Security Risk Analysis: Updated Brief Available

The newly revised practice brief “Security Risk Analysis and Management: An Overview (Updated)” is available in the AHIMA Body of Knowledge. Tom Walsh, CISSP, author of the update, notes that the healthcare industry is showing a renewed interest in risk analysis as a result of the meaningful use program.

“Conducting a risk analysis has been a requirement for healthcare organizations since the final HIPAA security rule was released in February 2003,” Walsh says. “However, there is a renewed interest in risk analysis due to the meaningful use stage 1 requirement that covered entities ‘conduct or review a security risk analysis.’”

Even before meaningful use, the Centers for Medicare and Medicaid Services was drawing attention to risk analysis as a result of its 2008 compliance audits.

“CMS found that [covered entities] did not understand the key elements of an effective risk assessment and did not conduct a documented analysis targeted at risks to the confidentiality, integrity, and availability of [electronic protected health information],” Walsh notes. “In some cases, CMS found that although management had identified certain risks within the organization, no formally documented risk assessment covering ePHI risks throughout the organization existed.”

The updated practice brief provides step-by-step guidance on how to conduct a risk analysis based on the NIST publication “Risk Management Guide for Information Technology Systems.”

Walsh says now that covered entities and business associates are required to report breaches affecting 500 or more individuals to the Department of Health and Human Services, the healthcare industry has a clearer understanding of the security risks to PHI based on statistical data. While these data exclude smaller breaches, he notes, they are an improvement on 2003, when there were no sources for determining probability.

1 Comment

  1. According to me, security risk analysis, otherwise known as risk assessment, is fundamental to the security of any organization. It is essential in ensuring that controls and expenditure are fully commensurate with the risks to which the organization is exposed. However, many conventional methods for performing security risk analysis are becoming more and more untenable in terms of usability, flexibility, and criticality.
