NIST guide helps health organizations conduct risk analyses

The National Institute of Standards and Technology has taken another step to help the healthcare industry safeguard information contained in electronic health records, issuing a guide to help organizations conduct risk assessments.

The publication outlines a step-by-step process to identify both threats and vulnerabilities within EHRs and other information technology, including:

  • how to prepare for risk assessments;
  • how to conduct risk assessments;
  • how to communicate risk assessment results to key organizational personnel; and
  • how to maintain the risk assessments over time.

The guide is written broadly and can be used not only by healthcare organizations but also by financial institutions, government agencies and other entities, according to NIST's announcement.

"With the increasing breadth and depth of cyber attacks ... risk assessments provide important information to guide and inform the selection of appropriate defensive measures so organizations can respond effectively to cyber-related risks," Ron Ross, NIST fellow and one of the guide authors, said in the announcement.

Conducting a risk analysis is one of the core measures listed for the first two stages of Meaningful Use. It's also a requirement of HIPAA's security rule.

NIST has previously expressed concern about EHRs, not only for their security but also for their usability, launching an initiative to voluntarily test existing EHR systems and issuing guidance for evaluating their use in pediatric care.

To learn more:
- read the announcement
- here's the guide
