Good risk assessments tend to include at least three distinct assessment components of varying complexity, followed by a good reporting system with internal and external checks and balances.
While specifically designed for the Health Insurance Portability and Accountability Act (HIPAA), this general methodology could be used for any assessment project with a compliance component. For example, this could include the Payment Card Industry (PCI) credit card rules or the Gramm–Leach–Bliley Act (GLBA) for financial institutions – with a few minor changes.
The risk assessment components include the following:
1. Stakeholder Risk Assessment Interviews- These are interviews with key stakeholders from across the organization, sometimes called risk assessment interviews. These can utilize tools such as simple spreadsheets or a formal approach such as that detailed in NIST 800-30.
2. IT Security Practices and Procedures Gap Analysis- This consists of a review or gap analysis of the practices and procedures in place within the organization, with an emphasis on identifying system dependencies and vulnerabilities. Good guidance in this area can be found in publications such as NIST 800-53 and NIST 800-66.
3. Penetration Testing or Vulnerability Assessments- This is detailed technical testing to determine the organization’s actual vulnerability to threats such as hacking, loss of protected health information (PHI) or other incidents through penetration testing.
4. Detailed and Actionable Reporting- This is a reporting process that includes multiple stages of internal and external peer review, and creates a report with prioritized recommendations that can be tracked and acted on over time.
These components vary in terms of the required level of effort and technical skill needed to perform them. To visualize this diversity, consider the following diagram:
Breadth/depth of assessment versus cost/skill
At the top of this pyramid, we have risk assessment interviews. These can be performed by virtually anyone with good organizational, social and research skills. This first layer is constrained in scope and tends to focus just on HIPAA compliance requirements without deeply examining the underlying organizational systems that support them.
In the second layer of the pyramid, the analyst will perform a review of the organization’s practices and procedures. This can be done superficially with a checklist or external standard, or in great depth by probing deeply into specific practices and procedures, as well as by identifying dependencies and unique issues that are specific to the organization. This review can help give assurance that the organization is sufficiently well managed to consistently meet regulatory needs.
At the bottom layer of the pyramid are tasks such as penetration testing, social engineering and technical reviews of security systems that can only be performed by those experienced in specific tools and technologies. While this raises the bar for the level of skill and cost to perform the assessment, it demonstrates the actual security of the organization’s security controls as a whole.
Penetration testing is particularly helpful because it can identify the organization’s greatest security and compliance problems by demonstrating that they can indeed be exploited, giving proof of this exploitation and describing how to prevent such exploitation in the future.
To learn more, see the accompanying white paper: Conducting an Efficient IT Risk Assessment to Comply with HIPAA. Also check out the video Sick Security Systems – Solved to learn more about how a hospital improved the overall health of its security controls and complied with evolving HIPAA regulations.
Have questions, comments or suggestions for future improvements, let us know in the comments.