Risk assessment to determine the safety of health IT systems has three components: privacy, security and incident response testing.
Rick Kam and Mahmood Sher-Jan, executives at Portland, Ore.-based ID Experts, note that risk assessment involves identifying threats, internal and external vulnerabilities, the harm that could come from exploiting vulnerabilities, and the probability that harm will occur.
A privacy compliance assessment "reveals the gaps between an organization's current protective measures and what the law requires, including the HIPAA Privacy Rule," they write in an article in Government Health IT.
Security includes conducting a security assessment and a risk analysis, according to the article. A security assessment identifies internal and external weaknesses, looks at the IT infrastructure and recommends improvements, the authors say.
Risk analysis "identifies and prioritizes current and emerging risks" to secure data, looking at both technology and workflow, they write. Steps include:
Documenting a prioritized asset inventory including IT assets, data, business processes and facilities.
Identifying threats for each information asset.
Identifying security controls for each asset.
Determining the likelihood of threats could penetrate security controls for each.
Prioritizing risks and determining how to address them.
Documenting the process.
Finally, there's incident response, including simulating attempted breaches to test how well a response plan works, write Kam and Sher-Jan. They say the testing should include:
Evaluation and gap analysis of the incident response plan.
Defining the scope of the simulation.
Tabletop testing including designated members of the response team.
Detailed review and assessment, including determining what adjustments should be made.
The authors cited risk-assessment guidance issued in September by the National Institute of Standards and Technology (NIST) to help the healthcare industry safeguard information contained in electronic health records. The NIST guide provides steps for identifying EHR and health IT threats and vulnerabilities and how to prepare and conduct risk assessments and how to communicate results.
Docs taking unnecessary risks with patients' data, attestation
EHR hackers encrypt files, demand ransom
Fierce exclusive: 10 steps for thwarting EHR hackers