Risk Analysis vs. Gap Analysis

The government, as well as other stakeholders and interested parties, has emphasized the importance of following the laws and regulations on cyber security. With the ever-growing number of cyber security threats, these regulations have become imperative.

HIPAA Risk Analysis

All organizations, both large and small, must ensure they take the necessary steps to prevent cybercrime, reduce its risk, and mitigate its effects. The terms ‘risk analysis’ and ‘gap analysis’ are used often when considering the appropriate steps to take to ensure cyber security. An analysis of the definition and impact of these terms is therefore important to understand their difference and applicability.

Definitions

It is currently a legal requirement, pursuant to the Health Insurance Portability and Accountability Act (HIPAA) and the accompanying Privacy, Security, and Breach Notification Rules, that covered entities and their business associates protect electronic health information. These institutions are required to put in place appropriate measures to ensure the security of this information.

Risk analysis, as the name suggests, consists of the steps taken to analyze the risks that an organization or an industry faces. In terms of cyber security, risk analysis is composed of researching and discovering the risks associated with a particular organization or industry, for instance, manufacturing firms. After discovering the specific risks, the person conducting the analysis looks at the level of exposure. In this regard, the person examines the likelihood of each specific risk affecting the organization and ranks them from the most serious threat to the least serious. The aim of risk analysis in this regard is to make users aware of the greatest risks they face. The ultimate goal of risk analysis is to empower organizations at risk to protect themselves from cyber theft, with the goal of reducing risks to a reasonable and appropriate level.

Gap analysis, on the other hand, takes place mostly after risk analysis has been conducted. The aim of gap analysis is to determine the level of preparedness and protection that an organization has in place. This information is then analyzed so as to reveal whether adequate steps have been taken to completely protect the organization from cyber-crime. Gap analysis is thus geared towards discovering the shortfalls of the procedures in place. This gives the organization a picture of where it stands in terms of best practices. It can then take steps to adopt better procedures.

Requirements for risk analysis

Risk analysis, while required by the rules, does not have to be conducted using any specific method. This means that those affected are at liberty to choose whatever techniques they deem appropriate. Whatever the method, risk analysis must consider all the potential dangers that electronic protected health information (ePHI) might be exposed to.

Entities are required to identify all the locations and information systems where the data to be protected is created, received, maintained, and transmitted. This list takes into consideration mobile devices, electronic media, and communications equipment. The risk analysis is also required to identify and document potential threats and vulnerabilities.

The next step in the risk analysis is to assess the current security measures that have been put in place by the organization. In so doing, the firm is required to document how effective its current controls are. This is to be followed by an assessment of the current risks facing the firm or organization. This will enable the entity to gauge which risk is greatest and to what extent the entity is protected against it. The firm conducting the risk analysis should then document these findings. This provision is not a requirement under the security rules. However, for future reference, it is important that the information obtained from the risk analysis be documented. Finally, the entity should ensure that it conducts frequent periodic reviews and updates.

Conducting gap analysis

Gap analysis is not a requirement under the HIPAA rules. Entities, however, are advised to conduct periodic gap analysis as a follow-up to the risk analysis or at the same time as the risk analysis. Gap analysis, if well conducted, enables the entity to discover the extent to which the protective measures it has undertaken are effective. Having explained the difference between gap analysis and risk analysis, it is important to note that while gap analysis is critical for proper protection, conducting a gap analysis does not satisfy all requirements under the security rules. Organizations are required to conduct a risk analysis, but a gap analysis can provide helpful additional information.
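The two procedures described above, the risk analysis steps (inventory of where ePHI lives, threats, likelihood, ranking) and the follow-on gap analysis (required safeguards versus those actually in place), as one added example in Python. This is illustrative code written for this article, not from any HIPAA tool or guidance; the assets, threats, controls and the 1..5 likelihood and impact scales are constructed sample data.

```python
"""Minimal risk register: risk analysis ranks threats to ePHI by
likelihood x impact; gap analysis then reports which required safeguards
are missing. All data below is constructed for illustration."""
from dataclasses import dataclass, field


@dataclass
class Risk:
    asset: str               # where ePHI is created, received, stored or sent
    threat: str
    likelihood: int          # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int              # 1 (negligible) .. 5 (severe), assumed scale
    required_controls: tuple  # safeguards that would reduce this risk
    score: int = field(init=False)

    def __post_init__(self):
        if not (1 <= self.likelihood <= 5 and 1 <= self.impact <= 5):
            raise ValueError("likelihood and impact must be in 1..5")
        self.score = self.likelihood * self.impact


def rank_risks(risks):
    """Risk analysis: order from most to least serious (ties by asset name)."""
    return sorted(risks, key=lambda r: (-r.score, r.asset))


def gap_analysis(risks, controls_in_place):
    """Gap analysis: map 'asset:threat' to the required controls not yet in place.
    Risks whose controls are all implemented are omitted from the result."""
    in_place = set(controls_in_place)
    gaps = {}
    for r in risks:
        missing = sorted(set(r.required_controls) - in_place)
        if missing:
            gaps[f"{r.asset}:{r.threat}"] = missing
    return gaps


# Constructed sample inventory of ePHI systems and threats (not real data).
SAMPLE_RISKS = [
    Risk("laptop-fleet", "lost or stolen device", 4, 5, ("full-disk encryption", "remote wipe")),
    Risk("ehr-database", "unauthorized access by former staff", 3, 5, ("access review", "unique user IDs")),
    Risk("backup-tapes", "media disposal without wiping", 2, 4, ("media sanitization",)),
    Risk("email-gateway", "ePHI sent unencrypted", 3, 3, ("transmission encryption",)),
]
# Constructed list of safeguards the organization currently has in place.
SAMPLE_CONTROLS = {"full-disk encryption", "unique user IDs", "media sanitization"}

if __name__ == "__main__":
    for r in rank_risks(SAMPLE_RISKS):
        print(f"{r.score:>2}  {r.asset:<14} {r.threat}")
    for key, missing in gap_analysis(SAMPLE_RISKS, SAMPLE_CONTROLS).items():
        print(f"GAP {key}: missing {', '.join(missing)}")
```

The ranked register is the risk analysis record the rules ask entities to document and revisit periodically; the gap output is the shortfall list that gap analysis is meant to surface.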

Final thoughts

In this day and age, an organization can’t be too careful with its data, especially one that holds sensitive health information about patients. The new laws include serious penalties for those who are not careful enough. In addition, patient confidence can be diminished when an organization is careless in handling health records.