For week 7 we are learning the risk management life cycle, and I chose to research current trends in risk management in the IT industry. Risk analysis and management are essential topics in the IT industry, because the assessed risk determines the implementation approach and timelines. A risk assessment helps organizations ensure they comply with regulatory mandates. Measured against baseline risk management standards, risk analysis determines how the safeguards contained in the Security Rule are implemented; it is therefore one of the core steps of the security management process.
A risk analysis process includes, but is not limited to, the following activities:
1) Calculate the likelihood and impact of the potential risks to sensitive personal health information (risk score calculation).
2) Identify the appropriate security framework to address the risks identified during risk analysis.
3) Document the security framework and the compliance status of the infrastructure.
4) Maintain continuous, reasonable, and appropriate security protections.
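The risk score calculation in step 1, and the effect of the safeguards chosen in step 2, as an added example that is not part of the original post. It assumes 1..5 ordinal scales for likelihood and impact, a score of likelihood times impact banded into low/medium/high, and a constructed sample register; each safeguard is recorded as the number of scale steps it removes from likelihood and impact so that a residual score can be compared with the inherent one.

```python
from dataclasses import dataclass, field

# Assumed 1..5 ordinal scales (1 = rare / negligible, 5 = almost certain / severe);
# score = likelihood x impact, banded into three qualitative ratings.
BANDS = (("low", 1, 5), ("medium", 6, 12), ("high", 13, 25))

@dataclass
class Risk:
    name: str
    likelihood: int
    impact: int
    # each safeguard: (name, likelihood steps removed, impact steps removed)
    safeguards: list = field(default_factory=list)

def score(likelihood: int, impact: int) -> int:
    """Inherent risk score; rejects values outside the 1..5 scale."""
    if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
        raise ValueError("likelihood and impact must be on the 1..5 scale")
    return likelihood * impact

def rating(s: int) -> str:
    """Map a numeric score onto its qualitative band."""
    for name, lo, hi in BANDS:
        if lo <= s <= hi:
            return name
    raise ValueError(f"score {s} outside 1..25")

def residual_score(risk: Risk) -> int:
    """Score after safeguards are applied; a reduction never pushes a value below 1."""
    like = max(1, risk.likelihood - sum(dl for _, dl, _ in risk.safeguards))
    imp = max(1, risk.impact - sum(di for _, _, di in risk.safeguards))
    return score(like, imp)

def prioritize(register: list) -> list:
    """Rank risks by inherent score; each row carries inherent and residual ratings."""
    rows = [(r.name, score(r.likelihood, r.impact), residual_score(r)) for r in register]
    rows.sort(key=lambda row: row[1], reverse=True)
    return [(n, s, rating(s), rs, rating(rs)) for n, s, rs in rows]

# Constructed sample register (illustrative values, not from any real assessment).
REGISTER = [
    Risk("Unencrypted laptop holding PHI", 4, 5, [("Full-disk encryption", 0, 3)]),
    Risk("Shared administrator credentials", 3, 4, [("Role-based access", 2, 1)]),
    Risk("Audit logs never reviewed", 5, 2),
]

if __name__ == "__main__":
    for row in prioritize(REGISTER):
        print("%-34s inherent %2d (%s)  residual %2d (%s)" % row)
```

A risk whose residual rating stays at medium or high after its safeguards (here, the unreviewed audit logs) is the one the ongoing review in the next paragraph should revisit first.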
Risk analysis should be an ongoing process, in which a covered entity regularly reviews its records to track access to systems and detect security incidents, periodically evaluates the effectiveness of the security measures put in place, and regularly reevaluates potential risks to information. With a secure system and environment, organizations can achieve their business goals. Every application that handles the protected information needs to be covered by a strong security plan. The following are some of the security rules that organizations can adopt to safeguard their systems and assets:
• Implement Security Management Process: Organizations have to perform a risk analysis and implement security measures that reduce the risks and vulnerabilities to organizational assets and infrastructure.
• Assign Security Personnel: A security official responsible for developing and implementing the organization's security policies and procedures has to be assigned.
• Information Access Management: Security measures have to be implemented to safeguard access to information. Policies and standards help maintain access management for employees, external partners and other parties.
• Workforce Training and Management: Organizations must train all workforce members on their security policies and procedures, and must have and apply appropriate sanctions against workforce members who violate them.
• Evaluation: How well security policies and procedures meet the requirements of the Security Rule has to be assessed periodically, and the necessary updates have to be documented.
• Facility Access and Control: Access to physical facilities has to be restricted to authorized persons.
• Workstation and Device Security: Organizations must implement policies and procedures that specify proper use of, and access to, workstations and electronic media. Enterprises must also have policies and procedures in place for the transfer, removal, disposal and re-use of electronic media, to ensure appropriate protection of electronic protected health information.
• Access Control: Organizations must implement technical policies and procedures that allow only authorized persons to access electronic protected health information. Access to software and systems has to be role-based.
• Audit Controls: Organizations must implement hardware, software and/or procedural mechanisms to record and examine access and other activity in information systems that contain or use personal information. Internal and external audits help maintain the organization's reliability and its compliance with applicable laws.