Risk analysis (a.k.a., risk assessment) is one of the most key components of an organizational risk management. In the healthcare setting, risk analyses identify, prioritize, and estimate risk to organizational operations (i.e., legal, financial, clinical, operational, and reputation), organizational assets, individuals and other organizations, resulting from the operation and use of information assets and media that create, receive, transmit or maintain electronic Protected Health Information (ePHI). Here’s today’s big tip – Learn how to make better security investment decisions!
It takes two things to manage overall HIPAA-HITECH security risk: 1) ensuring compliance with the regulation itself; and, 2) ensuring you are securing your environment based on a solid risk management process. The former requires ongoing, periodic compliance audits, training and attestations, just as one would audit compliance with your code of conduct, internal policies and other regulations. The latter requires detailed due care in determining your unique and specific security exposures. These exposures are known as risks and the process of determining these risks is known as risk analysis.
Risk analyses are required for effective risk management and to inform decision making at all levels in an organization. Furthermore, risk analyses must be ongoing and enduring – a journey not a destination. In the HIPAA Security Rule at 45 CFR 164.308(a)(1)(ii)(A), all Covered Entities and Business Associates are required to:
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
Far too many privacy and security investment decisions are being made in a vacuum, without benefit of risk analysis to facilitate informed decision making. Often times, capital or expense budgeting drives the decision-making process. We spent $X on security this year; on what latest cool tools will we spend $X+ next year? What’s hot? Data Leak Protection? BYOD security? Mobile devices? Secure email? Script kiddies? Big Bad Cyber Black Hats? Securing the cloud? Please!
Seriously, how are these decisions being made in your organization? Risk analysis is a fundamental and foundational step in any security, governance and risk management program.
Governance, in a nutshell, is defining who makes what decisions on what subject matter, how, when and by what informed process. Is your top team truly enabled to carry out its fiduciary responsibilities based on data and facts that result from a comprehensive risk analysis? Or, are you still making security investment decisions based on opinions and emotions?
Risk management requires order, process and discipline. Clearwater Compliance has turned risk analysis into science & engineering (from arts & crafts) with a mature, repeatable and sustainable SaaS application. We invite you to call us for an overview of the service and how we may be able to assist you in making security investment decisions that are right for your organization and demonstrate a return on your security investments.
Clearwater Compliance has developed the most sophisticated, formalized HIPAA Security Risk Analysis™ solution on the market today. Check it out jump-start your security compliance program, make more informed risk management decisions or honorably meet Meaningful Use Stage 1 and Stage 2 Attestation requirements.
Please avail yourself of any of these free resources which you may access now by clicking on the links below:
- Risk Analysis Buyer’s Guide
- Expert 2nd Opinion on Your HIPAA Risk Analysis
- Clearwater Compliance White Paper: Risky Business: How to Conduct a Bona Fide HIPAA Security Risk Analysis
- Clearwater Recorded Webinar event entitled How to Conduct a Bona Fide HIPAA Security Risk Analysis
- IRM|Analysis™- Clearwater’s Risk Analysis and Risk Management software DataSheet
- IRM|Analysis™- Clearwater’s Risk Analysis and Risk Management software Free Trial for qualified organizations
- More Risk Analysis Resources
Latest posts by Bob Chaput (see all)
- HIPAA Risk Analysis Tip – Part 5 – Questions & Answers from May 3rd Conversation with Former OCR Director Leon Rodriguez - June 5, 2017
- HIPAA Risk Analysis Tip – Part 4 – Questions & Answers from May 3rd Conversation with Former OCR Director Leon Rodriguez - May 29, 2017
- HIPAA Risk Analysis Tip – Part 3 – Questions & Answers from May 3rd Conversation with Former OCR Director Leon Rodriguez - May 21, 2017