NIST guide helps health organizations conduct risk analyses

The National Institute of Standards and Technology has taken another step to help the healthcare industry safeguard information contained in electronic health records, issuing a guide to help organizations conduct risk assessments.

The publication outlines a step-by-step process to identify both threats and vulnerabilities within EHRs and other information technology, including:

  • how to prepare for risk assessments;

  • how to conduct risk assessments;

  • how to communicate risk assessment results to key organizational personnel; and

  • how to maintain the risk assessments over time.

The guide is written broadly, and can be used not only by healthcare organizations but also by financial institutions, government agencies and other entities, according to NIST's announcement.

"With the increasing breadth and depth of cyber attacks ... risk assessments provide important information to guide and inform the selection of appropriate defensive measures so organizations can respond effectively to cyber-related risks," Ron Ross, NIST fellow and one of the guide's authors, said in the announcement.

Conducting a risk analysis is one of the core measures listed for the first two stages of Meaningful Use. It's also a requirement of HIPAA's security rule.

NIST has previously expressed concern about EHRs, not only about their security but also about their usability, launching an initiative to voluntarily test existing EHR systems and issuing guidance for evaluating their use in pediatric care.
