
Inadequate Risk Assessment to Protect Data? Go to the Underlying Cause

By Diane Evans 


In last week’s post, we discussed how an unaddressed IT vulnerability led to the massive Change Healthcare data breach.


In our field work, we see unaddressed vulnerabilities all the time. We also see, in breaches reported by the U.S. Office for Civil Rights (OCR), that blame often falls on insufficient risk assessment.


But what makes a risk assessment "insufficient"? It's all in the details.


Here are some points for managing a risk assessment:  


Step 1: Assign duties to leaders in your organization, with the initial goal of taking inventory of all places where private information exists.  


You can use your organizational chart as a place to start.  Go to every department and every facility.   Document where information is. If you need outside help, get it.  It will be a lot less expensive than the cost of a breach. 


Step 2: Consider all the places each piece of information can potentially go. Prioritize risks, based on lapses likely to result in the greatest disruption. Document everything, and plan for ongoing risk mitigation.


Step 3:  Update your HIPAA security policies with new procedures that emerge from the risk assessment.


Is this a big undertaking?  Of course it is.  The alternative is leaving your organization exposed to undiscovered threats under your own roof.  Thorough risk assessment is your means to discover, correct and gain peace of mind that you are doing your best to protect the individuals you serve, as well as your organization. 





Guarded Edge LLC

526 S Main St  - #104

Akron, OH 44311
