Overview:

This presentation will guide the user on the principles of Risk Analysis and Risk Management to prioritize risks. It will rely heavily on the NIST 800-30 as revised and finalized on 09/18/2012.

The process of risk analysis starts with the simple principle that you must know you have an asset in order to protect it. This presentation will provide information about how to determine where the risks to the organization exist and point organizations to where to look for this information. Once information asset locations have been identified, then the risk and safeguards to that information can be explored. Risk assessments are a key part of effective risk management and facilitate decision making at all three tiers in the risk management hierarchy including the organization level, mission/business process level, and information system level.

This presentation will explore risks at all levels including network, application and organizational risks.

Why should you attend: The HIPAA security rule requires every covered entity (CE) to conduct a risk analysis to determine security risks and implement measures "to sufficiently reduce those risks and vulnerabilities to a reasonable and appropriate level." In addition to attest for Meaningful Use and organization must complete a HIPAA Risk Analysis and implement a Risk Management Program. All levels of the organizations must be involved in security and Risk Analysis / Risk Management provides the mechanism to ensure organizations prioritize risk appropriately and address the highest risk to the confidentiality, integrity and availability of electronic Protected Health Information.

There are processes and methods that can assist organizations prioritize IT security projects which address the highest risks to the organization.
Covered entities must make security decisions on what is appropriate for their specific environment and risk analysis is the tool to ensure that risk mitigation activities are reasonable for a specific environment.

This presentation reviews the regulatory requirements for security risk analysis and management, provides an overview of the types of risk analysis that can be performed, and offers a practical approach on how to comply with these requirements.

Areas Covered in the Session:

• Locate the data, and then conduct a risk analysis.
• Define Reasonable By Using NIST and CMS Guidance as a Guide
  • Risk Analysis Steps
    • Identify the scope of the specific analysis;
    • Gather Data
    • Identify and document potential threats and vulnerabilities;
    • Assess and document current security measures;
    • Determine the likelihood of threat occurrence;
    • Determine the potential impact of threat occurrence;
    • Determine the level of risk; and
    • Identify potential security measures and finalize documentation
  • Risk Management Steps
    • Develop and implement a risk management plan;
    • Implement security measures; and
    • Evaluate (monitor) and maintain security measures.
  • Risk Mitigation or Acceptance Options
• Define Reasonable by Using the HIPAA Regulation as a Guide:
  • The size, complexity, and capabilities of the covered entity
  • The covered entity's technical infrastructure, hardware, and software security capabilities
  • The probability and criticality of potential risks to EPHI

Who Will Benefit:

• Information Security Officers
• Compliance Officers
• Chief Information Officers

Educational Objectives(S)
Upon completion of this activity, participants will be able to:

• Explain the principles of Risk Analysis and Risk Management to prioritize risks.

CME Credit Statement
This activity has been planned and implemented in accordance with the Essential Areas and Policies of the Accreditation Council for Continuing Medical Education (ACCME) through the joint sponsorship of CFMC and MentorHealth. CFMC is accredited by the ACCME to provide continuing medical education for physicians.

CFMC designates this educational activity for a maximum of 1.25 AMA PRA Category 1 Credits™. Physicians should only claim credit commensurate with the extent of their participation in the activity.

Other Healthcare Professionals Credit Statement
This educational activity has been planned and implemented following the administrative and educational design criteria required for certification of health care professions continuing education credits. Registrants attending this activity may submit their certificate along with a copy of the course content to their professional organizations or state licensing agencies for recognition for 1.25 hours.

Disclosure Statement
It is the policy of CFMC and MentorHealth that the faculty discloses real or apparent conflicts of interest relating to the topics of the educational activity. All members of the faculty and planning team have nothing to disclose nor do they have any vested interests or affiliations


Obtaining Certificate of Credit

Colorado Foundation for Medical Care (CFMC) hosts an online activity evaluation system, certificate and outcomes measurement process. Following the activity, you must link to CFMC's online site (link below) to complete the evaluation form in order to receive your certificate of credit. Once the evaluation form is complete and submitted, you will be automatically sent a copy of your certificate via email. Please note, participants must attend the entire activity to receive all types of credit. Continuing Education evaluation and request for certificates will be accepted up to 60 days post activity date. CFMC will keep a record of attendance on file for 6 years.