1. Get Everyone On Board
The first step is to get everyone on board with the risk assessment. If you want it to be comprehensive and thorough, you can’t afford to leave anyone out. Everyone from doctors and nurses to IT professionals and administrators needs to understand what’s happening.
“A Risk Analysis is not an IT ‘project.’ If it is relegated to a single individual or department to complete, the results and impacts will not be understood by those that are most affected,” says Rich Curtiss, an expert in the field and one of Clearwater’s principal consultants. “It is an organizational responsibility and requires multiple stakeholder involvement to be successful. Critical to the success is the participation by key operational personnel within the organization. The IT infrastructure lies unseen and nebulous to most operational professionals, but when they start seeing the impact of potential, inappropriate use of IT assets and procedures, it makes an impact. Stakeholders should include the Board of Directors, C-Suite, Medical Staff Services, Compliance, Audit, Physical Security, Cybersecurity, IT and Supply Chain.”
Once you’ve identified the correct stakeholders, you can move forward with the assessment and begin focusing on how to run the most effective and complete analysis possible.
2. Identify the Scope
The second step is to identify the scope of the assessment with those involved. Take into account all electronic patient health information your organization develops, sends, receives, or otherwise maintains. Any aspect of your organization that touches health information needs to be included in the scope of the assessment.
3. Gather All Data
The third step requires you to gather all relevant data, records, files, and information. If you’ve adequately identified the scope and noted all areas of your organization that are involved with electronic patient health information, this step is much easier.
Gathering information will look different in every situation but typically involves manually downloading files, conducting interviews, and consolidating information from various sources. You’ll also find it helpful to classify this data as you gather it. When conducting steps four and five, it’s helpful to know whether each piece of information is public, confidential, or highly confidential.
4. Assess Current Security Measures
Now it’s time to assess the current security and privacy measures you have in place. These differ in every organization but always include both technical and nontechnical measures. Technical security measures are things such as login requirements, data encryption methods, and audit controls. Nontechnical security measures include company policies and procedures, physical security measures, and patient interaction guidelines.
5. Identify Risks and Determine Impact
The next step requires you to identify potential pitfalls and risks and then determine the impact these threats could have on your organization. In other words, you need to understand which threats your organization is exposed to and how significant an impact they could have if they materialize. During this step, you should also determine the likelihood of each threat occurring.
6. Document Absolutely Everything
Simply conducting a risk analysis isn’t enough. If you want to protect your organization, adhere to HIPAA guidelines, and safeguard private information, you need to continually reevaluate your organization and the potential risks it faces. Circumstances change over time, and it’s up to you to stay on top of what’s happening in and around your organization.
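As an added example (not code from the original article or from Clearwater), the following Python risk register ties steps three, five and six together: it carries the public / confidential / highly confidential classification gathered in step three, scores each threat against an asset by likelihood and impact as step five describes, and writes the ranked result out as a structured record for the documentation step. The 1 to 5 scales, the classification weights, the rating thresholds and every asset and threat listed are assumptions constructed for illustration, not a HIPAA-prescribed scheme.

```python
"""Minimal risk register for a HIPAA-style risk analysis (added example).

The scoring scheme (likelihood x impact, weighted by data classification)
and all sample assets and threats are assumptions for illustration.
"""
from dataclasses import dataclass, field, asdict
import json

# Assumed: more sensitive data raises the effective impact of a threat.
CLASSIFICATION_WEIGHT = {"public": 1.0, "confidential": 1.5, "highly confidential": 2.0}

# Assumed rating thresholds, checked from highest to lowest.
RATING_BANDS = [(25, "critical"), (15, "high"), (8, "medium"), (0, "low")]


@dataclass
class Asset:
    name: str
    classification: str  # "public", "confidential" or "highly confidential" (step 3)
    owner: str           # stakeholder accountable for the asset (step 1)


@dataclass
class Threat:
    description: str
    likelihood: int                      # 1 (rare) .. 5 (almost certain)
    impact: int                          # 1 (negligible) .. 5 (severe)
    existing_controls: list = field(default_factory=list)  # findings from step 4


@dataclass
class RiskEntry:
    asset: str
    owner: str
    threat: str
    likelihood: int
    impact: int
    score: float
    rating: str
    controls: list


def validate_scale(value, name):
    """Reject ratings outside the assumed 1..5 scale instead of scoring garbage."""
    if not isinstance(value, int) or not 1 <= value <= 5:
        raise ValueError(f"{name} must be an integer from 1 to 5, got {value!r}")
    return value


def score_risk(asset: Asset, threat: Threat) -> RiskEntry:
    """Score = likelihood x impact x classification weight (assumed formula)."""
    likelihood = validate_scale(threat.likelihood, "likelihood")
    impact = validate_scale(threat.impact, "impact")
    weight = CLASSIFICATION_WEIGHT[asset.classification]
    score = likelihood * impact * weight
    rating = next(label for threshold, label in RATING_BANDS if score >= threshold)
    return RiskEntry(asset.name, asset.owner, threat.description, likelihood,
                     impact, score, rating, list(threat.existing_controls))


def build_register(assets, threats_by_asset):
    """Score every (asset, threat) pair and rank highest risk first."""
    entries = [score_risk(a, t) for a in assets for t in threats_by_asset.get(a.name, [])]
    return sorted(entries, key=lambda e: e.score, reverse=True)


def export_register(entries) -> str:
    """Structured record of the analysis for the documentation step."""
    return json.dumps([asdict(e) for e in entries], indent=2)


# Constructed sample data; none of it describes a real organization.
SAMPLE_ASSETS = [
    Asset("EHR database", "highly confidential", "IT"),
    Asset("Patient portal", "confidential", "Compliance"),
    Asset("Public website", "public", "Marketing"),
]
SAMPLE_THREATS = {
    "EHR database": [
        Threat("Unauthorized access via shared clinician login", 4, 5, ["password policy"]),
        Threat("Backup media lost in transit", 2, 5, ["encrypted backups"]),
    ],
    "Patient portal": [Threat("Staff credentials phished", 3, 4, ["security awareness training"])],
    "Public website": [Threat("Website defacement", 3, 2, ["web application firewall"])],
}

if __name__ == "__main__":
    print(export_register(build_register(SAMPLE_ASSETS, SAMPLE_THREATS)))
```

Because the register is just data, it can be re-run whenever circumstances change, which is what the closing paragraph asks for: update the likelihood or impact ratings, regenerate the ranked output, and keep the previous export alongside it as the record of what was assessed and when.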