Printer Friendly, PDF & Email

Avoid recreating the wheel: Transparency in risk mitigation

Gerry Blass (gerry@complyassistant.com) is President and CEO at ComplyAssistant in Iselin, NJ. Jason Tahaney (jtahaney@hhsnj.org) is Director, Information Technology at Hunterdon Medical Center in Flemington, NJ.

Did you know a typical healthcare system might perform up to 22 different types of security risk assessments each year? If the system uses a decentralized model, the assessment information is most likely gathered from a wide variety of areas—siloed, and not necessarily actionable. Although the organization is performing due diligence to adhere to the HIPAA Security Rule, is it doing its best to manage risk and resources? Probably not.

Whether or not healthcare organizations are prepared to perform a security risk assessment (SRA) each year, it is a required part of the HIPAA Security Rule[1] and should cover:

  • Size, complexity, and capabilities of the covered entity;

  • The covered entity’s technical infrastructure, hardware, and software security capabilities;

  • The probability and criticality of potential risks to electronic protected health information (ePHI); and

  • The costs of security measures.

Unfortunately, healthcare organizations face immense challenges in performing security risk assessments and actually mitigating risks that are discovered, including:

  • A high volume of risk areas, both inside and outside the four walls of a hospital;

  • Increasing complexity of new, connected technologies;

  • A siloed approach to risk assessments;

  • A lack of transparency or understanding of risk across an enterprise; and

  • Decentralized or unstructured risk ownership.

Because of these challenges, healthcare organizations may be spinning wheels and wasting time, energy, and money trying to make sense of the results of their annual security risk assessments. Imagine if one department discovered and mitigated a data security risk, but another department with the same or similar risk was not aware of the other department’s efforts, and thus created its own risk management project. There is no need to recreate the wheel every time.

This article explores practices to make annual security risk assessments more transparent and actionable to reduce overall enterprise risk.

This document is only available to members. Please log in or become a member