Vital Sounds 2022, Quarter 3

Evaluate Your Risk with Guidance from Beazley

August 1, 2022

The HIPAA Security Rule requires that covered entities and business associates engage in a foundational risk analysis exercise to determine where their electronic protected health information is created, received, maintained, and transmitted throughout their enterprises. While the HIPAA Security Rule refers to this exercise as a “risk analysis,” NIST and others in the security industry refer to it as a “risk assessment.” The NIST Guide for Conducting Risk Assessments (NIST Special Publication 800-30 Rev. 1) provides a useful, structured methodology to undertake this important work. While SP 800-30 goes into great detail, the following guidance summarizes the critical tasks covered entities should undertake under the framework provided by SP 800-30.

Effective risk assessment requires an organization to complete the following tasks:

  1. Identify PHI
  2. Identify threat sources
  3. Identify potential threat events
  4. Identify vulnerabilities and predisposing conditions
  5. Determine likelihood
  6. Determine impact

Full Article

The full article with detailed information on each step of an effective risk assessment can be found on the Breach Solutions website. KAMMCO partners with Beazley to provide KAMMCO members with cyber coverage and cyber risk management. The Breach Solutions page is an invaluable resource for insureds to discover how to protect themselves against cyber risks.

Insureds can register for the Breach Solutions website by following the instructions on KAMMCO’s Cyber Risk Management Resources page.

The views, opinions, and advice provided and expressed in this document are solely those of the author(s) and do not necessarily represent the views or opinions of Beazley USA Services. Beazley USA Services, a member of Beazley Group, provides Claims handling and breach response services. Beazley USA Services does not underwrite KAMMCO’s insurance. Policies purchased through KAMMCO are subject to KAMMCO’s underwriting processes.