With the Meaningful Use timeline under way and its Risk Assessment requirement in force (“perform a security risk analysis, apply security updates as needed, and remediate any problems that the risk analysis discovers”), more and more organizations are looking into Privacy and Security Risk Assessments and Incident Response Planning and Testing.
Rick Kam and Mahmood Sher-Jan, executives at Portland, Ore.-based ID Experts, note that risk assessment involves identifying threats, internal and external vulnerabilities, the harm that could come from exploiting vulnerabilities, and the probability that harm will occur.
A privacy compliance assessment “reveals the gaps between an organization’s current protective measures and what the law requires, including the HIPAA Privacy Rule,” they write in an article in Government Health IT.
Risk analysis “identifies and prioritizes current and emerging risks” to secure data, looking at both technology and workflow, they write. Steps include:
- Documenting a prioritized asset inventory including IT assets, data, business processes and facilities.
- Identifying threats for each information asset.
- Identifying security controls for each asset.
- Determining the likelihood that those threats could penetrate the security controls for each asset.
- Prioritizing risks and determining how to address them.
- Documenting the process.
Finally, there’s incident response, including simulating attempted breaches to test how well a response plan works, write Kam and Sher-Jan. They say the testing should include:
- Evaluation and gap analysis of the incident response plan.
- Defining the scope of the simulation.
- Tabletop testing including designated members of the response team.
- Detailed review and assessment, including determining what adjustments should be made.
If you have taken or plan to take Meaningful Use money, this is a requirement you don’t want to overlook, especially after the report that the “OIG calls for random pre-payment audits and EHR certification changes.”