managing how you protect it, each step builds on the last to fortify your defense against the digital wild west.



Today’s Episode is brought to you by:

Kardon

and

HIPAA for MSPs with Security First IT


Thanks to our donors. We appreciate your support!

If you would like to donate to the cause you can do that at HelpMeWithHIPAA.com


HIPAA Briefs

[01:52] OCR updates Change Healthcare FAQ to include info on breach notifications:

  • Covered entities affected by the Change Healthcare breach may delegate to Change Healthcare the tasks of providing the required HIPAA breach notifications on their behalf.
  • Only one entity – which could be the covered entity itself or Change Healthcare – needs to complete breach notifications to affected individuals, HHS, and where applicable the media.
  • If covered entities work with Change Healthcare to perform the required breach notifications in a manner consistent with the HITECH Act and HIPAA Breach Notification Rule, they would not have additional HIPAA breach notification obligations.

We haven’t even been given the details of just how many millions of people were involved in the data extraction. The good news is that at least they can’t do what some vendors expect to do: claim “it is not my responsibility, all I have to do is tell you what happened and which patients were involved.”

HIPAA Say What!?!

[04:55] Check your BAAs folks – even with the big guys. If that is an option for the vendors, make the argument now with this situation as the reason. If you have them sign your own BAA make sure it requires them to pay all the costs of notification if it is their fault or the fault of one of their vendors.

HIPAA says you can put any additional requirements in your BAA that you can negotiate with the vendor. Don’t let them tell you they get 60 days to tell you, nor that they get to just pass notification requirements on to you. Put it in the contract that they are responsible for all costs associated with notifications if a breach occurs at their site or with any of their vendors.

Quick follow up

[07:56] We just said this was a bad idea….

This Hacker Tool Extracts All the Data Collected by Windows’ New Recall AI | WIRED

7 Crucial Steps to a Comprehensive SRA

[09:59] We’ve mentioned several times that OCR has said they have started an SRA enforcement initiative. We also know this has always been the number one thing everyone does wrong when there have been enforcement actions over the years. Today, we are doing a refresh of the topic we have covered many times before: How to do a comprehensive SRA. A Security Risk Analysis and Assessment is an analysis of the security risks you face and an assessment of how you plan on managing those risks.

What an SRA is NOT

First a quick list of what is NOT an SRA. For all of those who think they have done these for years and know what they are, make sure you review this part before tuning us out!

I asked ChatGPT which term is the proper one to use when discussing this issue because I always waffle back and forth between misconceptions and misperceptions. It was very helpful in explaining the difference but the problem is in this case both apply. It does recommend the use of misconception, though.

Misconception refers to a view or opinion that is incorrect because it is based on faulty thinking or understanding. This term aptly describes the situation where people incorrectly believe that a gap analysis is the same as a security risk analysis.

Misperception, on the other hand, refers to an incorrect understanding or interpretation of a particular situation or thing. While it is related, “misconception” is more appropriate for highlighting a widespread incorrect belief or understanding.

It may be a misconception but many of these issues have been so prevalent over the years I think it could also be called a misperception.

  1. An SRA is not just a paperwork exercise. Many people approach it as if it’s nothing more than paperwork. It is not. Documentation is crucial, but the objective is not just to complete “paperwork.” Until you move past this misconception, you will not be successful in performing a true SRA. Documentation is just one component of your SRA.
  2. An SRA is not a review of the HIPAA security rule requirements. That’s a gap analysis, which is different from a security risk analysis. While addressing non-compliance is essential, it’s just one of the many business risks. The OCR clarified this years ago (April 2018 OCR Cybersecurity Newsletter), yet we still see well-documented gap analyses and IT scans presented as SRAs. A gap analysis can definitely be a component of your SRA but not the entirety.
  3. An SRA is not just generating some IT reports and scans. A comprehensive SRA cannot rely solely on automated tools. It must consider factors like human error, physical security, and third-party risks. Many crucial elements, such as technology assets, may not appear on IT scans but are still vital. These should all be components of your SRA.
  4. An SRA is not something you do once every 2 or 3 years. It’s outdated to think an SRA can be done every three years, or even every two years, and still be sufficient. The threat landscape evolves rapidly, and regular assessments are necessary. Past reports should inform your current SRA but are not sufficient on their own.
  5. An SRA is not something you do and put it “on the shelf” until next time. Your findings and the associated risk management plan should be reviewed consistently, ideally monthly, but at least quarterly. These ongoing reviews should also be components of your SRA, ensuring continuous improvement and adaptation.

What is an SRA

[25:55] The Kardon expression, “privacy and security is not a project you complete, it is a chronic condition you treat,” gives us an easy analogy. We can compare your SRA to your annual physical with your doctor. You do a complete patient history review plus check all the systems and the threats to those systems. Just like an annual physical isn’t supposed to just check your ears, your SRA should be checking everything too.

An SRA is an annual check-up of your business information’s security. Just remember your business is a person who needs to protect itself from a constant barrage of potential threats to its wellbeing. Bombs are going off in the distance while cars are racing by and debris is swirling around. Every little nick or cut can be an opening for a nasty bacterium to take hold. Oh, and don’t forget there are thousands of possibilities hidden deep inside: a tumor could be developing or one of the systems may not be performing properly.

1 – Define what’s important (Scope)

First, you decide what you are going to include in your SRA by asking what important information you need to protect. If you are focused only on HIPAA then that is PHI, but you really should consider everything like your financials, payroll, proprietary information like we call our “secret sauce”. If you are doing it, why not consider all of it, right?

2 – Gather details (Data Collection)

Next you gather all the details you can about where that information lives and moves into, around and out of your organization. As HIPAA says you need to know where it is created, received, maintained and transmitted.

A complete inventory of all the systems and applications that could have any impact at all on the confidentiality, integrity or availability of your information is the only way you can make sure you are actually protecting it. Look for that stuff everywhere. Check inside the ears, the nose and, well, you know where else you get checked in an annual physical. Everywhere they can look, they should look to see what is going on, and even take blood samples to run additional tests.

You will need to ask others to supply information. Document all the people who contributed information. You will reference this for years in the future and need to know where things were coming from.

3 – Identify potential problems (Threats and Vulnerabilities)

[42:34] Now, you consider what could go wrong. This is your list of threats and vulnerabilities. This step is like brainstorming all the things that could harm your home: fire, theft, natural disasters, or even a leaky roof could pose a threat. For your business, this means thinking about everything from natural disasters to human errors, cyberattacks, and technical failures. Anything that could impact the confidentiality, integrity or availability of your information must be considered. Anything you skip could be the thing that causes a life-threatening infection.

4 – Assess the risks you face (Define your risk)

Once you have identified all your possible problems, ask yourself: of all of those things I have considered, which ones am I going to worry about? Ask how bad it would be if this really did happen. Then, ask what the likelihood is that it will actually happen. This is very important: do not assume best-case scenarios; assume the worst.

At this point you should have a good understanding of the risks you face and how serious some of them are versus others. It is easy to see that an earthquake could be catastrophic, but here in GA we consider there to be a negligible chance of anything more than the occasional tremor. Our risk would be low, and therefore it is something we will decide we are willing to just accept.

Document your decisions here for future reference. Remember, you will need to recall anything that isn’t documented, and no one can recall that much detail for the next 6 years.

5 – Plan your response to the risk (Assessment)

When you have evaluated all the risks and determined the ones you should worry about, next you ask yourself how you plan on handling each one. You have a few options:

  • Control the Risk: Implement measures within your business using people, processes and technology.
  • Transfer the Risk: Use third parties, like hiring a security company to monitor your home.
  • Avoid the Risk: Change how you operate to eliminate the risk. For example, if you don’t want a tree falling on your house, you might choose a property without tall trees nearby.

Document your decisions here too. Why do you think something is being avoided or accepted, or can be transferred? Also, don’t think you transfer your responsibility when you transfer risk. All you are doing is transferring the risk management.

6 – Evaluate your plan (Assessment)

[52:33] At this point you have done an analysis of the risk and determined what you plan to do about it. Now you evaluate how you are doing with that plan. This is where a gap analysis comes into play. You are supposed to be doing all those healthy things like watching what you eat, exercising, drinking plenty of water, sleeping, etc. How many “gaps” are in those plans?

Consider these questions when evaluating how you are doing.

  • Do you have clear written contracts with your vendors so that you can be sure you have outsourced the risks you intended to outsource?
  • Do you have documented policies and procedures that solve two problems: ensuring what you intend to be done is done consistently the way you intend, and proving for compliance that you are doing those things?
  • Have you trained everyone to know how to work with the vendors and follow the policies and procedures? If not, they will make it up on their own, so all the other work may be for naught.
  • If this risk does actually impact you, do you have a plan that makes sure everyone will know how to handle it?

If you document those considerations you will be able to determine your residual risk. How well are you mitigating the risks you should be worried about?

7 – Build your list for improvements (Risk Management Plan)

Finally, you have everything you need to write up your risk management plan. That would be the same as your treatment plan. These are the things you need to do to maintain healthy systems for information security.

This is the part that will get the regular reviews and updates throughout the year. You should prioritize these plans and set projected completion dates. Then, each review should document progress and update them accordingly.
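To make steps 4 through 7 concrete, here is a small risk register added as an illustration; it is not code from the episode or from the Kardon, OCR or NIST materials. The 1-3 scales, the “likelihood × impact” score and the rule that each closed step-6 gap removes one likelihood point are this example’s own assumptions, and the register entries are constructed sample data, not real findings.

```python
from dataclasses import dataclass, field

# Ordinal scales. The 1-3 scale, "risk = likelihood x impact" and "each closed
# gap removes one likelihood point" are this example's assumptions; the episode
# and the OCR/NIST guidance it cites do not prescribe a formula.
LOW, MODERATE, HIGH = 1, 2, 3
# The four step-6 questions, used here as the gap checklist for every risk.
GAP_CHECKS = ("vendor contract", "policies and procedures", "training", "incident plan")

@dataclass
class Risk:
    asset: str        # steps 1/2: what is in scope and where it lives
    threat: str       # step 3: what could go wrong
    likelihood: int   # step 4: assume the worst case, not the best
    impact: int       # step 4: effect on confidentiality, integrity or availability
    treatment: str    # step 5: "control", "transfer", "avoid" or "accept"
    gaps_closed: dict = field(default_factory=dict)  # step 6: GAP_CHECKS done so far
    due: str = ""     # step 7: projected completion date for the open items

    def inherent(self) -> int:
        return self.likelihood * self.impact

    def residual(self) -> int:
        if self.treatment == "avoid":
            return 0                         # the risky activity no longer exists
        if self.treatment == "accept":
            return self.inherent()           # nothing is being done about it
        closed = sum(1 for c in GAP_CHECKS if self.gaps_closed.get(c))
        return max(1, self.likelihood - closed) * self.impact

def management_plan(register):
    """Step 7: open work items, highest residual risk first."""
    items = []
    for r in register:
        open_gaps = [c for c in GAP_CHECKS if not r.gaps_closed.get(c)]
        if r.treatment in ("control", "transfer") and open_gaps:
            items.append((r.residual(), r.asset, r.threat, open_gaps, r.due))
    return sorted(items, key=lambda i: i[0], reverse=True)

# Constructed sample register (not real findings).
REGISTER = [
    Risk("PHI in the EHR", "ransomware via phishing", HIGH, HIGH, "control",
         {"vendor contract": True, "policies and procedures": True}, "2024-09-30"),
    Risk("claims data at the clearinghouse", "breach at the vendor", MODERATE, HIGH, "transfer",
         {"policies and procedures": True, "training": True, "incident plan": True}, "2024-07-31"),
    Risk("on-site servers", "earthquake", LOW, HIGH, "accept"),
    Risk("payroll file on USB drives", "lost drive", MODERATE, MODERATE, "avoid"),
]

if __name__ == "__main__":
    for r in REGISTER:
        print(f"{r.asset:35} {r.threat:25} inherent={r.inherent()} residual={r.residual()}")
    for item in management_plan(REGISTER):
        print("TODO", item)
```

The plan output lists only the items still needing work, so the ransomware entry shows its missing training and incident plan while the accepted earthquake risk and the avoided USB risk stay documented in the register but off the to-do list.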

What are the elements included in a proper SRA report

OCR explains this clearly and it is even included in the NIST Security Rule guide. We have always referenced both of those resources in doing our SRAs. So, if you look at the reports you have from before you should see all of these elements. You should also make sure that any vendor who is doing one for you will produce a report with all of these elements explained.

Guidance on Risk Analysis | HHS.gov

SP 800-66 Rev. 2, Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule: A Cybersecurity Resource Guide

If you document all the things we included above, you have the report. Include everything you gathered and all of your findings.

Finally, add an Executive Summary or cover page that includes an overview of the process and its findings. It should clearly state how the business looks at risk and how well those plans are working out.

And that’s a wrap on our deep dive into Security Risk Analysis! Remember, safeguarding your organization’s digital health is an ongoing journey, not a one-and-done project. Shift your focus from just ticking boxes to truly embracing a culture of privacy and security. Your first complete and thorough SRA will not be easy; it’ll be exhausting. But each time after, it should be less exhausting.

Remember to follow us and share us on your favorite social media site. Rate us on your podcasting apps, we need your help to keep spreading the word. As always, send in your questions and ideas!

HIPAA is not about compliance, it’s about patient care.™

Special thanks to our sponsors Security First IT and Kardon.
