Overview: This session will present the background of the regulations that call for information security risk analysis and show how it fits in to an overall information security management process. The risk analysis process will be presented within the context of the overall risk prioritization and risk mitigation process, using an example.
The Information Security Risk Analysis Process presented utilizes a non-technical approach, involving interviewing staff knowledgeable about operations and systems to discover how information is retained and moved, and reveal the risks inherent in such storage and transmission. Interview content is organized as departmental stories that are successively refined into process descriptions, lists of information in place or in motion, diagrams of information flows, and lists of information systems and flows to be assessed for risks. Risk issues and recommendations for each system or information flow can then be described and organized into a table that is used to define the risks and prioritize their mitigation, using a straightforward high-medium-low stratification of potential likelihood and impact for each risk issue, following the risk determination method identified in the preamble to the HIPAA Security Rule and guidance from the US Department of Health and Human Services. Areas of high risk, as identified by respected industry organizations, will be identified to ensure that the most significant risks are discovered and adequately prioritized.
The risk analysis process will be applied to a simplified example in order to relate the process to a real situation and drive home the usefulness of the process.
Areas Covered in the Session:
* Learn how to conduct an information security risk analysis suitable to aid in compliance with the HIPAA Security Rule and other information security regulations relevant to health information managers.
* Find out what the rules are that health care providers must follow, why they are important, and what the penalties are for not complying, including the new penalties for willful neglect of compliance, which begin at $10,000.
* See how the risk analysis requirement for meeting the privacy and security objective of meaningful use, necessary for federal funding, fits in with HIPAA compliance.
* Learn what steps to follow in the discovery and organization of information needed for the risk analysis.
* Find out what are the most significant risks a health care organization faces and how they can be mitigated.
* Learn a methodology for working through the risk analysis information to discover security strengths and weaknesses and develop a list of priorities for improving security compliance.
* Discover that staff need not be technicians in order to perform a useful risk analysis.
* Discover that a risk analysis can be useful for guiding decision-making for appropriate policies and procedures, and security investments.
Who Will Benefit:
* Compliance director
* CEO
* CFO
* Privacy Officer
* Security Officer
* Information Systems Manager
* HIPAA Officer
* Chief Information Officer
* Health Information Manager
* Healthcare Counsel/lawyer
* Office Manager
* Contracts Manager
The Information Security Risk Analysis Process presented utilizes a non-technical approach, involving interviewing staff knowledgeable about operations and systems to discover how information is retained and moved, and reveal the risks inherent in such storage and transmission. Interview content is organized as departmental stories that are successively refined into process descriptions, lists of information in place or in motion, diagrams of information flows, and lists of information systems and flows to be assessed for risks. Risk issues and recommendations for each system or information flow can then be described and organized into a table that is used to define the risks and prioritize their mitigation, using a straightforward high-medium-low stratification of potential likelihood and impact for each risk issue, following the risk determination method identified in the preamble to the HIPAA Security Rule and guidance from the US Department of Health and Human Services. Areas of high risk, as identified by respected industry organizations, will be identified to ensure that the most significant risks are discovered and adequately prioritized.
The risk analysis process will be applied to a simplified example in order to relate the process to a real situation and drive home the usefulness of the process.
Areas Covered in the Session:
* Learn how to conduct an information security risk analysis suitable to aid in compliance with the HIPAA Security Rule and other information security regulations relevant to health information managers.
* Find out what the rules are that health care providers must follow, why they are important, and what the penalties are for not complying, including the new penalties for willful neglect of compliance, which begin at $10,000.
* See how the risk analysis requirement for meeting the privacy and security objective of meaningful use, necessary for federal funding, fits in with HIPAA compliance.
* Learn what steps to follow in the discovery and organization of information needed for the risk analysis.
* Find out what are the most significant risks a health care organization faces and how they can be mitigated.
* Learn a methodology for working through the risk analysis information to discover security strengths and weaknesses and develop a list of priorities for improving security compliance.
* Discover that staff need not be technicians in order to perform a useful risk analysis.
* Discover that a risk analysis can be useful for guiding decision-making for appropriate policies and procedures, and security investments.
Who Will Benefit:
* Compliance director
* CEO
* CFO
* Privacy Officer
* Security Officer
* Information Systems Manager
* HIPAA Officer
* Chief Information Officer
* Health Information Manager
* Healthcare Counsel/lawyer
* Office Manager
* Contracts Manager