Quantitative vs. Qualitative
Risk assessment and risk analysis can be performed within the framework of two primary methodologies: qualitative and quantitative. The purpose of this document is to outline the basic differences to help you decide which method best suits the needs of your organization.
Every assessment must be baselined against something. For a HIPAA Security Rule risk analysis, the baseline is the regulations set forth in 45 CFR Parts 160, 162 and 164. For other types of risk assessment, baselines may include industry standards, applicable regulations, third-party guidelines, best practices, or a previous gap analysis of the same or a comparable organization.
Many traditional security companies offer medical organizations risk analysis services to satisfy the risk analysis requirement of the HIPAA Security Rule at 45 CFR 164.308(a)(1)(ii)(A). Many of them do not understand the HIPAA legislation well enough to know that most of the Security Rule's implementation specifications are non-technical, so providing only a technical audit of the organization's assets leaves the customer non-compliant. The purpose of this document is to help you understand the different types of methodologies and how they can be applied to HIPAA compliance.
Risk Analysis Defined
Risk is the possibility of loss. Risk analysis is the process of identifying risks, assessing their magnitude and weighing the cost and benefit of implementing countermeasures to mitigate them. The terms risk analysis and risk assessment are often used interchangeably. After the assessment is completed, an organization should begin risk management: taking proactive measures to address the findings of the analysis. For each risk the organization can choose to accept it, mitigate it with a safeguard, transfer it (typically by purchasing insurance against the possible loss), or avoid it by discontinuing the activity that creates it.
Risk Analysis intent in the HIPAA Security Rule
HIPAA is a privacy law, and the Security Rule exists to protect the privacy of electronic protected health information by requiring administrative, physical and technical safeguards. A common misunderstanding is that the Security Rule is solely about technological implementations to protect information and attain compliance. This is not true. Roughly two thirds of the Security Rule's implementation specifications are administrative safeguards such as policies and procedures, documentation, training and contract language. Any security company will tell you that an organization's largest risk is its people, not its computer systems, and the Security Rule's requirements reflect that.
Quantitative Risk Analysis
In short, quantitative risk analysis is by far the most exhaustive, costly and time-consuming method of doing a risk assessment. Its primary benefit is that it identifies your greatest risks by financial impact. Assigning a dollar value to the loss associated with a vulnerability is often the best way to obtain corporate buy-in and a true understanding of the impact to the organization.
In quantitative risk analysis, the likelihood that a particular threat will occur and the loss associated with it are estimated and assessed according to predetermined measurement scales, and the analyst attempts to produce financial loss calculations that can be measured mathematically. This requires significant time to associate costs with assets and assemble the required metrics. Quantitative analysis is the only option if your CFO or legal counsel requires numeric dollar figures and findings that can be measured against budgets from year to year. It can also strengthen your position in litigation, because the cost of lawsuits and breach disclosures can be estimated, included in the potential loss, and used to prioritize remediation efforts.
In quantitative risk analysis, risk exposure is obtained by multiplying the likelihood of a potential loss by the severity of that loss:
P(L) (probability of loss) x S(L) (severity of the loss) = R(E) (risk exposure)
Severity is usually expressed as an exposure factor (EF): the percentage of the asset's value (AV) that a single occurrence of the threat destroys. Multiplying the asset value by the exposure factor gives the loss from one incident:
AV x EF = SLE
That reduction in the value of an asset from a single incident is the single-loss expectancy (SLE). Where the loss is costed directly rather than as a percentage, the same figure is:
SLE = asset value before the incident (e.g. its TCO) – remaining asset value after the incident
It is as important to understand how often a threat is likely to occur as it is to understand the impact of one occurrence. In quantitative risk analysis the expected frequency, usually taken from industry statistics, is the annualized rate of occurrence (ARO): the probability of the threat adjusted to a single year, so a threat expected once every five years has an ARO of 0.2 and one expected twice a year has an ARO of 2. The ARO is the likelihood term in the risk exposure formula above. Once the probability is expressed as a yearly rate, the resulting loss is said to be annualized and is called the annualized loss expectancy (ALE):
ARO x SLE = ALE
Because the probability of many threats depends on geographic location, threat frequency tables often give two values: a standard annual frequency estimate (SAFE), normalized over a large area, and a local annual frequency estimate (LAFE) for the specific site. The difference between them is the geographic area over which the frequency is estimated; both are expressed as decimal frequencies, and the LAFE should be used as the ARO whenever one is available for the asset's location.
If the threat frequency table states that a $50,000 database can be expected to be destroyed by a hurricane once every 5 years, the database is a total loss when that happens (EF = 100%, so SLE = $50,000) and the ARO is 1/5 = 0.2. The annualized loss is:
$50,000 x 0.2 = $10,000 ALE
Once the ALE is calculated, you can determine what should be spent on safeguards and controls to protect the asset from this threat. There is always a maximum price that should not be exceeded when purchasing a countermeasure for an asset. First annualize the cost of the countermeasure over its lifecycle, including purchase, installation and ongoing operation:
Total safeguard cost over its life / Number of years of its life = Annual safeguard cost
Then compare that annual cost with the loss the safeguard actually removes, which is the ALE before the safeguard minus the residual ALE that remains after it (most controls reduce the exposure factor or the frequency rather than eliminating the threat). If the annual safeguard cost is less than the ALE it removes, the safeguard is clearly worth the investment; if it costs more than the loss it prevents, the money is better spent elsewhere, or the risk is better accepted or transferred. With HIPAA, there are many assets at risk, and identifying them and assigning an ALE to each can be extensive. The finished result, however, will cost-justify safeguards and give the organization an overall level of understanding that cannot be ascertained through other types of risk analysis.
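The calculation above, carried through in Python as an added worked example that is not part of the original page. It computes SLE, ALE, the annualized safeguard cost and the net annual benefit of a control, using the page's hurricane figures ($50,000 database, total loss once every 5 years) plus two constructed safeguards. The safeguard names, costs, lifetimes and residual exposure factors are illustrative assumptions, not figures from the page.

```python
"""Quantitative risk calculation: SLE, ARO, ALE and safeguard cost/benefit.

Added example, not code from the original page. The hurricane figures come
from the page; the safeguard figures below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Threat:
    name: str
    asset_value: float      # AV: value of the asset at risk, in dollars
    exposure_factor: float  # EF: fraction of AV lost per occurrence (0.0 to 1.0)
    aro: float              # ARO: expected occurrences per year (use the LAFE if known)

    def sle(self) -> float:
        """Single-loss expectancy: SLE = AV x EF."""
        return self.asset_value * self.exposure_factor

    def ale(self) -> float:
        """Annualized loss expectancy: ALE = ARO x SLE."""
        return self.aro * self.sle()


@dataclass(frozen=True)
class Safeguard:
    name: str
    total_cost: float                   # purchase plus operating cost over its life
    lifetime_years: float
    residual_ef: float                  # EF that remains once the safeguard is in place
    residual_aro: Optional[float] = None  # set only if the control changes frequency

    def annual_cost(self) -> float:
        """Safeguard cost annualized over its lifecycle."""
        return self.total_cost / self.lifetime_years


def ale_with_safeguard(threat: Threat, sg: Safeguard) -> float:
    """Residual ALE after the safeguard: same formula with the reduced EF/ARO."""
    aro = sg.residual_aro if sg.residual_aro is not None else threat.aro
    return aro * threat.asset_value * sg.residual_ef


def net_annual_benefit(threat: Threat, sg: Safeguard) -> float:
    """Value of the safeguard = ALE(before) - ALE(after) - annual safeguard cost.

    Positive means the control pays for itself; negative means it costs more
    per year than the loss it removes.
    """
    return threat.ale() - ale_with_safeguard(threat, sg) - sg.annual_cost()


def worth_buying(threat: Threat, sg: Safeguard) -> bool:
    """The cost/benefit test: buy only if the net annual benefit is positive."""
    return net_annual_benefit(threat, sg) > 0


def rank_safeguards(threat: Threat, safeguards: List[Safeguard]) -> List[Safeguard]:
    """Order candidate safeguards by net annual benefit, best first."""
    return sorted(safeguards, key=lambda sg: net_annual_benefit(threat, sg), reverse=True)


# Figures from the page: a $50,000 database destroyed (EF = 100%) by a
# hurricane expected once every 5 years (ARO = 1/5 = 0.2).
HURRICANE = Threat("hurricane destroys database", asset_value=50_000,
                   exposure_factor=1.0, aro=1 / 5)

# Constructed safeguards for comparison (assumed numbers, not from the page).
# Offsite backup: $12,000 over 5 years; a hurricane now loses ~10% of the asset
# (restore time and the data created since the last backup).
OFFSITE_BACKUP = Safeguard("offsite backup", total_cost=12_000,
                           lifetime_years=5, residual_ef=0.10)
# Relocation: $90,000 over 5 years; removes the hurricane loss entirely.
HARDENED_DC = Safeguard("relocate to hardened data center", total_cost=90_000,
                        lifetime_years=5, residual_ef=0.0)


if __name__ == "__main__":
    print(f"SLE = ${HURRICANE.sle():,.0f}, ALE = ${HURRICANE.ale():,.0f}")
    for sg in rank_safeguards(HURRICANE, [OFFSITE_BACKUP, HARDENED_DC]):
        print(f"{sg.name}: annual cost ${sg.annual_cost():,.0f}, "
              f"residual ALE ${ale_with_safeguard(HURRICANE, sg):,.0f}, "
              f"net benefit ${net_annual_benefit(HURRICANE, sg):,.0f}, "
              f"buy: {worth_buying(HURRICANE, sg)}")
```

The net-benefit function is the cost/benefit test above with residual risk included: a safeguard only pays for itself when its annual cost is below the ALE it actually removes. With these assumed numbers the offsite backup costs $2,400 a year and cuts the ALE from $10,000 to $1,000, while the relocation eliminates the risk but costs $18,000 a year against a $10,000 ALE, so it fails the test even though it is the more complete control.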
Highlights of Quantitative Risk Analysis:
- Yields results in terms of financial impact
- Emphasizes remediation based on cost of remediation vs. potential cost of loss
- All findings are expressed in monetary values, percentages, and probabilities
- Allows for more control and understanding regarding procurement and budgeting
- Requires more cooperation across the organization
- Documented loss figures strengthen your position against litigation risk
- Very time intensive
Qualitative Risk Analysis
Qualitative risk analysis is more common than quantitative because of the time and cost quantitative analysis involves. In a qualitative analysis, the assets are discovered and reviewed for known vulnerabilities against a database of potential vulnerabilities. Each risk is then rated on relative scales (for example low, medium and high) for the probability of a threat exploiting the vulnerability and for the impact if it does. Threat impact, threat probability and the vulnerabilities considered are highly subjective between analysts, and it is not uncommon in a qualitative risk analysis for two experts to reach differing conclusions. The Security Rule requires an accurate and thorough assessment but does not prescribe a methodology, so a qualitative analysis can satisfy it. If your organization is strapped for time or cannot afford the resources needed to understand its HIPAA risk in dollar figures, qualitative is the way to go.
Highlights of Qualitative Risk Analysis:
- Requires less time, less costly
- Quicker process to complete
- Findings are simpler in nature
- Focus is on specific vulnerabilities to the affected assets
- Values of loss are perceived and not quantified
- Vulnerabilities are rated subjectively
- Focus is on understanding the risk, and findings often include recommendations for mitigation based on the analyst's knowledge and expertise
The methodology is just one factor that affects the size, scope and cost of a HIPAA risk analysis. When talking to any consultant or analyst, make sure you understand which methodology they will use to perform your risk analysis. It is also extremely important that you understand the baselines the consultant is auditing against, and that they understand the full requirements of the HIPAA Security Rule, which differs from the requirements of other industries in ways that, if overlooked, could have extensive negative ramifications.