HIPAA/SECURE:
Security Q/A
March 2003
"Risk Analysis -- The New Key to HIPAA Security"
by Eric Maiwald, CISSP, CTO,
Fortrex Technologies, Inc.
I am going to deviate from the standard question-and-answer format
of this regular column to discuss a topic that is especially important
in light of the final HIPAA security rule's publication. It is clear
that some of the most significant changes from the proposed rule
are in the area of appropriateness of security mechanisms. In many
areas, the rule tells the organization to examine its security risks
and to implement those mechanisms that are appropriate to
that particular organization.
What this means for covered entities that must implement the new security
rule is that risk analysis and assessment are the key to properly
deploying security and to being in compliance with the new rule.
In fact, the rule begins by speaking of the flexibility of its approach,
in section 164.306(b). The rule tells organizations to take
into account the cost of the security measures and the potential
risks to the information. The process for doing so is a risk assessment.
This is a major change from the proposed rule, which specified which
measures had to be implemented. Now the organization has the ability
to determine whether parts of the new rule are appropriate for its
environment.
To further show the importance of the risk assessment, let's take
a look at another key change in the security rule: the distinction
between "required" and "addressable" implementation specifications.
Obviously, if a security component is required by the rule - and
many are - it must be implemented. On the other hand, the new rule
also provides for "addressable" components, which offer
flexibility to covered entities. The organization gets to decide
whether the addressable component is reasonable and appropriate in its
environment, or whether there is a better way to implement that type of control.
The final rule offers new flexibility, but the organization must
document the reasons why an "addressable" component was
not implemented. Where the organization chooses not
to implement a component, it must show why the component
is not reasonable or appropriate, and it must implement an equivalent
alternative measure if one is reasonable and appropriate. The best way to
demonstrate this is through a risk assessment. The organization can use the risk
assessment results as its rationale for not implementing the security
component. Risk assessments (when properly performed) show us exactly
where the risk areas are and what mechanisms should be implemented
to address these risks. Or, conversely, they provide the documentation
necessary to show why something is not necessary. Note that the rule
itself makes risk analysis a required implementation specification under
the security management process standard, so these results must exist in
any case; the question is only how well they are used.
One final note about risk assessments: they are
not a one-time event. The security rule emphasizes this. Every organization
must periodically analyze its security in response to changes in
operations and in its environment. This means that the risk
to the organization must be reevaluated when changes occur. Overall,
the new security rule pushes all organizations to establish a risk
assessment program and methodology so that the organization is reviewed
and its risks are identified today. Follow-up risk assessments must
be included in this program so that changes to the organization
are identified along with any changes in the risk profile of the
organization. Finally, new software and hardware systems that are
put in place should be analyzed and assessed before they go live
to determine whether they change the risk profile
and thus require additional security controls.
Overall, this change to the security rule should be viewed as a
positive, providing greater opportunity for covered entities to
customize security solutions to their particular environments, budgets
and security needs.
Eric Maiwald, CISSP, is Chief Technology Officer of Fortrex Technologies,
which provides information security management, process and
monitoring services for healthcare organizations and other industries.
He can be reached at maiwalde@fortrex.com.
www.fortrex.com