We recently reported that the National Institute of Standards and Technology (NIST) has published Special Publication 800-30 Revision 1, Guide for Conducting Risk Assessments. This past week, Healthcare InfoSecurity’s Eric Chabrow interviewed Dr. Ron Ross, the father of the NIST Cybersecurity Framework and author of most of NIST’s risk management Special Publications. Here’s today’s big tip: learn from Dr. Ross!
Listen to NIST’s Ron Ross on Risk Analysis
The insightful interview by Eric Chabrow can be found here: Ron Ross on New Risk Assessment Guide.
For those in health care, HHS/OCR issued risk analysis guidance on completing a bona fide HIPAA Security Risk Analysis in July 2010. This guidance, in turn, references the NIST Security Framework and several related documents. Since the publication of the HHS/OCR risk analysis guidance, the NIST risk management approach has been updated.
- Special Publication 800-30 has been revised to provide guidance on risk assessment as a supporting document to Special Publication 800-39.
- This brand new SP800-39 publication takes over the “big picture” view of the overall four-step Risk Management process.
- The new SP800-30 Revision 1, focuses on risk assessment, step one in the risk management process.
- And NIST SP800-53 Revision 3 Final, Recommended Controls for Federal Information Systems and Organizations, is invoked in the overall process. As we speak, this catalog of ~600 controls is undergoing revision, and Revision 4 is expected to be published in 4Q2012.
While the NIST Security Framework is designed for government organizations, there is still much for healthcare Covered Entities, Business Associates and their Agents/Subcontractors to leverage within SP800-30 Revision 1. As Dr. Ross states in the interview, no single organization is expected to consider every one of the ~600 controls in NIST SP800-53 Revision 3 Final. The overall framework is designed so that organizations select the controls they need to protect the information assets in their environment. The NIST Security Framework is not “one-size-fits-all”. It is designed to scale up and down to enable organizations to complete a risk analysis in a cost-effective manner.
Check out how we have brought NIST SP 800-30, 800-37, 800-53, etc. to life in Clearwater HIPAA Security Risk Analysis™, the only SaaS solution on the market!
Please avail yourself of any of these free resources which you may access now by clicking on the links below:
- Risk Analysis Buyer’s Guide
- Expert 2nd Opinion on Your HIPAA Risk Analysis
- Clearwater Compliance White Paper: Risky Business: How to Conduct a Bona Fide HIPAA Security Risk Analysis
- Clearwater Recorded Webinar event entitled How to Conduct a Bona Fide HIPAA Security Risk Analysis
- IRM|Analysis™ – Clearwater’s Risk Analysis and Risk Management software Data Sheet
- IRM|Analysis™ – Clearwater’s Risk Analysis and Risk Management software Free Trial for qualified organizations
- More Risk Analysis Resources