Congress initiated health care reform during the Obama Administration to provide people with health insurance throughout their employment (i.e., job after job) and to safeguard their medical data through a uniform management of electronically stored data. Rules imposed standards that were promulgated by the Department of Health and Human services, including specifics for managing and protecting health information. The specifics appear as the Health Insurance Portability and Accountability Act (HIPAA). Its Security Rule mandates that those covered by the Act evaluate their health care operation for potential security risk. Healthcare organizations are required to be compliant with HIPAA’s technical, administrative, and physical safeguards. The Office for Civil Rights has provided compliance information.
Methodology for Conducting an Effective Security Risk Assessment
Competing stakeholders utilize a variety of systems to manage data, store the information, and convey the information to users. Classically, these responsibilities have been “delegated” to data managers, but HIPAA stakeholders comprise a much larger concerned group than those who enter or maintain computers and IT data. Security risk can be assigned to multiple stakeholders, but the IT framework must address their access, hardware, software, employee training, and multiple interfacing business models with their internal processes. Risk assessment commences when the value of data is recognized on each level and the vulnerability of storage of information is defined. Managing risks identified will impact costs, productivity of employees, inter-system confidentiality barriers, communication, and decisions about delegating responsibility for continuing risk assessments in the future.
Goals Beyond HIPAA Requirements
Risk assessment may be impacted by issues beyond just risk. Those issues may foster additional goals for any assessment. For example, a further goal may be to identify points of noncompliance with existing mandates relating to office administrative protocols, technician and user training in data access, storage, actual technical training of technicians, etc. Another goal may relate to compatibility of data management with licensing requirements, limits based on the cultural folkways of the local region precluding effective risk assessment, legal mandates resulting from lawsuit, incident, complaint, etc. The additional goals will help determine whether resources for risk assessment are exclusively in-house or whether external consultants will be required for the risk assessment.
The Initial Assessment
“In broad strokes,” an initial assessment plan will define the present threat status for an organization, provide a framework for development of a continuing risk assessment program, and will typically entail these and additional parameters:
- Determine specifics of analysis,e.g., HIPAA requirements, objectives, etc.
- List organizational assets,e.g., system components, networking diagrams, physical hardware and equipment, data storage, types of data, software, existing operational protocols, operating security systems, access and authentication procedures, etc.
- Determine potential threats to those assets
- Itemize system vulnerabilities,e.g., people, equipment such as tyvek suits, communications and interfaces, etc.
- Determine effectiveness of current security.
- Identify specific levels of risk for problems delineated.
- Identify interaction effects of organizational assets.
- Review and modify organizational operations to eliminate potential internal threats.
- Develop a strategy to ameliorate all potential external threats.
- Establish a monitoring systemand a risk reassessment schedule.
Help in the Process
It is apparent that doing a risk assessment involves collection of a variety of information, in some cases, “voluminous” data. A number of resources (e.g., a “governmental consultant,” a “systems academic,” an “IT specialist,” a “safety consultant,” etc.) may assist the completion of the risk assessment task. Continuing education for a variety of health and safety professional groups continue to offer coursework on performing risk analysis. Businesses focusing on risk assessment vary from engineering groups, to IT groups, to medical schools, to software companies, etc.
Author Kenneth Overton is a risk management consultant and a former construction supervisor with over 10 years of experience in the industry. He specializes in risk analysis and disaster management. Contact: firstname.lastname@example.org