Three steps to setting up a security risk assessment

Hospitalist Leadership Connection, January 26, 2007

Editor's note: This article is the first in a two-part series. Don't miss next week's issue of HIM Connection for the last four steps to setting up a security risk assessment.

Although the Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires that covered entities perform risk analyses or assessments, the security rule provides no further details on how to do so.

To get you started, below you'll find sure-fire techniques to get your own assessment in the works. Once you perform one, you likely will use a blend of techniques best suited to your environment.

In this issue and next, HIM Connection breaks down the risk-assessment process into seven logical steps to help you think about the process and plan for it, anticipating needs and challenges along the way. These steps are appropriate for initial and repeat assessments.

  1. Get real support
    The broader the scope of the assessment, the more critical the need for support from people at different levels. Senior management needs to understand why assessments are both necessary and of value to the organization. You need to get senior and mid-level management support for the time commitment. You will also need technical staff support because an assessment that delves into a system or the network will involve their time and possibly their cooperation in running scanning software.

    Support is a major factor in success. Less than full and candid support at any of these levels can sabotage your risk assessment through delays and incomplete or even misleading information. Take time to build support through solid education on core security concepts and their value to your organization.

  2. Define the scope
    The scope may be different with each risk assessment you perform. In any case, it is essential that you clearly spell out the scope at the outset with stakeholder agreement. If your organization has never performed a formal assessment, take a high-level, broad look for your first experience. The results of that assessment should help you decide where to focus follow-up assessments, which may be narrower and deeper in scope.

  3. Decide between in-house or outsourced
    Many healthcare organizations perform their own risk assessments, which is acceptable under HIPAA. If you do so, however, the internal staff in all but the smallest organizations should possess demonstrated security knowledge and experience. For credibility in technical areas, those performing the assessment should stay at arm's length from the day-to-day systems and database administrators.

It is also common for organizations to hire external security professionals for risk assessments, review of internal work as second and impartial checks, or technical penetration and vulnerability tests. Note that a vulnerability test does not constitute a risk assessment, although you may use it as a supplement. Be aware that ultimate responsibility rests with your organization even if you outsource part of the process. Your organization is in control of the information imparted to the third party, and your management should make or endorse all significant security decisions resulting from the assessment.

Editor's note: The above article was excerpted from the book Guide to HIPAA Security Risk Analysis written by Kate Borton, CISSP, CISM. For more information or to order, call 877/727-1728 or go to www.hcmarketplace.com/prod-2724.html.