
Managing Technology Risks to Comply with HIPAA

Contact

Rich McRae

406.431.5575

rmcrae@eidebailly.com

Industry guidelines and regulations are increasingly focused on implementing a risk-based approach to management of information security. In reviewing regulations protecting customer information, a common theme is apparent: risk identification and management. Compliance requirements across the medical, insurance, payment card and financial industries each focus on securing data and protecting the IT assets of the organization, with specific emphasis on risk identification and mitigation. Within the medical industry, small health plans (annual receipts of $5 million or less) had until April 2006 to establish security safeguards over electronic transmission of protected health information in accordance with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.

Today, an auditor or security compliance specialist follows a risk-based approach when evaluating a health care organization's information security. This process includes identifying risks, evaluating the existing control procedures, assessing the results, and recommending improvements. From an organizational standpoint, the key question is whether management is aware of the risks and has implemented appropriate measures to mitigate them.

Key elements of a risk assessment should include:

  • IT assets, and how those assets rank by importance to the organization.
  • Risks: threats to the organization, such as loss or unauthorized disclosure of sensitive information.
  • Severity rankings: the financial and reputational impact of each risk on the organization.
  • Key controls and compensating controls: procedures, whether logical or manual, that prevent or detect the risk and mitigate the loss.
  • References to the information security program's policies and procedures.
  • Residual rankings: the remaining risk of loss, assuming the identified controls are functioning as intended.

A risk assessment should be used as a tool by management for maintaining an overall information security program. If properly designed and maintained, the risk assessment can be used by management to scope internal audit functions and define third-party service provider activities.

The key to compliance with the HIPAA Security Rule is understanding what assets (information) need to be protected, identifying the risk environment around these assets, and ensuring these risks are managed on a continual basis. If you have questions or would like to talk to a professional, contact your local Eide Bailly Technology Consultants at 866.324.0968 or by e-mail at techinfo@eidebailly.com.

Action
To mitigate risks to your information, make sure you understand what assets (information) need to be protected, identify the risk environment around these assets, and ensure these risks are managed on a continual basis.