In qualitative risk analysis, risk is analyzed and measured using descriptive and relative scales. Therefore, before you begin the process, you need to establish the scales of measurement for determining the likelihood and impact of a threat.
Threat Impact | Description of Impact |
---|---|
None | The threat poses no risk to HIPAA assets, people, or organizations. |
Very low | The threat poses a small risk to HIPAA assets, people, or organizations. Safeguards provide near-complete protection; it is conceivable that a threat could occur, though loss is highly unlikely. |
Low | The threat poses some risk to HIPAA assets, people, or organizations. The threat of an attack is great, but current safeguards are for the most part adequate. |
Moderate | The threat poses a moderate risk to HIPAA assets, people, or organizations. Current safeguards provide a limited amount of protection against asset loss and loss of human life. |
High | The threat poses a high risk to HIPAA assets, people, and/or organizations. The safeguards that are currently in place provide few protections. Damage to assets or human life is possible. |
Severe | The threat poses an extreme risk to HIPAA assets, people, and organizations. Current safeguards provide no protection and total destruction of assets or human life is likely. |
Table 11 is one type of scale for measuring the likelihood of threats. Your organization can create its own Likelihood of Threat table modified to fit its unique requirements. You will then need to assign one of the threat impact ratings to the risk statement and determine the likelihood of the threat.
Probability Rating | Likelihood Description |
---|---|
Low (10% or less) | There is some chance that the threat could cause loss. |
Medium (10%-50%) | There is a moderate chance that a threat could cause loss. |
High (50%-100%) | There is a high chance that a threat could cause loss. |
In qualitative risk analysis, you'll want to assess the probability or likelihood that a threat will occur and develop risk statements that describe the threat condition and the consequences of its occurrence. Some sample risk statements are contained in Table 12.
The following format is a common format for risk statements:
Impact | Description | Likelihood |
---|---|---|
Moderate | If the users of the application are not authorized employees, then security and privacy of the medical information could be compromised. | Low |
High | If a nurse gains root access to the single sign-on server, then security and privacy of all the Web services on the perimeter network will be compromised. | Low |
Low | If an unauthorized user gains root access to the online cafeteria menu, then the soup of the day could be changed. | Low |
Severe | If an unauthorized user gains access to the pharmaceutical database, then the dosage of a patient's medication could be changed. | Low |
Severe | If a member of the press gains administrator access to the domain controller, then the security and privacy of the patients' treatment records will be compromised. | Low |
Severe | If an unauthorized user gains root access to the firewall, then the security and privacy of the internal systems and networks could be compromised. | Medium |
Severe | If an unauthorized user gains root access to the database, then the patient identification records could be changed. | Medium |
You'll want to set priorities on which assets to safeguard in accordance with impact and likelihood. Risks that have both a high likelihood and a high impact are the risks that you'll want to mitigate first. Risks with a low likelihood and low impact are the risks that you'll want to mitigate last. In order to expedite the assessment, it is worth setting up a risk determination table that takes into consideration both the impact of the threat and its likelihood, such as Table 13.
Impact | Likelihood: Low (.1) | Likelihood: Medium (.5) | Likelihood: High (1.0) |
---|---|---|---|
None (0) | 0x.1=0 | 0x.5=0 | 0x1=0 |
Very low (20) | 20x.1=2 | 20x.5=10 | 20x1=20 |
Low (40) | 40x.1=4 | 40x.5=20 | 40x1=40 |
Moderate (60) | 60x.1=6 | 60x.5=30 | 60x1=60 |
High (80) | 80x.1=8 | 80x.5=40 | 80x1=80 |
Severe (100) | 100x.1=10 | 100x.5=50 | 100x1=100 |
By creating values associated with your likelihood and impact descriptions, you can more easily prioritize which risks should be mitigated in which order. Clearly the risks with the highest numerical values require the most immediate attention.
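The scoring of Table 13 applied to the sample statements of Table 12, as an added Python example (not part of the original article): it rebuilds the risk determination table from the two scales and ranks the statements into mitigation order. The statement texts are condensed from Table 12, and the likelihood factors are taken as the upper bound of each Table 11 band.

```python
from dataclasses import dataclass

# Impact weights from Table 13 and likelihood bands from Table 11 (10% = .1, 50% = .5,
# 100% = 1.0 in Table 13); integer percentages keep every product exact.
IMPACT = {"None": 0, "Very low": 20, "Low": 40, "Moderate": 60, "High": 80, "Severe": 100}
LIKELIHOOD_PCT = {"Low": 10, "Medium": 50, "High": 100}


def risk_score(impact: str, likelihood: str) -> float:
    """Risk determination value: impact weight x likelihood factor."""
    return IMPACT[impact] * LIKELIHOOD_PCT[likelihood] / 100


def risk_matrix() -> dict[str, dict[str, float]]:
    """Rebuild Table 13 as {impact: {likelihood: score}}."""
    return {i: {l: risk_score(i, l) for l in LIKELIHOOD_PCT} for i in IMPACT}


@dataclass(frozen=True)
class RiskStatement:
    """One row of Table 12: 'If <condition>, then <consequence>' plus its two ratings."""
    impact: str
    condition: str
    consequence: str
    likelihood: str

    def text(self) -> str:
        return f"If {self.condition}, then {self.consequence}."

    def score(self) -> float:
        return risk_score(self.impact, self.likelihood)


# The sample statements of Table 12, condensed.
TABLE_12 = [
    RiskStatement("Moderate", "application users are not authorized employees", "medical information could be compromised", "Low"),
    RiskStatement("High", "a nurse gains root on the single sign-on server", "all perimeter Web services will be compromised", "Low"),
    RiskStatement("Low", "an unauthorized user gains root on the cafeteria menu", "the soup of the day could be changed", "Low"),
    RiskStatement("Severe", "an unauthorized user accesses the pharmaceutical database", "a patient's medication dosage could be changed", "Low"),
    RiskStatement("Severe", "a member of the press gains domain administrator access", "patients' treatment records will be compromised", "Low"),
    RiskStatement("Severe", "an unauthorized user gains root on the firewall", "internal systems and networks could be compromised", "Medium"),
    RiskStatement("Severe", "an unauthorized user gains root on the database", "patient identification records could be changed", "Medium"),
]


def prioritize(statements: list[RiskStatement]) -> list[RiskStatement]:
    """Mitigation order: highest score first; sorted() is stable, so ties keep table order."""
    return sorted(statements, key=RiskStatement.score, reverse=True)


if __name__ == "__main__":
    for s in prioritize(TABLE_12):
        print(f"{s.score():5.1f}  {s.impact:<8} {s.likelihood:<6} {s.text()}")
```

Running it lists the two Severe/Medium statements (score 50) first and the cafeteria menu (score 4) last, matching the order Table 13 implies.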
Your final recommendations should establish a justifiable balance between the impact of the threats and the cost and trouble of implementing safeguards.