(ii) Implementation specifications:
(B) Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a).
Tell Me More:
The Risk Management implementation specification requires covered entities to implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
Security professionals generally define risk management as a process for identifying, selecting, and implementing controls, countermeasures, reporting, and verification to achieve an appropriate level of risk at an acceptable cost. Effective risk management requires leadership and accountability; without these key attributes, a risk management exercise is generally doomed.
Someone must be accountable and have the ability to make complex and often difficult decisions. This individual will ultimately determine what level of threat and risk is appropriate and acceptable. This individual is also generally able to allocate resources for achieving the target levels.
- NIST SP 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems
- NIST SP 800-30 Risk Management Guide for Information Technology Systems
- NIST SP 800-53, Revision 3 Recommended Security Controls for Federal Information Systems and Organizations
- NIST SP 800-12 chapter 5 An Introduction to Computer Security: The NIST Handbook
- HIPAA Security Risk Analysis Background and Requirements – A White Paper for Healthcare Professionals