Four more steps to setting up a security risk assessment
HIM Connection, December 26, 2006
Want to receive articles like this one in your inbox? Subscribe to HIM Connection!
Editor's note: This article is the second in a two-part series. Check out last week's issue of HIM Connection for the first three steps to setting up a security risk assessment.
Below you'll find more sure-fire techniques to help you continue to make progress planning your security risk assessment. Of course, once you perform one, you likely will use a blend of techniques best suited to your environment.
Last week we explained how to think about the assessment process and plan for it, and also how to anticipate needs and challenges along the way. Here are the final four steps:
- Collect information
Information for a risk assessment typically comes from three sources: documents, interviews, and observation.
Once you've gathered all documents relevant to the assessment scope, there are two types of information to look for: the good news and the bad news.
- Documentation of the security controls you use, such as policies, standards, procedures, forms, and training materials
- Known security problems and history of security incidents at your organization
Collecting documentation takes persistence if documents in your organization are not already standardized, centralized, and categorized. It can be more challenging than a scavenger hunt if you don't know what specific documents you are seeking or whether they even exist.
- Analyze information
Gather the information from all sources. Follow your methodology to identify vulnerabilities, threats, and countermeasures. Weigh each risk. You can do this using a subjective scale of high, medium, and low. Document each observation and include a brief explanation and the rationale for the weight. If your security program is new, the assessment's scope is broad, or the assessment is the first one in a particular area, expect to find many risks.
- Recommend solutions
For each observation, provide options for mitigating the risk or recommend that no action be taken. In some cases, you can eliminate a particular risk. In other cases, you can take steps to reduce the risk but not completely eliminate it. In still other cases, the risk is low and you may recommend your staff focus on mitigating higher risks. That is an acceptable stance. Keep in mind that there is always risk, and efforts to control and reduce risk are ongoing.
The mitigating steps can include one or many administrative, physical, and technical security controls. Make sure the recommendations are consistent with your overall security framework, reasonable for your business environment, cost effective based on the risk level, and defensible. The Department of Health and Human Services (HHS) expects that healthcare organizations will spend money on security, so some new costs are inevitable. However, if your clinical system has poor access control features but is being replaced within 12 months, it may be acceptable to mitigate the temporary risk with focused user training, rather than pay for short-lived customization.
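As an added illustration of the analyze and recommend steps above (example code written for this edit, not from the article or from the book it excerpts), the following Python risk register records each observation with its vulnerability, threat, existing controls, a subjective high/medium/low likelihood and impact, the rationale for those weights, and the mitigation options offered. It combines likelihood and impact into an overall rating, sorts observations so the highest risks come first, and marks low-rated items as candidates to accept so staff can focus on higher risks. The 3x3 rating matrix and the "accept anything rated low" threshold are assumptions chosen for the example; the article prescribes only a subjective high/medium/low scale. The sample observations are constructed, loosely following the clinical-system and documentation situations the article mentions.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Ordered from least to most severe; the index is used for comparison and sorting.
LEVELS = ("low", "medium", "high")

# Assumed 3x3 matrix combining likelihood (first) and impact (second) into a rating.
# This is one common scheme, not something the article prescribes.
RATING = {
    ("low", "low"): "low",       ("low", "medium"): "low",       ("low", "high"): "medium",
    ("medium", "low"): "low",    ("medium", "medium"): "medium", ("medium", "high"): "high",
    ("high", "low"): "medium",   ("high", "medium"): "high",     ("high", "high"): "high",
}


@dataclass
class Observation:
    """One finding from the assessment, with the weight and the rationale for it."""
    id: str
    asset: str
    vulnerability: str
    threat: str
    existing_controls: List[str]
    likelihood: str
    impact: str
    rationale: str
    options: List[str] = field(default_factory=list)  # mitigation options offered to management

    def __post_init__(self) -> None:
        # Reject anything outside the subjective H/M/L scale so ratings stay comparable.
        for level in (self.likelihood, self.impact):
            if level not in LEVELS:
                raise ValueError(f"unknown level {level!r}; expected one of {LEVELS}")

    @property
    def rating(self) -> str:
        return RATING[(self.likelihood, self.impact)]


def disposition(obs: Observation, accept_below: str = "medium") -> str:
    """Recommend 'accept' for risks rated below the threshold, otherwise 'mitigate'.
    The threshold is an assumption for this example; the article only says accepting
    low risks so staff can focus on higher ones is an acceptable stance."""
    return "accept" if LEVELS.index(obs.rating) < LEVELS.index(accept_below) else "mitigate"


def prioritize(observations: List[Observation]) -> List[Observation]:
    """Highest-rated risks first; ties keep their original order (sorted() is stable)."""
    return sorted(observations, key=lambda o: LEVELS.index(o.rating), reverse=True)


def report(observations: List[Observation]) -> str:
    """Plain-text summary suitable as the body behind an executive summary."""
    lines = []
    for o in prioritize(observations):
        lines.append(f"{o.id} [{o.rating.upper():>6}] {disposition(o):<8} {o.asset}: "
                     f"{o.vulnerability} / {o.threat}")
        lines.append(f"    rationale: {o.rationale}")
        for opt in o.options:
            lines.append(f"    option: {opt}")
    return "\n".join(lines)


# Constructed sample observations (not real findings).
SAMPLE_OBSERVATIONS: List[Observation] = [
    Observation("R1", "Clinical system", "Weak access control features",
                "Unauthorized viewing of patient records", ["Login banner", "Annual training"],
                likelihood="high", impact="medium",
                rationale="Shared logins are common on the wards; system is replaced in 12 months.",
                options=["Focused user training until replacement",
                         "Customize access controls (short-lived, costly)"]),
    Observation("R2", "Security documentation", "Policies not centralized or categorized",
                "Inconsistent application of procedures", ["Department-level copies"],
                likelihood="medium", impact="low",
                rationale="Documents exist but were hard to locate during collection.",
                options=["Create a central, categorized policy repository"]),
    Observation("R3", "Incident history", "No record of past security incidents",
                "Repeat of unrecognized incidents", [],
                likelihood="medium", impact="medium",
                rationale="Interviews recalled incidents that no document records.",
                options=["Start an incident log owned by the security officer"]),
]


if __name__ == "__main__":
    print(report(SAMPLE_OBSERVATIONS))
```

Each line of the report carries the rating, the disposition, and the rationale together, which is the "brief explanation and the rationale for the weight" the article asks you to document, and the options list is what management decides between in the final step.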
- Report to management and reach decisions
You should present the completed report (preferably both on paper and in person) to senior management (i.e., C-level officers) who are responsible and ultimately accountable for the organization's security position. A risk assessment report typically includes an executive summary, but you should also discuss specific high-risk items and important mitigation strategies (such as large and/or expensive projects). Your leaders should understand in business terms what these risks are, why it is important to address them and the implications of not doing so, and the recommended course of action. The outcome should involve executive decisions on mitigating or accepting risks, and the best approach to take.
Editor's note: The above article was excerpted from the book Guide to HIPAA Security Risk Analysis written by Kate Borten, CISSP, CISM. For more information or to order, call 877/727-1728 or go to www.hcmarketplace.com/prod-2724.html.