Business Technology Risk Assessment
HIPAA Security Policies Review and Development
Disaster Recovery Planning
Data Security: Risk Assessment
Threat Analysis | Mitigation
Securing patient data is about knowing where electronic protected health information (ePHI) resides in your computer systems, how it flows through the systems, identifying potential risks to the data, and taking reasonable and appropriate measures to address them.
What does the Risk Analysis process involve?
We provide you with insight into your current technology and its effectiveness in ensuring the security and privacy of electronic protected health information (ePHI). A complete inventory of all systems that store or transmit ePHI is done. The Risk Analysis (RA) examines the threats and vulnerabilities to the confidentiality, integrity, and availability of the ePHI held by an organization. It looks at ePHI stored in computer systems (data at rest) and the ePHI flowing in and out of a corporate network (data in motion).
Risk Analysis is the foundation of a strong data security program
RA seeks to determine the level of risk to the data, taking into consideration the likelihood of occurrence of potential threats and their adverse impact on the business. The combination of a high probability of threat occurrence and a significant adverse impact leads to a higher degree of risk. Security measures currently in place to protect the data are evaluated, and best practices, policies and procedures are recommended.
For example: ePHI stored on mobile devices such as laptops is especially vulnerable. Laptop theft is very common (threat) and unencrypted data on it (vulnerability) can expose the ePHI to an unauthorized user. Implementation of a mobile device policy with appropriate technology and policy controls can prevent the loss of ePHI and can be a "safe harbor" in the event of a data breach.
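The likelihood-times-impact reasoning above, and the laptop example, can be worked through as a small risk register. The following is an added illustration written for this page; it is not the firm's own assessment tool. The 1-3 rating scales, the banding of scores into Low/Medium/High, the rule that an in-place control drops likelihood to its floor, and the sample assets and threats are all constructed assumptions, chosen to show how an existing safeguard (here, full-disk encryption) changes the residual risk of the same threat.

```python
from dataclasses import dataclass


@dataclass
class Asset:
    """A system that stores (data at rest) or transmits (data in motion) ePHI."""
    name: str
    holds_ephi: bool
    state: str                          # "at rest" or "in motion"
    controls: frozenset = frozenset()   # safeguards already in place


@dataclass
class Threat:
    """A threat, the vulnerability it exploits, and the controls that close that vulnerability."""
    name: str
    applies_to: str                     # which data state the threat targets
    likelihood: int                     # assumed scale: 1 = rare, 2 = possible, 3 = common
    impact: int                         # assumed scale: 1 = minor, 2 = moderate, 3 = severe
    vulnerability: str
    mitigated_by: frozenset = frozenset()


def residual_likelihood(asset: Asset, threat: Threat) -> int:
    """Assumption: a control in place that addresses the vulnerability drops likelihood to 1."""
    if asset.controls & threat.mitigated_by:
        return 1
    return threat.likelihood


def risk_score(asset: Asset, threat: Threat) -> int:
    """Risk = likelihood of occurrence x adverse impact, on the assumed 1-3 scales."""
    return residual_likelihood(asset, threat) * threat.impact


def risk_level(score: int) -> str:
    """Assumed banding of the 1-9 product into three levels."""
    if score >= 6:
        return "High"
    if score >= 3:
        return "Medium"
    return "Low"


def assess(assets, threats):
    """Build a risk register: one row per ePHI asset / applicable threat, highest risk first."""
    register = []
    for asset in assets:
        if not asset.holds_ephi:
            continue                    # out of scope for the ePHI risk analysis
        for threat in threats:
            if threat.applies_to != asset.state:
                continue                # threat does not target this data state
            score = risk_score(asset, threat)
            register.append({
                "asset": asset.name,
                "threat": threat.name,
                "vulnerability": threat.vulnerability,
                "mitigated": bool(asset.controls & threat.mitigated_by),
                "score": score,
                "level": risk_level(score),
            })
    return sorted(register, key=lambda r: r["score"], reverse=True)


# Constructed sample inventory and threat list (not real client data).
SAMPLE_ASSETS = [
    Asset("Clinician laptop (unencrypted)", True, "at rest"),
    Asset("Clinician laptop (encrypted)", True, "at rest", frozenset({"full-disk encryption"})),
    Asset("Claims upload to clearinghouse", True, "in motion", frozenset({"TLS"})),
    Asset("Public practice website", False, "at rest"),
]
SAMPLE_THREATS = [
    Threat("Laptop theft", "at rest", 3, 3, "unencrypted local storage",
           frozenset({"full-disk encryption"})),
    Threat("Former employee retains access", "at rest", 2, 2,
           "no account termination procedure", frozenset({"termination checklist"})),
    Threat("Interception on the network", "in motion", 2, 3,
           "cleartext transmission", frozenset({"TLS"})),
]

if __name__ == "__main__":
    for row in assess(SAMPLE_ASSETS, SAMPLE_THREATS):
        print(f'{row["level"]:6} {row["score"]}  {row["asset"]} / {row["threat"]}')
```

Run as a script, the register puts theft of the unencrypted laptop at the top (score 9, High) while the same threat against the encrypted laptop drops to 3 (Medium), which is the point of the mobile device policy discussed above; the website, holding no ePHI, is excluded from the register rather than scored.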
How long does the Risk Analysis take?
A thorough risk analysis is the foundation of a good security management program. It is one of the primary requirements under the HIPAA security rule. Hence doing it right is very important. Depending upon the size of your organization and the number of systems that contain ePHI, it might take us a day or two to gather all the information we need. We will need to talk with your Security/Compliance officer and IT staff to get the information we need. We spread this activity over a few days and work around your schedule to minimize disruption to your work.
Risk Analysis - Common Misconceptions
Risk Analysis is only an IT risk analysis: RA examines the administrative, physical and technical safeguards that the organization has in place to ensure the security of ePHI. It covers people, policies, processes and technology in place and helps healthcare organizations identify and address gaps in their EPHI security.
Risk Analysis is a one-time event. Organizations change over time. Technology is constantly updated, people leave, new employees join, etc. RA needs to be conducted or reviewed on a regular basis, preferably annually, and certainly when major changes occur within an organization. Possible changes include updating security measures, implementing new policies and completion of additional security training for staff.
Risk Analysis is the responsibility of the IT department alone. RA should involve the IT personnel as well as senior management. One person, preferably in senior management, should be named the Chief Security Officer and be held accountable for all ePHI security and compliance activities.
Risk Analysis is optional. RA is a required implementation specification under the Security Management Standard of the HIPAA security rule. It is also a Core Measure under the Meaningful Use attestation process.