Overview:

This presentation will guide the user on the principles of Risk Analysis and Risk Management to prioritize risks. It will rely heavily on the NIST 800-30 as revised and finalized on 09/18/2012.

The process of risk analysis starts with the simple principle that you must know you have an asset in order to protect it. This presentation will provide information about how to determine where the risks to the organization exist and point organizations to where to look for this information. Once information asset locations have been identified, then the risk and safeguards to that information can be explored.

Risk assessments are a key part of effective risk management and facilitate decision making at all three tiers in the risk management hierarchy including the organization level, network level, and information system level.

Risk Management is a process that provides for the identification, prioritization and management of technical and non-technical risk to the confidentiality, integrity or availability of information. Risks cannot be eliminated; they must be managed appropriately. A key step in security management is risk analysis; that is, identifying threats and vulnerabilities against security controls and measures. A risk analysis allows an organization to estimate potential loss. It also can help determine the most appropriate and cost-effective security measures to implement. After the risk analysis is performed, organizations should implement the safeguards and controls needed to keep risks at an acceptable level as determined by executive management or owner.

Why should you attend: The HIPAA security rule requires every covered entity (CE) to conduct a risk analysis to determine security risks and implement measures "to sufficiently reduce those risks and vulnerabilities to a reasonable and appropriate level." In addition to attest for Meaningful Use and organization must complete a HIPAA Risk Analysis and implement a Risk Management Program. This would include conducting a risk analysis at the organizational, network and application levels.

HITECH EMR Meaningful Use Post-Pay Audits have included a request that organizations provide proof that a risk analysis was performed prior to the end of the reporting period. In addition, they will ask for a risk mitigation plan to address deficiencies and they may request completion dates. It is not the Vendors Responsibility to conduct an application risk analysis; it is the covered entities responsibility. The Meaningful Use guidance has also shown that your risk analysis cannot be limited to just the application.

This session will explore the processes and methods that can assist organizations prioritize IT security projects by addressing the highest risks to the organization. Covered entities must make security decisions on what is appropriate for their specific environment and risk analysis is the tool to ensure that risk mitigation activities are reasonable for a specific environment.

This presentation reviews the regulatory requirements for security risk analysis and management, provides an overview of the types of risk analysis that can be performed, and offers a practical approach on how to comply with these requirements.

Areas Covered in the Session:

• Locate the data, and then conduct a risk analysis


• Define Reasonable By Using NIST and CMS Guidance as a Guide
  • Risk Analysis Steps
    • Identify the scope of the specific analysis
    • Gather Data
    • Identify and document potential threats and vulnerabilities
    • Assess and document current security measures
    • Determine the likelihood of threat occurrence
    • Determine the potential impact of threat occurrence
    • Determine the level of risk
    • Identify potential security measures and finalize documentation
• Risk Management Steps
  • Develop and implement a risk management plan
  • Implement security measures
  • Evaluate (monitor) and maintain security measures
• Risk Mitigation or Acceptance Options

• Define Reasonable by Using the HIPAA Regulation as a Guide
  • The size, complexity, and capabilities of the covered entity
  • The covered entity's technical infrastructure, hardware, and software security capabilities
  • The costs of security measures
  • The probability and criticality of potential risks to EPHI

• Conducting a Risk Analysis Of my Certified EMR
  • What questions should I ask?
  • What Documentation should I retain?
  • Creating a mitigation plan
    

• Information Security Officers
• Compliance Officers
• Chief Information Officers
• Meaningful Use Coordinators