Day 28 — Sprint #3 Retrospective & Building Toward HIPAA Compliance (Part 5)
Today I complete our 3rd sprint and continue our HIPAA-compliance Risk Analysis work.
Sprint #3 Retrospective:
Highlights of the Week
- Built a new module on insurance for young adults.
- Built a new module to address psycho-social challenges for young adults.
- Picked up our HIPAA-compliance work, breaking off a little piece each day.
💡What I Learned
- Content development is MUCH easier when solving a problem for a defined audience (and starting on paper). Previously, I would just “design some modules” and it always seemed to take much longer than it should.
- HIPAA compliance is a scary hill to climb, but it’s also a solved problem, which gives me confidence we can do it.
👍 What Went Well
- Really happy with content development efforts. I was invigorated to put pen to paper for this challenge and I’m even more excited to test it out.
- Picked up HIPAA-compliance activities that were started months ago. If we’re to work with hospitals, schools, or anyone else who delivers care and gets reimbursed by insurance, this will be a must.
👎 Opportunities to Improve
- This particular experiment is taking several weeks longer than the normal one-week sprint cadence. The main reason for that is that we’ve received some early positive feedback and it’s just a really big, unsolved challenge. Still, I need to do better at building rigorous experiments and sticking to our process.
- Didn’t talk to any new users. It was Christmas, sure, but a little extra planning last week could have allowed some testing at the beginning of this week to get some quick feedback.
⏭️ Next Steps
- Mostly HIPAA-compliance activities. Goal is to break off most of our planning activities related to HIPAA.
- Outreach to young adults and families to test new concept.
- New experiment (?)
The Risk Analysis
1. Organize the Risk Analysis
The baseline tool I’m using is from the NIH (You can access it here).
The risk analysis is organized into 7 sections, some of which I’ve completed already.
- SRA Basics
- Security Policies — complete
- Security & Workforce
- Security & Data
- Security and the Practice — complete
- Security and Business Associates — complete
- Contingency Planning — complete
2. Identify Threats & Vulnerabilities
Within each section, there are a number of vulnerabilities which could impact the confidentiality, integrity, or availability of our data in some way. The really nice part about starting with the NIH tool is that most of the initial vulnerabilities and threats are already laid out.
I’ll walk you through an example:
In this case, the vulnerability is that inadequate access controls lead to information disclosure, loss, or theft (i.e., someone gets access to a system they should not have access to and does something bad).
3. Identify Threat Rating
To generate a threat rating, there are 2 components:
- Likelihood: How likely is this event to happen?
- Impact: If this happened, what would be the consequences?
In this case, the likelihood is Low but the impact if it happened would be Medium, leading us to have a Medium Threat Rating for this threat.
4. Identify Response Actions and Policy Controls
The response action is how we choose to respond to the risk. We have a few choices on our response:
- Accept the Risk: We’re comfortable with taking this risk and don’t need to do anything.
- Mitigate the Risk: We would like to reduce the likelihood / impact of this risk by applying mitigation controls to this threat.
- Avoid the Risk: Do something that will allow us to avoid this risk altogether.
- Transfer the Risk: Transfer the risk to someone else (e.g., we do this for our environmental security with AWS).
- Share the Risk: Use a 3rd party who shares in the risk (e.g., using Okta for identity management).
For this threat, we have some fairly robust access management policies and procedures for ensuring only the right people have access to the right systems.
5. The End Result
Here’s what this vulnerability looks like with everything put together:
And we’re done! Just kidding. This process continues for each vulnerability:threat combo. Here’s what our output looks like for 40 total vulnerabilities.
Tomorrow I intend to keep chipping away at our HIPAA Compliance work. These little bits of work are making a big dent in our efforts of building in robust data security.
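Steps 2 through 4 above can be kept as a small machine-checkable register. The sketch below is an added example, not the author's spreadsheet or the risk analysis tool's logic. The rating rule (take the higher of likelihood and impact), the review rules, and every register row are assumptions or constructed data; only the Low/Medium → Medium case and the AWS transfer come from the post.

```python
from dataclasses import dataclass, field

LEVELS = ["Low", "Medium", "High"]
RESPONSES = {"Accept", "Mitigate", "Avoid", "Transfer", "Share"}

def threat_rating(likelihood, impact):
    # Assumed rule: the rating is the higher of the two levels. It agrees with the
    # post's worked case (Low likelihood, Medium impact -> Medium), nothing more.
    return LEVELS[max(LEVELS.index(likelihood), LEVELS.index(impact))]

@dataclass
class Risk:
    vulnerability: str
    likelihood: str
    impact: str
    response: str
    controls: list = field(default_factory=list)  # policy controls (Mitigate)
    third_party: str = ""                         # who takes the risk (Transfer/Share)

    @property
    def rating(self):
        return threat_rating(self.likelihood, self.impact)

def review(register):
    """Return (vulnerability, problem) pairs for entries that are not finished."""
    findings = []
    for r in register:
        if r.response not in RESPONSES:
            findings.append((r.vulnerability, "unknown response action"))
        elif r.response == "Mitigate" and not r.controls:
            findings.append((r.vulnerability, "Mitigate without any control listed"))
        elif r.response in ("Transfer", "Share") and not r.third_party:
            findings.append((r.vulnerability, "no third party named"))
        elif r.response == "Accept" and r.rating != "Low":  # assumed review rule
            findings.append((r.vulnerability, f"accepting a {r.rating} risk"))
    return findings

# Constructed register: the first row follows the post's example, the rest are made up.
REGISTER = [
    Risk("Inadequate access controls", "Low", "Medium", "Mitigate", ["Access management policy"]),
    Risk("Environmental security of hosting", "Low", "High", "Transfer", third_party="AWS"),
    Risk("Weak identity management", "Medium", "Medium", "Share"),
    Risk("No workforce security training", "Medium", "High", "Mitigate"),
    Risk("Unencrypted backups", "Low", "High", "Accept"),
]

if __name__ == "__main__":
    for vuln, problem in review(REGISTER):
        print(f"{vuln}: {problem}")
```

Running the review over the register before each sprint ends shows which vulnerability:threat rows still lack a control or a named third party.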