Understanding risk mitigation strategy

According to the HHS Security Series on Risk Analysis and Management, “The required implementation specification at § 164.308(a)(1)(ii)(A), for Risk Analysis, requires a covered entity to '[c]onduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity…”

Risk mitigation in healthcare forms part of the risk analysis used to secure electronic protected health information (ePHI) from unauthorized access, alteration, or destruction. The Security Rule provides the framework for implementing risk analyses, requiring that potential risks be identified and mitigated appropriately.

What are control options?

Control options are the methods or actions used to reduce or manage risks to systems or data. These options, which are aligned with the HIPAA Security Rule safeguards, are designed for the security of ePHI based on the degree of risk assessed in the risk analysis, The control options include: 

• Technical: The tools or software like firewalls, encryption, or access controls that help secure systems. 
• Administrative: These policies, procedures, and training programs guide employees in how to handle ePHI. 
• Physical: These involve physical barriers like locked doors or security cameras to prevent unauthorized people from accessing systems or areas where data is stored. 
  
  

Differentiating between risk levels

Risk levels assess the likelihood of various threats impacting an organization's data. These levels are based on the necessary efforts to avoid the risk effectively. The risk categories fall into several tiers ranging from low to high-risk threats. High-level threats would indicate the potential for consequential damage causing the highest degree of harm. 

How risk mitigation is implemented

There are four action points recommended by NIST SP 800-30, or points during which organizations are required to take steps towards mitigating risk, namely: 

• When a vulnerability exists 
• When a vulnerability can be exercised
• When the attackers cost less than the potential gain
• When the potential loss is too great

When one of these events occurs the report provides the following steps toward risk mitigation: 

• Action is prioritized based on risk levels from the risk assessment report, focusing on the highest risks first. 
• Control options are evaluated to determine which are feasible and effective for mitigating risks. 
• A cost-benefit analysis is conducted to determine the most effective controls to reduce risk. 
• Controls are selected which combine technical, administrative, and physical safeguards to ensure adequate security. 
• Assign responsibility to individuals with the necessary expertise to implement the selected controls. 
• Safeguards are developed that include prioritized actions, resources, and timelines for implementation. 
  
  

FAQs

How often should a healthcare organization perform risk assessments? 

Typically once a year is adequate unless significant changes occur. 

What is risk aversion? 

Risk aversion is the tendency to avoid taking risks, especially when it comes to negative outcomes. An example of this in healthcare could be employing HIPAA compliant email platforms like Paubox despite never having experienced an email breach.

What are the consequences of minimally adverse risk behaviors?

Minimally adverse behavior might not immediately cause major damage but can cause negative outcomes to accumulate over time until large-scale effects are felt.