Health Information Management

Final security regulations place more emphasis on risk assessment

HIM Connection, February 28, 2003

Dear Colleagues:

In the final security rule, the Department of Health and Human Services (HHS) put an emphasis on risk analysis and management, which is the cornerstone of any successful security program, says William Miaoulis, CISA, principal at Phoenix Health Systems, in Montgomery Village, MD.

"By emphasizing risk analysis and management, they're really saying you have to determine what are appropriate safeguards," he says. "It gives you more gray area, but it doesn't diminish the need to have security. You still need to be using generally accepted security principles and practices."

The final rule introduces organizations to the term "addressable." All standards are required, but the regulations create a distinction between the underlying required implementation specifications and addressable specifications.

Organizations are permitted to determine that an "addressable" specification really isn't reasonable for that organization and come up with a comparable alternative. And if there isn't a reasonable alternative, the organization can eliminate the specification as long as it provides documentation and analysis, explains Kate Borten, CISSP, president of The Marblehead Group, in Marblehead, MA. "But all the implementation specifications allow latitude for flexibility and scalability anyway. There's already a huge debate on how to interpret the term."

Conducting your risk analysis will help you determine whether an addressable specification is necessary for your organization, says Miaoulis.

"Even though we look to HIPAA and talk about those civil and criminal penalties, the greater risk is a private lawsuit or bad press," says Borten. "Seeing this final rule makes that even clearer. The rule is written as a very open-ended regulation. The more vague, the more opportunity there is to challenge it."

Organizations are still required to implement audit trails, contingency plans, and staff training. And there are some addressable requirements that should be "no-brainers," says Miaoulis. "HHS lists protection for malicious software as addressable, but you'd be a fool not to have virus protection."

Although encryption is only required where organizations think it is necessary, the risk is too great to not use it when sending patient information over the Internet, says Miaoulis. "The rule is just a baseline. Look at this as a floor and not the maximum you're supposed to do."

This week's HIM Connection was adapted from the Healthcare Information Security newsletter.

Sincerely,

Kim Raines
Managing Editor
