Risk analysis (a.k.a. risk assessment) is one of the key components of organizational risk management. In the healthcare setting, risk analyses identify, prioritize, and estimate risk to organizational operations (i.e., legal, financial, clinical, operational, and reputational), organizational assets, individuals, and other organizations, resulting from the operation and use of information assets and media that create, receive, transmit, or maintain electronic Protected Health Information (ePHI). Here's today's big tip: learn how to make better security investment decisions!

It takes two things to manage overall HIPAA-HITECH security risk: 1) ensuring compliance with the regulation itself; and 2) ensuring you are securing your environment based on a solid risk management process. The former requires ongoing, periodic compliance audits, training, and attestations, just as one would audit compliance with your code of conduct, internal policies, and other regulations. The latter requires detailed due care in determining your unique and specific security exposures. These exposures are known as risks, and the process of determining them is known as risk analysis.

Risk analyses are required for effective risk management and to inform decision making at all levels of an organization. Furthermore, risk analyses must be ongoing and enduring: a journey, not a destination. Under the HIPAA Security Rule at 45 CFR 164.308(a)(1)(ii)(A), all Covered Entities and Business Associates are required to:

Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

Far too many privacy and security investment decisions are being made in a vacuum, without the benefit of a risk analysis to facilitate informed decision making. Oftentimes, capital or expense budgeting drives the decision-making process. We spent $X on security this year; on what latest cool tools will we spend $X+ next year? What's hot? Data Leak Protection? BYOD security? Mobile devices? Secure email? Script kiddies? Big Bad Cyber Black Hats? Securing the cloud? Please!

Seriously, how are these decisions being made in your organization? Risk analysis is a fundamental and foundational step in any security, governance, and risk management program.

Governance, in a nutshell, is defining who makes what decisions on what subject matter, how, when, and by what informed process. Is your top team truly enabled to carry out its fiduciary responsibilities based on the data and facts that result from a comprehensive risk analysis? Or are you still making security investment decisions based on opinions and emotions?

Risk management requires order, process, and discipline. Clearwater Compliance has turned risk analysis into science & engineering (from arts & crafts) with a mature, repeatable, and sustainable SaaS application. We invite you to call us for an overview of the service and how we may be able to assist you in making security investment decisions that are right for your organization and that demonstrate a return on your security investments.

Clearwater Compliance has developed the most sophisticated, formalized HIPAA Security Risk Analysis™ solution on the market today. Check it out to jump-start your security compliance program, make more informed risk management decisions, or honorably meet Meaningful Use Stage 1 and Stage 2 Attestation requirements.

Contact us for more information or to learn about a tailored Clearwater HIPAA Audit Prep WorkShop™ or the Clearwater HIPAA Audit Prep BootCamp™ series.


Bob Chaput

CEO at Clearwater Compliance
Bob Chaput is widely recognized for his extensive and in-depth knowledge of healthcare compliance and cyber risk management, and is one of the industry's leading authorities in healthcare information security today. As a leading authority on safeguarding health data, Chaput has supported hundreds of hospitals and health systems in successfully managing healthcare's evolving cybersecurity threats and ensuring patient safety.