HIPAA/SECURE: Security Q/A
February 2002


"Bare Bones Risk Assessment"

by Eric Maiwald, CISSP, Chief Technology Officer, Fortrex Technologies, Inc.

QUESTION: We are a relatively small hospital (100 beds) with a limited budget. What efforts, at the minimum, should be included in our HIPAA technical security risk assessment? As a follow-up question, will this work require outside security consulting expertise?

ANSWER: The issue that you face (a small organization with a limited budget) is something that we frequently encounter. Since the HIPAA rule will affect a small organization just as it will affect a large one, it is important for you to identify your areas of non-compliance and correct them.

That being said, it is good practice (even if HIPAA did not exist) for your organization to conduct an assessment and identify potential areas of information security risk. In an assessment, the following areas of your organization would be examined:

  • Computers and network technical security measures
  • Physical security around computers and networks
  • Policies and procedures
  • Backups and disaster plans
  • Employee awareness
  • Employee skill levels and workloads
  • The organization's attitude to security
  • The organization's adherence to policy

The result of a risk assessment should be a list of potential risk areas and cost-effective recommendations for managing those risks (keep in mind that risk can never be completely removed, only reduced to a level the organization accepts).

If the assessment is to focus on the HIPAA rule, your organization should add a detailed examination of six key HIPAA areas to the basic assessment. These key areas are:

  • Access Control - how the organization prevents unauthorized individuals from accessing sensitive information
  • Audit - how the organization tracks activity on its systems
  • Authorization Control - how the organization obtains and records permission to disclose sensitive information
  • Data Authentication - how the organization determines whether information has been modified in an unauthorized manner
  • Entity Authentication - how the organization proves that an individual is who he says he is
  • Communication Over Open Networks - how the organization protects sensitive information that is sent over an open network



Fortrex Technologies, a Phoenix Health Systems security partner, provides enterprise security management services and information security process and monitoring services for healthcare and other industries.
www.fortrex.com
