Using the information you collect can help you sidestep serious security problems. Regulations and tools provided by federal agencies may offer helpful guidance, but it is still easy for providers to get lost in the maze of HIPAA risk analysis. For example: the type and size of your organization factors into how you assess and identify risks, and may determine how you implement the necessary changes. Financial and staffing constraints also affect how much of your budget or workforce will go toward HIPAA Security Rule compliance planning and management.

“Most organizations, regardless of size, struggle to properly scope the environment they’re evaluating,” cautions Jen Stone, principal security analyst with Security Metrics in Orem, Utah. “Under the HIPAA Security Rule, we care most about protecting ePHI, so the scope should include anywhere ePHI is created, received, transmitted, or stored. It’s important to remember networks and systems that have the ability to communicate with the primary scope as well.”

Pinpoint Your Risks Before Analyzing

A common theme runs through many of the HHS Office for Civil Rights settlements, especially those involving data security breaches: covered entities (CEs) or their business associates (BAs) missed opportunities to address their vulnerabilities at various levels of assessment, logging, monitoring, and testing. Remember, before you can analyze your risks, you must collect the data, and that requires mechanisms for identifying threats.

“In general, most risk analysis frameworks consist of gathering information about the data and systems being evaluated, listing the threats and vulnerabilities related to them, assigning values to the likelihood and impact of a threat successfully executing against a vulnerability, and developing a prioritized list of risks based on these inputs,” Stone says.

Mapping out an action plan will help you form the risk analysis that’s best for your organization.
Moreover, outlining your objectives not only helps you improve security but also gives you an idea of the overall cost, in both money and staff time. “The analysis needs to be deep enough to provide a view into the security evaluation, direction, necessary corrections, [and] things to be watching, so that a reasonable, prioritized, actionable list of tasks can be created,” explains Jim Sheldon-Dean at Lewis Creek Systems in Charlotte, Vermont.

Sheldon-Dean maintains that a good risk analysis provides a picture of these elements: “a) the strength of security controls versus the threats; b) the overall direction and momentum in improvements to security; c) what should be done to improve security or correct deficiencies; and d) an indication of what needs to be monitored and reviewed on a regular basis to ensure continued and improving security.” He adds, “The issues should be sorted into a kind of a ‘fix this now,’ ‘fix this when you reasonably can,’ and ‘keep your eye on this’ set of priorities.”

Critical: Evaluating your organization’s data security and keeping up with risk analysis is just the first step. Using the information to improve data security and implement policies that safeguard ePHI is the essential next step, Stone says. “Unfortunately, there are organizations that perform risk analyses but fail to put measures in place to address risk. Even though it can seem overwhelming, organizations should not just have a plan to mitigate risk, they also need to work the plan,” she warns.
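The two ideas quoted above, scoping to every system that handles ePHI plus anything that can communicate with it, and turning likelihood and impact into a prioritized "fix now / fix when you can / watch" list, can be made concrete in a small script. The following is an added example written for this article; it is not code from the article's authors or from the analysts it quotes. The system inventory, connectivity map, threat/vulnerability pairs, 1-to-5 scales and the bucket cut-offs are all constructed and hypothetical.

```python
"""Scope an ePHI environment, then build a prioritized risk list.

Added example for this article, not the authors' or any quoted firm's code.
The inventory, connectivity, threats and scores are constructed and hypothetical.
"""
from dataclasses import dataclass


# Constructed inventory. "ephi" marks systems that create, receive, transmit
# or store ePHI; "talks_to" lists the systems each one can communicate with.
SYSTEMS = {
    "ehr-db": {"ephi": True, "talks_to": {"ehr-app"}},
    "ehr-app": {"ephi": True, "talks_to": {"ehr-db", "clinic-wifi", "billing"}},
    "billing": {"ephi": True, "talks_to": {"ehr-app", "clearinghouse-vpn"}},
    "clearinghouse-vpn": {"ephi": False, "talks_to": {"billing"}},
    "clinic-wifi": {"ephi": False, "talks_to": {"ehr-app", "guest-wifi"}},
    "guest-wifi": {"ephi": False, "talks_to": {"clinic-wifi"}},
    "marketing-site": {"ephi": False, "talks_to": set()},
}


def scope(systems):
    """Split systems into primary scope (handles ePHI), connected scope (can
    communicate with a primary system in either direction) and out of scope.
    A link in either direction is a possible path for ePHI or for an attacker,
    so both directions are checked."""
    primary = {name for name, s in systems.items() if s["ephi"]}
    connected = set()
    for name, s in systems.items():
        if name in primary:
            continue
        reaches_primary = bool(s["talks_to"] & primary)
        reached_by_primary = any(name in systems[p]["talks_to"] for p in primary)
        if reaches_primary or reached_by_primary:
            connected.add(name)
    out = set(systems) - primary - connected
    return {
        "primary": sorted(primary),
        "connected": sorted(connected),
        "out_of_scope": sorted(out),
    }


def in_scope(systems):
    """Names of every system the risk analysis must cover."""
    s = scope(systems)
    return set(s["primary"]) | set(s["connected"])


@dataclass(frozen=True)
class Risk:
    system: str
    threat: str
    vulnerability: str
    likelihood: int  # 1 (rare) .. 5 (expected); assumed scale
    impact: int      # 1 (negligible) .. 5 (severe); assumed scale

    def __post_init__(self):
        for v in (self.likelihood, self.impact):
            if not 1 <= v <= 5:
                raise ValueError("likelihood and impact must be 1..5")

    @property
    def score(self) -> int:
        return self.likelihood * self.impact


def triage(score: int) -> str:
    """Map a score onto the three buckets Sheldon-Dean describes.
    The cut-offs (15 and 8 on a 25-point scale) are assumed, not from the article."""
    if score >= 15:
        return "fix this now"
    if score >= 8:
        return "fix this when you reasonably can"
    return "keep your eye on this"


def prioritize(risks, scoped):
    """Drop risks on out-of-scope systems, then rank the rest by score (high first)."""
    kept = [r for r in risks if r.system in scoped]
    ranked = sorted(kept, key=lambda r: (-r.score, r.system))
    return [(r.system, r.threat, r.score, triage(r.score)) for r in ranked]


# Constructed threat/vulnerability pairs for the inventory above.
RISKS = [
    Risk("ehr-db", "ransomware encrypts patient records", "backups never restore-tested", 4, 5),
    Risk("billing", "phishing of billing staff", "no MFA on remote access", 4, 4),
    Risk("clinic-wifi", "rogue device joins staff SSID", "shared pre-shared key, never rotated", 3, 4),
    Risk("clearinghouse-vpn", "eavesdropping on claims traffic", "legacy cipher suites enabled", 2, 4),
    Risk("ehr-app", "undetected misuse of records", "application audit logging disabled", 3, 2),
    Risk("marketing-site", "defacement", "outdated CMS", 4, 2),  # out of scope: no ePHI, no path
]

if __name__ == "__main__":
    print(scope(SYSTEMS))
    for row in prioritize(RISKS, in_scope(SYSTEMS)):
        print(row)
```

Two design points worth noting. The connected-scope check treats a link in either direction as in scope, which is the conservative reading of Stone's "ability to communicate"; a stricter program might also follow links transitively (guest-wifi would then enter scope through clinic-wifi). And `prioritize` silently drops out-of-scope risks to keep the list actionable; if your register is also your evidence trail, return the dropped items separately so the decision to exclude them is recorded rather than lost.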