We know that HITECH/HIPAA compliance requires covered entities and business associates to proactively manage security risks, but what does that mean in practice? In simple terms, it means that healthcare organizations that create, receive, maintain or transmit ePHI must conduct an accurate and thorough risk analysis (45 CFR 164.308(a)(1)(ii)(A)) and then address the risks identified in that exercise through risk management (45 CFR 164.308(a)(1)(ii)(B)).
From a very practical perspective, a completed risk analysis produces a prioritized list of security risks to be addressed with risk mitigation strategies. The classic formula for calculating risk is:
Risk = Impact * Likelihood
First, the organization identifies areas of risk: the systems and media that hold ePHI, the threats to them, and the vulnerabilities those threats could exploit. Each risk is then rated according to its potential impact, or “harm,” to the confidentiality, integrity or availability of ePHI: Low, Medium, High or Critical. The third step is to evaluate the likelihood that any given risk will actually be realized, so that impact and likelihood together yield the risk rating used for prioritization.
In a world with inherently scarce resources, leadership needs this kind of ranked information to direct the design and implementation of risk remediation action plans toward the highest-rated risks first.
And, of course, every step is thoroughly documented, both to guide remediation and to demonstrate to auditors and regulators the measures the organization has taken to safeguard ePHI.
We have assisted more than 400 customers to operationalize and mature their information privacy, security, compliance and information risk management programs. And in the process, we are raising the bar for safeguarding PHI, protecting millions of Americans and driving real value for the organizations we support and the healthcare industry at large.