Security Risk Analysis: Updated Brief Available
The newly revised practice brief “Security Risk Analysis and Management: An Overview (Updated)” is available in the AHIMA Body of Knowledge. Tom Walsh, CISSP, author of the update, notes that the healthcare industry is showing a renewed interest in risk analysis as a result of the meaningful use program.
“Conducting a risk analysis has been a requirement for healthcare organizations since the final HIPAA security rule was released in February 2003,” Walsh says. “However, there is a renewed interest in risk analysis due to the meaningful use stage 1 requirement that covered entities ‘conduct or review a security risk analysis.’”
Even before meaningful use, the Centers for Medicare and Medicaid Services was drawing attention to risk analysis as a result of its 2008 compliance audits.
“CMS found that [covered entities] did not understand the key elements of an effective risk assessment and did not conduct a documented analysis targeted at risks to the confidentiality, integrity, and availability of [electronic protected health information],” Walsh notes. “In some cases, CMS found that although management had identified certain risks within the organization, no formally documented risk assessment covering ePHI risks throughout the organization existed.”
The updated practice brief provides step-by-step guidance on how to conduct a risk analysis based on the NIST publication “Risk Management Guide for Information Technology Systems.”
Now that covered entities and business associates are required to report breaches affecting 500 or more individuals to the Department of Health and Human Services, Walsh says, the healthcare industry has a clearer, statistically grounded understanding of the security risks to PHI. While these data exclude smaller breaches, he notes, they are an improvement on 2003, when there were no sources for determining probability.