There are literally hundreds of thousands, if not millions, of security threats ("Threats") in the wild. If you think this statement is hyperbolic, then simply poke around IBM X-Force's site for a while and judge for yourself. What does this have to do with a HIPAA Risk Assessment? Well, ah, everything. No organization, no matter how large, is capable of dealing effectively with this many Threats. The sheer magnitude of the problem is enough to cause analysis paralysis for the uninitiated.
Fortunately, we are not required to deal with the problem discretely at this scale. NIST's de facto Risk Assessment standard (NIST SP800-30 Rev.1 or "Standard") points to a possible (we think only) solution to the problem, and that is Threat Aggregation in the form of Risk Aggregation. The NIST Standard introduces Risk Aggregation as follows:
Organizations may use risk aggregation to roll up several discrete or lower-level risks into a more general or higher-level risk. Organizations may also use risk aggregation to efficiently manage the scope and scale of risk assessments involving multiple information systems and multiple mission/business processes with specified relationships and dependencies among those systems and processes.
OK, but what does this have to do with Threat Aggregation? The NIST Standard defines a Risk (R) as a function of a Threat/Vulnerability ("T/V") pair (which must be unique) times (as in multiplication) the Impact (I) to your organization should this T actually exploit its corresponding V. The semantic meaning of a Risk encompasses a unique T/V pair. Here's where the Threat Aggregation can help.
Let's assume that we aggregate the hundreds of thousands of threat vectors that could potentially penetrate your network into a Threat that we will call "Social Engineering or Intrusion." At some level of abstraction (i.e. from a remediation perspective) we are more concerned that the bad guys are "now in our network" than with exactly how they got in. Ultimately, we will have to deal with the how, but for now we know that there is a complete set of mission-critical controls that apply simply because they got in. These are foundational controls ("Controls"). There are a number of Security Rule Controls (i.e. implementation specifications) implicated simply by the fact that the "bad guys" are now in.
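As an added illustration (not code from the original post), the roll-up described above can be expressed as a small risk register: discrete T/V pairs are checked for uniqueness, grouped under the higher-level Threat they belong to, and scored. The 0-10 likelihood and impact scales, the rule R = likelihood × impact, and the sample entries are assumptions constructed for the example.

```python
# Added example (not from the original post): roll discrete T/V risks up
# into higher-level aggregated risks, NIST SP 800-30 style. Assumed scales:
# likelihood and impact are 0-10 and R = likelihood * impact.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DiscreteRisk:
    threat: str          # specific threat vector (e.g. one phishing lure)
    vulnerability: str   # the weakness that vector exploits
    aggregate: str       # higher-level Threat it rolls up into
    likelihood: int      # 0-10, assumed scale
    impact: int          # 0-10, assumed scale

    def score(self) -> int:
        return self.likelihood * self.impact

def check_unique_pairs(risks):
    """Each T/V pair must be unique per the Standard; reject duplicates."""
    seen = set()
    for r in risks:
        pair = (r.threat, r.vulnerability)
        if pair in seen:
            raise ValueError(f"duplicate T/V pair: {pair}")
        seen.add(pair)

def aggregate_risks(risks):
    """Return {aggregate_threat: (rolled-up score, sorted contributing T/V pairs)}.

    The rolled-up score is the worst discrete score in the group: summing
    would double-count the shared impact ("the bad guys are now in").
    """
    check_unique_pairs(risks)
    groups = defaultdict(list)
    for r in risks:
        groups[r.aggregate].append(r)
    return {name: (max(r.score() for r in members),
                   sorted((r.threat, r.vulnerability) for r in members))
            for name, members in groups.items()}

# Constructed sample register: three entry vectors that roll up into one
# aggregated Threat, plus an unrelated risk that stays on its own.
SAMPLE_REGISTER = [
    DiscreteRisk("phishing email", "untrained staff", "Social Engineering or Intrusion", 8, 9),
    DiscreteRisk("credential stuffing", "password reuse", "Social Engineering or Intrusion", 6, 9),
    DiscreteRisk("unpatched VPN appliance", "missing patches", "Social Engineering or Intrusion", 5, 9),
    DiscreteRisk("lost laptop", "unencrypted disk", "Loss of Device", 4, 7),
]
```

Running `aggregate_risks(SAMPLE_REGISTER)` collapses the three entry vectors into one "Social Engineering or Intrusion" risk scored 72, which is the single risk the foundational Controls are then mapped against.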
Do you want to comply with the Security Rule? Well, then simply remediate (i.e. implement at a level that is "reasonable and appropriate") the twenty-nine Controls identified therein. That's it. If you have implemented the specified Controls, then you are in compliance with the Security Rule by definition. It's at the same time that simple and that hard.