Even after all of these years I still run into covered entities (CEs) and business associates (BAs) who have not conducted a risk analysis, haven’t conducted on for several years or only conducted what OCR calls a gap analysis.  Well, that can get you in hot water really quickly.  HIPAA requires it, MIPS requires it (if you are interested in the incentive dollars), sound security practices mandates it and doing a good job helps limit the chances you will be sued.  It’s that important.

We’ve all seen the OCR headlines where CEs and BAs have been fined and one of the reasons is still they haven’t conducted a risk analysis lately or they completed a gap analysis instead of a risk analysis.  Compliance aside you really need to know what risks your organization faces to avoid costly cyberattacks, reputational harm, potential harm to your patients and prolonged downtimes.

Recently the FBI and the Department of Homeland Security CISA warned the healthcare industry of a significant increase in ransomware   attacks targeting the industry.  That warning was renewed the week of August 30, 2021, with the two agencies warning that the industry would see a significant increase in attacks over the Labor Day Weekend.  It may be a little late to conduct a thorough risk analysis before the holiday but that doesn’t mean don’t get started now.  Whether you do it yourself or you engage a vendor to do it for you, it’s important to make this a very high priority.

What is the difference between an risk analysis and a gap analysis?  A risk analysis is a look in to the crystal ball – what’s out there that can hurt your organization and what controls have you implemented to limit the harm from threats and vulnerabilities.  A gap analysis is looking things like does your organization have the right policies implemented, are you complying with the HIPAA Security Rule, have you trained your staff and  so forth. 

You can also characterize a gap analysis as a desk audit.  The risk analysis is much more than that.  As an example, you can comply with the Security Rule but still have inadequate controls in place to protect your organization from harm.  You may have as solid information systems activity policy but are you really looking at logs?  Is your firewall adequately protecting you?  Do you regularly run simulated phishing      attacks?  Compliant doesn’t necessarily mean secure.

If you’re not really sure what goes into a risk analysis, here’s a link that demystifies what is entailed in conducting a risk analysis.  There is also a free risk analysis tool that was developed by the Office of the National Coordinator for Health Information Technology (ONC) that can be found here.  Keep in mind that the free tool was designed for small to medium healthcare provider organizations.  It’s not a one size fits all tool.  If you use the tool, you need to make sure what you input into the web based tool is accurate and answers what is being asked.  Some of the questions are technical so it’s a good idea to involve your IT team or your managed services provider (MSP).

Written by Chris Apgar, CISSP, C|CISO