Conducting an Effective Security Risk Assessment

HIPAA Mandate


Congress initiated health care reform during the Obama Administration to provide people with health insurance throughout their employment (i.e., job after job) and to safeguard their medical data through uniform management of electronically stored data. Rules imposed standards that were promulgated by the Department of Health and Human Services, including specifics for managing and protecting health information. The specifics appear as the Health Insurance Portability and Accountability Act (HIPAA). Its Security Rule mandates that those covered by the Act evaluate their health care operation for potential security risks. Healthcare organizations are required to be compliant with HIPAA’s technical, administrative, and physical safeguards. The Office for Civil Rights has provided compliance information.





Methodology for Conducting an Effective Security Risk Assessment



Competing stakeholders use a variety of systems to manage data, store the information, and convey the information to users. Classically, these responsibilities have been “delegated” to data managers, but HIPAA stakeholders comprise a much larger concerned group than those who enter or maintain computers and IT data. Security risk can be assigned to multiple stakeholders, but the IT framework must address their access, hardware, software, employee training, and multiple interfacing business models with their internal processes. Risk assessment commences when the value of data is recognized on each level and the vulnerability of information storage is defined. Managing the identified risks will affect costs, employee productivity, inter-system confidentiality barriers, communication, and decisions about delegating responsibility for continuing risk assessments in the future.




Goals Beyond HIPAA Requirements



Risk assessment may be affected by issues beyond risk itself, and those issues may add further goals to an assessment. For example, a further goal may be to identify points of noncompliance with existing mandates relating to office administrative protocols, technician and user training in data access and storage, the technical training of technicians, etc. Another goal may relate to the compatibility of data management with licensing requirements, limits based on the cultural folkways of the local region that preclude effective risk assessment, legal mandates resulting from a lawsuit, incident, complaint, etc. The additional goals will help determine whether resources for risk assessment are exclusively in-house or whether external consultants will be required for the risk assessment.



The Initial Assessment


“In broad strokes,” an initial assessment plan will define the present threat status for an organization, provide a framework for development of a continuing risk assessment program, and will typically entail these and additional parameters:


  1. Determine specifics of analysis, e.g., HIPAA requirements, objectives, etc.
  2. List organizational assets, e.g., system components, networking diagrams, physical hardware and equipment, data storage, types of data, software, existing operational protocols, operating security systems, access and authentication procedures, etc.
  3. Determine potential threats to those assets.
  4. Itemize system vulnerabilities, e.g., people, equipment such as Tyvek suits, communications and interfaces, etc.
  5. Determine effectiveness of current security.
  6. Identify specific levels of risk for problems delineated.
  7. Identify interaction effects of organizational assets.
  8. Review and modify organizational operations to eliminate potential internal threats.
  9. Develop a strategy to ameliorate all potential external threats.
  10. Establish a monitoring system and a risk reassessment schedule.



Help in the Process


It is apparent that doing a risk assessment involves collecting a variety of information and, in some cases, “voluminous” data. A number of resources (e.g., a “governmental consultant,” a “systems academic,” an “IT specialist,” a “safety consultant,” etc.) may assist in completing the risk assessment task. Continuing education programs for a variety of health and safety professional groups continue to offer coursework on performing risk analysis. Businesses focusing on risk assessment range from engineering groups to IT groups, medical schools, software companies, etc.




Author Kenneth Overton is a risk management consultant and a former construction supervisor with over 10 years of experience in the industry. He specializes in risk analysis and disaster management.


Risk Management at Industrial Work Zones

It’s no secret: work zones can be dangerous places both for employees and for passers-by. Because of the materials, heavy equipment, and busy activity at industrial zones, they can be risky places, which makes safety an important concern. Keeping everyone safe on site should be the top priority for all supervisors, workers, and those nearby. A focus on safe zones and safe work means construction can proceed effectively, on schedule, with good quality, and with everyone being safe. Luckily, there are good tips to help those who work in and manage industrial zones to keep them safe.



Protective Gear is a Must


Everyone entering a work zone should be wearing protective gear. Whether the person is simply looking around, delivering supplies, or talking with someone on the crew, protective gear is still important. Even one unprotected person is at risk in industrial zones. Likewise, everyone needs to be wearing the correct gear. Leaving off a safety hat or vest because of hot weather, for instance, is an unwise risk because a break without proper safety equipment leaves one exposed. Also, it is important to make sure each person has the proper equipment for the specific job available to them and that it is in good condition.



Clear Directions and Communication


Industrial zones can be chaotic, loud, and confusing. Due to the number of people and the equipment being used, communicating clearly is very important. Posting clear signs with words or obvious imagery to remind everyone on site of important rules is a great idea. Brightly colored signs with clear images or large, simple wording will help make certain everyone remembers the proper precautions. Likewise, they can draw attention and remind passers-by to be careful in heavily populated places.



Choose the Right Times


Choosing the right times to perform construction work is important, especially for jobs on busy streets or in populous areas. Avoiding night time work is advisable. Even with reflective clothing, night work can be a hazard both to people nearby and to workers. Likewise, workers are more likely to be tired and less focused from long hours continuing into the evening. Therefore, working during daylight hours only is one of the safest ways to handle a construction zone.



Keep an Eye Out


In addition to proper positioning and clothing that is meant to make others nearby aware of the workers, be sure to have a safety supervisor on each project. Having a specific person appointed to look out for general safety concerns as well as all workers as his or her primary task means safety concerns that might not be seen otherwise are more likely to be noticed and addressed. The manager should have a good amount of experience in construction and be familiar with safety codes, company procedures, and the sorts of things that may be a danger.





If at all possible, detour as much traffic as possible – both human and automobile – to keep people from getting unnecessarily close to the zone. If a detour isn’t possible, be sure to set up clear ropes and barricades to mark where people should not go past and put someone in charge of looking out for people not paying attention during busy times. Barricades and proper signage and someone flagging or watching traffic can greatly reduce accidents from those passing by who aren’t paying attention.



Proper Insurance


Perhaps it’s stating the obvious, but insuring both workers and the work zone is an extremely important part of industrial work zone safety. Insurance policies keep workers protected in case of injury and supervisors and owners safe in case of any accident or problem. Looking into a good coverage policy or set of policies is one of the first things that should be undertaken before opening a new construction zone. Likewise, policies should be inspected regularly to make sure they still meet the needs of the zone and that they don’t need an update or renewal.


By following these and other common sense safety tips, industrial construction zones can be much safer places for everyone. Likewise, following safety tips will ensure work proceeds the way it should and is a success for everyone.



Kenneth Overton is a risk management consultant and a former construction supervisor with over 10 years of experience in the industry. He specializes in risk analysis and disaster management.
