Elements of security risk assessment and risk management
Elements of Security Risk Analysis
29 September, 2014
HealthPOINT at Dakota State University
Daniel Friedrich, CISSP, Executive Director, Center for the Advancement of Health Information Technology, Dakota State University
Holly Arends, CHTS-CP, CHSP, Clinical Program Manager, HealthPOINT, Dakota State University
Today’s Focus
• HIPAA Requirements
• Elements of a Security Risk Analysis (SRA)
• Evidence of requirement fulfillment
Requirement
• HIPAA Security Rule, 45 CFR 164.302-318
• Security Management Process, 164.308(a)(1)
  • Conduct Risk Analysis, 164.308(a)(1)(ii)(A)
    • Accurate and thorough assessment
    • Maintain the confidentiality, integrity, and availability of ePHI
  • Create Risk Management Program, 164.308(a)(1)(ii)(B)
    • Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level
HHS Guidance on Risk Analysis Requirements Under HIPAA Security Rule
HHS Guidance Document
• Scope of Analysis
• Data Collection
• Identify and Document Potential Threats and Vulnerabilities
• Assess Current Security Measures
• Determine the Likelihood of Threat Occurrence
• Determine Potential Impact of Threat Occurrence
• Determine Level of Risk
• Finalize Documentation
• Periodic Review and Updates to Risk Assessment
Foundational Work
• Risk Management
• Holistic
• Tied to Organizational Mission
• Risk Assessment is fundamental to Risk Management
Culture of Compliance
Figure: Risk Assessment, Risk Management Plan, Policies and Procedures, Training
Culture of Compliance
Conduct Risk Assessment
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the (organization).
• No specific methodology outlined
Heart of Analysis
Asset
Threat
Vulnerability
Mitigation
Elements of Risk Assessment-Interview
• Based on OCR Audit Protocol
• Potentially Hundreds of questions
Elements of Risk Assessment - Asset Inventory
• Create an Inventory of Relevant Information Systems
  • What type of PHI
  • Who has access
  • Location: onsite, offsite
  • Hardware/Software
  • Vulnerabilities
  • Threats
  • Criticality
  • Security Controls in place
  • Likelihood and Impact
• Update as needed for new or changing systems
Elements of Risk Assessment - On-Site Walk Through
• Physical view of safeguards in place and how they function in real life
Where’s the Evidence?
Final Documentation
• Report
  • Dated and identifies the organization
  • Identifies risks
  • Outlines risks by category
  • Aids in prioritization
What if the Final Report has not been created?
• Ask for a Draft report that may have been sent to the client
• Contact the SRA Vendor to verify dates of SRA
• Vendor to provide a letter of confirmation
Periodic Review and Update
• On significant changes, or at least annually
• Date of Review
• Progress OR Lack of Progress made on Previously Identified Risks
• New Identified Risks
Asset or PHI Inventory
• Scope is identified in this document
• Lists Information Systems
• Identifies
  • Vulnerabilities
  • Safeguards in place
  • The likelihood and impact if a vulnerability is exploited
  • Risk Rating Score/Urgency Score
Sample Asset Inventory (PHI Inventory)

Identification and risk rating:

| Item Name | Type (Hardware, Software, etc.) | Contains ePHI? | Assignee | Probability (P) (Likelihood) (0-3)** | Impact (I) | Impact Score | Risk Rating (P x I) |
|---|---|---|---|---|---|---|---|
| EHR System (product name) | EHR, located at vendor facility | | Vendor ( ) | 2 | Loss of some or all patient data | 3 | 6 |
| Network (product name): Dell LAN server | Local Area Network server located on-site in server room | | Leanne / Stephanie | 2 | HIPAA breach, fines | 6 | 12 |

Safeguards and remediation urgency (vulnerability and safeguard scores are each 0-3):

| Item Name | Vulnerability** Administrative (0-3) | Administrative safeguards in place? | Safeguard Score | Vulnerability** Physical (0-3) | Physical safeguards in place? | Safeguard Score | Vulnerability** Technical (0-3) | Technical safeguards in place? | Safeguard Score | Remediation Urgency |
|---|---|---|---|---|---|---|---|---|---|---|
| EHR System | 2 | Partial | 1 | 2 | Partial | 1 | 2 | Partial | 1 | 36 |
| Dell LAN server | 0 | Yes | 3 | 2 | Partial | 1 | 0 | Yes | 3 | 24 |
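The deck shows the inventory columns and two scored rows but does not state how Risk Rating and Remediation Urgency are computed. The following is an added worked example, not code from the HealthPOINT deck, that scores an inventory laid out with the slide's columns (it also serves the "Asset or PHI Inventory" and "Risk Rating Score" slides). Risk Rating is the P x I product the header names. The urgency rule is an inference from the two sample rows, where each vulnerability score is 3 minus the matching safeguard score and Remediation Urgency equals Risk Rating times the sum of the three vulnerability scores (6 x 6 = 36 and 12 x 2 = 24); treat that rule, the `No` safeguard mapping and the `Asset` field names as assumptions.

```python
"""Score a PHI asset inventory laid out like the sample inventory slide.

Added example; not code from the HealthPOINT deck. Column names follow the
slide. The urgency rule (risk rating times the sum of the three vulnerability
scores) is inferred from the two sample rows and is an assumption, as is the
"No" safeguard mapping, which the slide does not show.
"""
from __future__ import annotations

from dataclasses import dataclass

MAX_SCORE = 3
DOMAINS = ("administrative", "physical", "technical")

# Safeguard status -> safeguard score (0-3). "Yes" -> 3 and "Partial" -> 1 are
# read off the slide's rows; "No" -> 0 is an assumption.
SAFEGUARD_SCORE = {"Yes": 3, "Partial": 1, "No": 0}


@dataclass(frozen=True)
class Asset:
    item: str
    asset_type: str
    assignee: str
    probability: int        # likelihood, 0-3 per the slide header
    impact: str             # narrative impact, e.g. "HIPAA breach, fines"
    impact_score: int       # the slide's impact scale is not bounded (a 6 appears)
    safeguards: dict        # domain -> "Yes" | "Partial" | "No"

    def __post_init__(self) -> None:
        # Reject rows that would silently distort the prioritization.
        if not 0 <= self.probability <= MAX_SCORE:
            raise ValueError(f"{self.item}: probability must be 0-{MAX_SCORE}")
        if self.impact_score < 0:
            raise ValueError(f"{self.item}: impact score must be non-negative")
        if set(self.safeguards) != set(DOMAINS):
            raise ValueError(f"{self.item}: need exactly the domains {DOMAINS}")
        bad = [s for s in self.safeguards.values() if s not in SAFEGUARD_SCORE]
        if bad:
            raise ValueError(f"{self.item}: unknown safeguard status {bad}")


def safeguard_score(status: str) -> int:
    return SAFEGUARD_SCORE[status]


def vulnerability_score(status: str) -> int:
    # Residual exposure in a domain is the complement of its safeguard score.
    return MAX_SCORE - SAFEGUARD_SCORE[status]


def risk_rating(asset: Asset) -> int:
    # The slide's "Risk Rating (P x I)" column.
    return asset.probability * asset.impact_score


def remediation_urgency(asset: Asset) -> int:
    # Risk rating weighted by total residual vulnerability across the domains.
    total_vuln = sum(vulnerability_score(s) for s in asset.safeguards.values())
    return risk_rating(asset) * total_vuln


def score_inventory(assets: list[Asset]) -> list[dict]:
    """One scored row per asset, most urgent first.

    An asset whose safeguards are all "Yes" gets urgency 0 whatever its risk
    rating, so the rating is the secondary sort key: a high-rating but
    well-protected asset still lists above low-rating ones for review.
    """
    rows = []
    for a in assets:
        rows.append({
            "item": a.item,
            "assignee": a.assignee,
            "risk_rating": risk_rating(a),
            "urgency": remediation_urgency(a),
            **{f"{d}_vuln": vulnerability_score(a.safeguards[d]) for d in DOMAINS},
        })
    return sorted(rows, key=lambda r: (r["urgency"], r["risk_rating"]), reverse=True)


# Constructed sample rows, transcribed from the slide's inventory.
SAMPLE_INVENTORY = [
    Asset("EHR System", "EHR, located at vendor facility", "Vendor", 2,
          "Loss of some or all patient data", 3,
          {"administrative": "Partial", "physical": "Partial", "technical": "Partial"}),
    Asset("Dell LAN server", "LAN server on-site in server room", "Leanne / Stephanie", 2,
          "HIPAA breach, fines", 6,
          {"administrative": "Yes", "physical": "Partial", "technical": "Yes"}),
]

if __name__ == "__main__":
    for row in score_inventory(SAMPLE_INVENTORY):
        print(f"{row['item']:<16} rating={row['risk_rating']:>3} urgency={row['urgency']:>3}")
```

Running the block reproduces the slide's 6/36 and 12/24 for the two rows. Note the consequence of the inferred rule: a fully safeguarded asset scores zero urgency however large its risk rating, which is why the sort falls back on the rating and why the rating column should stay in the report alongside urgency.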
Risk Rating Score
• Threat
• Vulnerability
• Likelihood
• Impact
Asset
Threat
Vulnerability
Mitigation
Risk Management Plan
• Identified Risks
• Action Plan
• Responsible Person(s)
• Actions Taken
• Goal dates
• Resolved Dates
Sample Risk Management Plan

| Risk Identified | Level of Risk | Date Identified | Responsible Party | Mitigation Strategy | Goal Date | Actions (what has been done, what planning has been done, etc.) | Resolved Date |
|---|---|---|---|---|---|---|---|
| No policies or procedures present that require a risk assessment to be done, or define its scope, nature, and frequency. | High | 07/04/05 | Administration: Risk Manager / Quality Manager | Risk Manager to write policy and procedure | 12/01/13 | 5/3/2013: Risk Manager has drafted a policy, which is being reviewed by medical staff at the June 2013 meeting. 6/27/2013: Medical staff have reviewed it and requested changes. 10/1/2013: Risk Manager has made the changes to the policy, which will be reviewed at the November medical staff meeting. | |
The Risk Web
SRA
Communications
Policy Changes
Training Events
Personnel Files
Tangible Changes
Update/review of SRA
Wrap Up
• Comprehensive and Thorough
• Finalized Documentation
• Review/Update no less than annually
Thank you!
www.healthpoint.dsu.edu
605.256.5555