


HIPAAnotes Volume One, December 2001

No. 55 HIPAAdetail: Gap and Risk Analysis: Get Started Now – and Not Just for HIPAA’s Sake!

Has your organization performed a security gap analysis? If not, according to many security experts, it is likely that your organization’s confidential information is much more vulnerable to intrusion and damage than you think – in addition to being out of sync with HIPAA’s security requirements.

What does a security gap analysis entail? It determines the current state of your organization’s environment relative to the HIPAA security requirements. First, document your “baseline” environment: your current computer and communications systems, and the security-related policies, processes, practices and technology that surround them. The scope should include off-site entities as well as on-site departments, and don’t forget to review your existing physical security measures. The deficiencies between that baseline and the HIPAA regulatory requirements are the "gap."

How does a security risk assessment fit into a HIPAA gap analysis? An internal risk assessment identifies the nature, extent, and seriousness of the security threats to your organization and the related vulnerabilities that bear on HIPAA compliance. Properly done, the risk assessment points your organization to its HIPAA priorities and toward the most cost-effective solutions for protecting confidential health information. The organization must ask the same question of each identified threat: Is the cost of mitigating this vulnerability acceptable in relation to the consequence of leaving it unmitigated? The magnitude of risk is measured in potential loss of, and damage to, data that is vital to your healthcare operations, as well as legal liability and penalties for not meeting HIPAA security requirements.

Sound like a daunting task? If your organization does not have a security professional on staff, you may need to enlist outside security consulting support. You should also consider using the many security Web resources that are available, beginning with our own http://www.hipaadvisory.com, the excellent http://www.nist.gov, and http://www.cert.org.


No. 56 HIPAAdetail: Where Is Your Documented Contingency and Recovery Plan?

Many organizations practice back-up and recovery processes but have no documented plan in place. Does yours? If so, is it up-to-date, and do the right people know where to find it?

The key features of a contingency plan as required by the proposed HIPAA security regulation include:

  • Applications and data criticality analysis

  • Data backup plan that is documented and periodically updated

  • Disaster recovery plan enabling the organization to restore data that has been lost

  • Emergency mode operation plan that enables continuation of business operations in the event of fire, vandalism, natural disaster, system failure, etc.

  • Testing and revision procedures

While the security regulation's primary focus is on protecting the confidentiality of information, the purpose of the contingency plan is to ensure that accurate data needed for your healthcare operations is always available. Your contingency plan should ensure that your organization is adequately prepared if the integrity or availability of system data is threatened or compromised.

When developing a contingency plan, it is important to prioritize a subset of your applications and data. In the event of a disaster, it is unlikely that your organization will be able to run every system in your current production environment. Contingency plan priorities should therefore be determined on the basis of the organization's business goals and mission, and should be reviewed and revised periodically.

While regularly scheduled back-ups are good business practice, under HIPAA they must be documented and the documentation updated on a routine basis. A written disaster recovery plan should include emergency mode alternate-site processing strategies. Depending on the size of your operation, it might include a ready-to-go "hot site" where information processing can continue at another location. Consider issues such as system recovery, communication trees, staffing and transportation. Ongoing periodic testing and revision procedures will keep the contingency plan current and effective.

For more on disaster readiness, go to:
http://www.hipaadvisory.com/action/Security/#disred

http://www.hipaadvisory.com/tech/

Read the proposed security standards.





HIPAAdvisory.com
Phoenix Health Systems
Copyright 2000-2006. All rights reserved.
