By Diane Evans
In last week’s post, we discussed how an unaddressed IT vulnerability led to the massive Change Healthcare data breach.
In our field work, we see unaddressed vulnerabilities all the time. We also see, in breaches reported by the U.S. Office for Civil Rights (OCR), that blame often falls on insufficient risk assessment.
But what makes a risk assessment "insufficient"? It's all in the details.
Here are some points for managing a risk assessment:
Step 1: Assign duties to leaders in your organization, with the initial goal of taking inventory of all places where private information exists.
You can use your organizational chart as a place to start. Go to every department and every facility. Document where information is. If you need outside help, get it. It will be a lot less expensive than the cost of a breach.
Step 2: Consider every place each piece of information could end up. Prioritize risks based on which lapses would cause the greatest disruption. Document everything, and plan for ongoing risk mitigation.
Step 3: Update your HIPAA security policies with new procedures that emerge from the risk assessment.
Is this a big undertaking? Of course it is. The alternative is leaving your organization exposed to undiscovered threats under your own roof. Thorough risk assessment is your means to discover, correct and gain peace of mind that you are doing your best to protect the individuals you serve, as well as your organization.