Friday, May 14, 2010

HHS / OCR Risk Analysis Guidance

http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/radraftguidance.pdf

The Office for Civil Rights (OCR) is responsible for issuing annual guidance on the provisions in the HIPAA Security Rule (45 C.F.R. §§ 164.302 – 318). This series of guidances will assist organizations in identifying and implementing the most effective and appropriate administrative, physical, and technical safeguards to secure electronic protected health information (e-PHI). The guidance materials will be developed with input from stakeholders and the public, and will be updated as appropriate.

MIAOULIS NOTE:  Risk analysis and risk management are the foundation of an information security program.  We all do risk analysis every day; the difference is that the Security Rule requires a documented risk analysis.  Start by listing every risk you know of (lost laptops, employees looking at records they have no need to see, hackers, viruses, unpatched servers, weak passwords, etc.), rate the impact and the likelihood of each, and derive a risk rating (Very High, High, Medium or Low).  Create a plan to reduce the highest-rated risks, work the plan, and revisit the analysis as systems and threats change.
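One way to keep the documented register the note asks for, as an added example (my own code, not part of the OCR guidance or this post): each risk is scored on likelihood and impact, the rating is derived from a likelihood-by-impact matrix, the register is prioritised, and the planned safeguard is recorded with the residual rating it is expected to leave. The four-by-four matrix, the dataclass fields and the sample risks are constructed assumptions; the guidance names the four rating bands but does not prescribe how to combine likelihood and impact.

```python
"""Documented qualitative risk register: score likelihood x impact,
derive a rating (Very High / High / Medium / Low), prioritise, and
track the planned control and residual risk.

Added example. The matrix and the sample risks are assumptions for
illustration, not taken from the OCR guidance.
"""
from dataclasses import dataclass
from typing import List, Optional

# Ordinal scale used for both likelihood and impact (lowest first).
LEVELS = ["Low", "Medium", "High", "Very High"]

# Assumed rating matrix: MATRIX[likelihood][impact] -> rating.
MATRIX = {
    "Low":       {"Low": "Low",    "Medium": "Low",    "High": "Medium",    "Very High": "Medium"},
    "Medium":    {"Low": "Low",    "Medium": "Medium", "High": "High",      "Very High": "High"},
    "High":      {"Low": "Medium", "Medium": "High",   "High": "High",      "Very High": "Very High"},
    "Very High": {"Low": "Medium", "Medium": "High",   "High": "Very High", "Very High": "Very High"},
}


def rate(likelihood: str, impact: str) -> str:
    """Derive the qualitative rating; reject values outside the scale."""
    if likelihood not in LEVELS or impact not in LEVELS:
        raise ValueError(f"likelihood and impact must be one of {LEVELS}")
    return MATRIX[likelihood][impact]


@dataclass
class Risk:
    id: str
    threat: str                 # what could go wrong
    asset: str                  # which e-PHI holding it affects
    likelihood: str
    impact: str
    control: Optional[str] = None             # planned safeguard, if any
    residual_likelihood: Optional[str] = None  # expected after the control
    residual_impact: Optional[str] = None

    @property
    def inherent(self) -> str:
        return rate(self.likelihood, self.impact)

    @property
    def residual(self) -> str:
        # With no control planned, residual risk equals inherent risk.
        if self.control is None:
            return self.inherent
        return rate(self.residual_likelihood or self.likelihood,
                    self.residual_impact or self.impact)


def prioritise(register: List[Risk]) -> List[Risk]:
    """Highest inherent rating first; ties keep register order (stable sort)."""
    return sorted(register, key=lambda r: LEVELS.index(r.inherent), reverse=True)


def work_list(register: List[Risk]) -> List[Risk]:
    """Risks whose residual rating is still High or Very High: the plan is not done."""
    return [r for r in register if LEVELS.index(r.residual) >= LEVELS.index("High")]


# Constructed sample register mirroring the risks named in the note.
SAMPLE = [
    Risk("R1", "Lost or stolen laptop", "Laptops holding e-PHI", "High", "Very High",
         control="Full-disk encryption and remote wipe", residual_impact="Low"),
    Risk("R2", "Employee views records without need", "EHR application", "Medium", "High",
         control="Role-based access and access-log review", residual_likelihood="Low"),
    Risk("R3", "Unpatched internet-facing server", "Patient portal", "High", "High"),
    Risk("R4", "Weak passwords", "All systems", "Very High", "Medium",
         control="Password policy and MFA", residual_likelihood="Low"),
    Risk("R5", "Malware arriving by email", "Workstations", "Medium", "Medium"),
]


def report(register: List[Risk] = SAMPLE) -> List[str]:
    """One line per risk, highest priority first, inherent -> residual rating."""
    return [f"{r.id} {r.inherent:<9} -> residual {r.residual:<9} {r.threat}"
            for r in prioritise(register)]


if __name__ == "__main__":
    print("\n".join(report()))
    print("Still to work:", [r.id for r in work_list(SAMPLE)])
```

The point of the residual columns is the "work the plan" step: a risk only drops off the work list when a named control is recorded against it and the rating it is expected to leave is below High, so the register itself shows what is still open.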
