10.2 GOALS OF RISK ANALYSIS

The goal of risk analysis is to inventory the risks to the medical records covered by the HIPAA privacy regulation, identify the threats to those records and to the systems they reside on, identify the vulnerabilities of the systems that store and manipulate them, and determine safeguards for mitigating the risks. Your risk analysis process should assemble facts, organize them appropriately, and present findings in the form of a final risk assessment report. The report should state the rationale for accepting or rejecting each risk, and include the recommended controls to mitigate the risks that are not accepted.

Since HIPAA is a privacy law, the goal is to keep certain types of information private. At most organizations that house medical records, a great deal of that information is likely already kept private. However, to find out which information already has privacy safeguards in place, it is necessary to survey that information, ascertain who has access to it, and determine whether the current level of access complies with the HIPAA regulations. Where there are exposures, the specifics of each vulnerability (which system, which data, who can reach it, and how) should be documented so there is a clear understanding of which pieces of the entire system require further safeguards.

Once the analysis is complete, each risk has three possible dispositions: accept the risk, mitigate the risk, or transfer the risk. Accepting the risk means that your organization acknowledges the risk and decides that it is one it can live with. Risks that have a low likelihood of occurring and a low impact if they did occur are good candidates for acceptance; the acceptance decision and its rationale should be recorded in the report. A decision to mitigate is made for risks that have a high impact, a high likelihood of occurrence, or both. When you mitigate a risk, you apply safeguards (sometimes referred to as countermeasures) to decrease the likelihood that it will occur, the impact if it does, or both. When you transfer a risk, you decide that you will accept the possibility of a loss and compensate for its cost, if one occurs, usually by purchasing insurance.

HIPAA Security Implementation, Version 1.0
ISBN: 974372722
Year: 2003
Pages: 181