Reduce Workers Compensation Costs By 20-50%

You are here: Home / Assessment & Diagnostics / Conducting an Effective Security Risk Assessment

Conducting an Effective Security Risk Assessment

By //  by  Leave a Comment

HIPAA Mandate

 

Congress initiated health care reform during the Obama Administration to provide people with health insurance throughout their employment (i.e., job after job) and to safeguard their medical data through a uniform management of electronically stored data. Rules imposed standards that were promulgated by the Department of Health and Human services, including specifics for managing and protecting health information. The specifics appear as the Health Insurance Portability and Accountability Act (HIPAA). Its Security Rule mandates that those covered by the Act evaluate their health care operation for potential security risk. Healthcare organizations are required to be compliant with HIPAA’s technical, administrative, and physical safeguards. The Office for Civil Rights has provided compliance information.

 

 

 

 

Methodology for Conducting an Effective Security Risk Assessment

 

 

Competing stakeholders utilize a variety of systems to manage data, store the information, and convey the information to users. Classically, these responsibilities have been “delegated” to data managers, but HIPAA stakeholders comprise a much larger concerned group than those who enter or maintain computers and IT data. Security risk can be assigned to multiple stakeholders, but the IT framework must address their access, hardware, software, employee training, and multiple interfacing business models with their internal processes. Risk assessment commences when the value of data is recognized on each level and the vulnerability of storage of information is defined. Managing risks identified will impact costs, productivity of employees, inter-system confidentiality barriers, communication, and decisions about delegating responsibility for continuing risk assessments in the future.

 

 

 

Goals Beyond HIPAA Requirements

 

 

Risk assessment may be impacted by issues beyond just risk. Those issues may foster additional goals for any assessment. For example, a further goal may be to identify points of noncompliance with existing mandates relating to office administrative protocols, technician and user training in data access, storage, actual technical training of technicians, etc. Another goal may relate to compatibility of data management with licensing requirements, limits based on the cultural folkways of the local region precluding effective risk assessment, legal mandates resulting from lawsuit, incident, complaint, etc. The additional goals will help determine whether resources for risk assessment are exclusively in-house or whether external consultants will be required for the risk assessment.

 

 

The Initial Assessment

 

“In broad strokes,” an initial assessment plan will define the present threat status for an organization, provide a framework for development of a continuing risk assessment program, and will typically entail these and additional parameters:

 

  1. Determine specifics of analysis,e.g., HIPAA requirements, objectives, etc.

 

  1. List organizational assets,e.g., system components, networking diagrams, physical hardware and equipment, data storage, types of data, software, existing operational protocols, operating security systems, access and authentication procedures, etc.

 

  1. Determine potential threats to those assets

 

  1. Itemize system vulnerabilities,e.g., people, equipment such as tyvek suits, communications and interfaces, etc.

 

  1. Determine effectiveness of current security.

 

  1. Identify specific levels of risk for problems delineated.

 

  1. Identify interaction effects of organizational assets.

 

  1. Review and modify organizational operations to eliminate potential internal threats.

 

  1. Develop a strategy to ameliorate all potential external threats.

 

  1. Establish a monitoring systemand a risk reassessment schedule.

 

 

Help in the Process

 

It is apparent that doing a risk assessment involves collection of a variety of information, in some cases, “voluminous” data. A number of resources (e.g., a “governmental consultant,” a “systems academic,” an “IT specialist,” a “safety consultant,” etc.) may assist the completion of the risk assessment task. Continuing education for a variety of health and safety professional groups continue to offer coursework on performing risk analysis. Businesses focusing on risk assessment vary from engineering groups, to IT groups, to medical schools, to software companies, etc.

 

 

 

Author Kenneth Overton is a risk management consultant and a former construction supervisor with over 10 years of experience in the industry. He specializes in risk analysis and disaster management. Contact: [email protected]

 

Related Articles

I Can’t Teach Anyone Anything In Workers’ Comp, I Can Only Make Them Think

Assess 12 Areas To Determine Cause Of High Workers’ Comp Costs

New Year’s Resolutions to Reduce Workers’ Compensation Costs

5 Elements to Review in Assessment of a Workers’ Comp Program

How to Calculate Your Minimum Experience Modification Factor

Start the New Year Off Right With An Ergonomics Review

The Single Biggest Mistake With BIG DATA in Workers’ Comp

The Single Most Comprehensive Workers’ Comp Leading Indicator

8 Steps To Assess Your Workers Comp Program

Complex Regional Pain Syndrome – Red Alert!

Identify Real Cost Drivers in Post Loss Workers Compensation

How to Handle the Worst News in Company History

Free Download

5 Critical Metrics To Measure Workers’ Comp Success - FREE Download Click Here Now!

Train to Succeed

BECOME CERTIFIED IN WORKERS’ COMPENSATION

Proven Course Catalog & WC Toolbox Give You The Power To Achieve Lower Costs and Better Injured Worker Outcomes

VISIT WORKERS' COMP TRAINING CENTER

Reader Interactions

Leave a Reply

Your email address will not be published. Required fields are marked *