People tell me all the time that their management doesn’t want them to do a risk analysis, even if it’s a requirement. Sometimes they say that they have no budget to fix anything – so why bother?
Even if it’s a requirement, like new workplace violence assessments, or a federal law like the required HIPAA risk analysis, there are people who want to do it in 30 minutes in a spreadsheet, without conferring with other staff members, without bothering to do a walk-through of the facility, without management’s enthusiastic support.
Here is a list of good reasons to do a Risk Analysis for HIPAA, even if you are not sure about whether you need it or not:
1. It’s a Federal law. It’s possible that no one will know if you don’t do it, but what if you have a MassGeneral-style data breach next week?
2. It saves the organization BIG BUCKS, by doing the cost benefit analysis so the IT department can implement controls that actually increase protection AND reduce potential threats at the same time.
3. A Risk Analysis acts like a security awareness training program if you involve the entire hospital or healthcare staff. Many times they aren’t aware of the policies and procedures, and having them answer the HIPAA compliance surveys is a great no-cost refresher course.
4. You can uncover REAL vulnerabilities and fix them right away. For example, you may not know who’s taking your database home on their unencrypted laptop. You may not know that only 20% of the hospital staff took time to take the online training! This lets you IDENTIFY problems and FIX them.
5. It instantly makes the security analyst/information security officer the SMARTEST person in the room. You now understand everything about protection of medical records in your organization!
6. Regulators are getting CASH BONUSES for finding problems. Don’t let them vacation in the south of France because they found a vulnerability in your IT systems!