Creating and conducting an organizationwide risk analysis: Part 1
Briefings on HIPAA, June 1, 2016
This is an excerpt from a member only article. To read the article in its entirety, please login or subscribe to Briefings on HIPAA.
Editor's note: This is part one of a series about implementing organizationwide risk analyses. Look for part two in an upcoming issue of BOH.
OCR's breach settlements, corrective action plans (CAPs), and penalties often take organizations to task for not completing a regular organizationwide risk analysis, yet it's all too easy for this important job to fall by the wayside. A lack of resources and competing demands within an organization can push the risk analysis to the bottom of the list of priorities. But this leaves an organization exposed to threats it will only recognize in hindsight, and it frequently draws scrutiny from OCR and the public after a breach.
The big picture
An organizationwide risk analysis means just that: The entire organization and its operations must be analyzed for vulnerabilities that could lead to security breaches. Some organizations perform a risk analysis of their EHR alone, but that leaves out the majority of their operations and will not provide a clear picture of the threats the organization really faces. Without that knowledge, a security officer cannot do his or her job. A truly comprehensive inventory of the organization's data assets is necessary to maintain any real security of data, and it goes well beyond the PHI held in EHRs, according to William M. Miaoulis, CISA, CISM, information security officer at Auburn University in Auburn, Alabama.
"An organizationwide risk assessment attempts to determine the risks and current controls to information, typically PHI, information that can be used for credit cards, sensitive information (human resources, corporate information), and other valuable information," he says.
If any system in an organization is breached, whether or not it directly holds PHI, an attacker who gains a foothold there can reach other data on the organization's network. This is why the broad scope of an organizationwide risk analysis is so important. "Besides being required by HIPAA, it is good practice," says Kate Borten, CISSP, CISM, HCISPP, founder of The Marblehead Group in Marblehead, Massachusetts. "If the risk analysis' scope is too narrow, e.g., just focusing on the organization's EHR and its technical controls, other security risks to PHI, and to other protected information assets, are very likely to be overlooked."
Chris Apgar, CISSP, president of Apgar and Associates, LLC, in Portland, Oregon, agrees that ensuring the risk analysis has a large scope is important. "The idea is to assess the whole organization rather than just focusing on the IT shop," he says.
For example, a break-in or a fire is a known threat that belongs in a risk analysis but is not an IT threat, Apgar points out.