• E-mail
• Print
• RSS

Creating and conducting an organizationwide risk analysis: Part 1

Briefings on HIPAA, June 1, 2016

This is an excerpt from a member only article. To read the article in its entirety, please login or subscribe to Briefings on HIPAA.

Risk analysis

Creating and conducting an organizationwide risk analysis: Part 1

Editor's note: This is part one of a series about implementing organizationwide risk analyses. Look for part two in an upcoming issue of BOH.

OCR's breach settlements, corrective action plans (CAP), and penalties often take organizations to task for not completing a regular organizationwide risk analysis, yet it's all too easy for this important job to fall by the wayside. A lack of resources and competing demands within an organization can push the risk analysis to the bottom of the list of priorities. But this leaves an organization vulnerable to threats it will only see in hindsight. It also often leads to scrutiny from OCR and the public.

The big picture

An organizationwide risk analysis means just that: The entire organization and its operations must be analyzed for vulnerabilities to security breaches. Some organizations may simply perform a risk analysis of their EHR, but that leaves out the majority of the operations and will not provide a clear picture of the threats the organization really faces. Without that knowledge, a security officer can't do his or her job. A truly comprehensive picture of the organization's data assets is necessary to maintain any real security of data and goes beyond PHI included in EHRs, according to William M. Miaoulis, CISA, CISM, information security officer at Auburn University in Auburn, Alabama.

"An organizationwide risk assessment attempts to determine the risks and current controls to information, typically PHI, information that can be used for credit cards, sensitive information (human resources, corporate information), and other valuable information," he says.

If any data system in an organization is breached, whether it's directly related to PHI or not, all data in the organization's network becomes vulnerable. This is why the broad scope of an organizationwide risk analysis is so important. "Besides being required by HIPAA, it is good practice," says Kate Borten, CISSP, CISM, HCISPP, founder of The Marblehead Group in Marblehead, Massachusetts. "If the risk analysis' scope is too narrow, e.g., just focusing on the organization's EHR and its technical controls, other security risks to PHI, and to other protected information assets, are very likely to be overlooked."

Chris Apgar, CISSP, president of Apgar and Associates, LLC, in Portland, Oregon, agrees that ensuring the risk analysis has a large scope is important. "The idea is to assess the whole organization rather than just focusing on the IT shop," he says.

For example, a break-in or a fire are known threats that would be included in a risk analysis but are not IT threats, Apgar points out.

This is an excerpt from a member only article. To read the article in its entirety, please login or subscribe to Briefings on HIPAA.

• E-mail to a Colleague
• Print
• RSS
• Archive