# Risk Assessment & Compliance Policies

## Overview

HIPAA Security Rule 45 CFR § 164.308(a)(1) requires an accurate and thorough assessment of the potential risks to the confidentiality, integrity, and availability of ePHI. Risk assessments must be documented and repeated both periodically and whenever significant operational changes occur.
## 1. Risk Assessment Framework

Use the NIST SP 800-30 methodology:

1. Prepare for Assessment
2. Identify Threat Sources and Events
3. Identify Vulnerabilities
4. Determine Likelihood
5. Determine Impact
6. Determine Risk (Likelihood × Impact)
7. Communicate Results
8. Maintain Assessment (ongoing)

### Risk Scoring Matrix

| Likelihood \ Impact | Negligible (1) | Minor (2) | Moderate (3) | Major (4) | Critical (5) |
|---|---|---|---|---|---|
| Almost Certain (5) | 5 | 10 | 15 | 20 | 25 |
| Likely (4) | 4 | 8 | 12 | 16 | 20 |
| Possible (3) | 3 | 6 | 9 | 12 | 15 |
| Unlikely (2) | 2 | 4 | 6 | 8 | 10 |
| Rare (1) | 1 | 2 | 3 | 4 | 5 |

Scores map to risk levels and required actions as follows:

| Score | Risk Level | Action |
|---|---|---|
| 20–25 | CRITICAL | Immediate remediation |
| 12–19 | HIGH | Remediate within 30 days |
| 6–11 | MEDIUM | Remediate within 90 days |
| 1–5 | LOW | Accept or remediate within 1 year |

## 2. Risk Register: GCP PHI Environment

### RISK-001: Unauthorized Database Access

| Field | Value |
|---|---|
| Asset | Cloud SQL (phi-db-instance) |
| Threat | Unauthorized access by attacker or insider |
| Inherent Risk | 15 (HIGH): Possible × Critical |
| Controls | Private IP, Auth Proxy, IAM least privilege, MFA, audit logging |
| Residual Risk | 5 (LOW): Rare × Critical |

### RISK-002: PHI Exposure via Application Logs

| Field | Value |
|---|---|
| Asset | Cloud Run / Cloud Logging |
| Threat | Developer accidentally logs PHI |
| Inherent Risk | 9 (MEDIUM) |
| Controls | Code review, log scanning CI check, PHI-safe logging library |
| Residual Risk | 6 (MEDIUM) |

### RISK-003: Redis Storing Raw PHI

| Field | Value |
|---|---|
| Asset | Cloud Memorystore |
| Threat | Developer caches PHI directly in Redis |
| Inherent Risk | 9 (MEDIUM) |
| Controls | Code review, Redis data policy, automated tests |
| Residual Risk | 6 (MEDIUM) |

### RISK-004: Compromised Service Account Key

| Field | Value |
|---|---|
| Asset | IAM Service Accounts |
| Threat | Key leaked (e.g., committed to git) |
| Inherent Risk | 8 (MEDIUM) |
| Controls | Workload Identity (no keys), Secret Manager, key rotation, git pre-commit hooks |
| Residual Risk | 4 (LOW) |

### RISK-005: Audit Log Tampering

| Field | Value |
|---|---|
| Asset | Cloud Audit Logs |
| Threat | Insider deletes logs to cover tracks |
| Inherent Risk | 8 (MEDIUM) |
| Controls | Retention lock on GCS bucket, REVOKE DELETE on DB audit table |
| Residual Risk | 4 (LOW) |

### RISK-006: Data Exfiltration via Misconfigured VPC

| Field | Value |
|---|---|
| Asset | VPC / Network |
| Threat | PHI routed over public internet |
| Inherent Risk | 10 (MEDIUM) |
| Controls | VPC Service Controls, private IP enforcement |
| Residual Risk | 5 (LOW) |

### RISK-007: Third-Party Dependency Vulnerability

| Field | Value |
|---|---|
| Asset | Application code / containers |
| Threat | Vulnerable library allows RCE or data exposure |
| Inherent Risk | 16 (HIGH): Likely × Major |
| Controls | Dependabot, container scanning in CI, SCC Container Analysis |
| Residual Risk | 12 (HIGH): requires ongoing attention |

## 3. Required HIPAA Policies

| Policy | HIPAA Reference | Owner | Frequency |
|---|---|---|---|
| Information Access Management | § 164.308(a)(4) | Privacy Officer | Annual |
| Workforce Training | § 164.308(a)(5) | HR + Privacy Officer | Annual |
| Security Incident Response | § 164.308(a)(6) | Security Officer | Annual |
| Contingency Plan (DR/BCP) | § 164.308(a)(7) | Security Officer | Annual |
| Access Control Policy | § 164.312(a) | Security Officer | Annual |
| Audit Control Policy | § 164.312(b) | Security Officer | Annual |
| Transmission Security | § 164.312(e) | Security Officer | Annual |
| Breach Notification | § 164.400 | Privacy Officer | Annual |

## 4. Training Requirements

| Audience | Content | Frequency |
|---|---|---|
| All workforce | HIPAA basics, PHI handling, incident reporting | Hire + annually |
| Developers | Secure coding for PHI, PHI in logs, encryption | Hire + annually |
| Cloud admins | GCP security controls, audit log review | Hire + annually |

## 5. Business Associate Register

| Vendor | Service | BAA Signed | BAA Review Date |
|---|---|---|---|
| Google LLC | GCP (Cloud Run, Cloud SQL, Memorystore) | Yes | [DATE+1yr] |
| [Vendor] | [Service] | [ ] | [DATE+1yr] |

## 6. Evidence Retention (6 Years)

All compliance documentation must be retained for 6 years from creation or last effective date:

- Risk assessments and risk register
- Security policies and procedures
- Training records and acknowledgments
- Audit logs
- Incident reports
- BAAs
- DR test results
- Breach notifications

This completes the HIPAA GCP documentation suite. Return to the HIPAA Checklist →