V

Risk analysis (also known as risk assessment) is the cornerstone of any information security program, and it is the fastest way to gain a complete understanding of a healthcare organization’s security profile — its strengths and weaknesses, its vulnerabilities and exposures. A risk analysis is a key requirement of the HIPAA final security rule. The security rule requires covered entities (CEs) to “conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.” The rule further states that “[t]he required risk analysis is also a tool to allow flexibility for entities in meeting the requirements of this final rule. . . . ”