The Risk Assessment process is more than just a tool your facility uses to satisfy auditors and Meaningful Use dollars. Each time you perform a Risk Assessment, you are implementing a critical element of your overall Strategic Planning Process – or in layman’s terms – your Risk Assessment helps you identify areas of strategic weakness, protect areas of acute importance, and keep your facility safe from threats.
This goes beyond firewalls and anti-virus. It includes maintaining proper user rights and control over access to HIPAA protected information. Your Risk Assessment helps to determine physical access to specific areas within your facility – like server rooms or file lockers. It provides guidelines for proper handling of software and hardware to ensure your facility’s ongoing security through security patches, password policies, retirement of outdated technology, and upgrades of software applications that are no longer supported.
In essence, your Risk Assessment touches all critical elements of your facility’s operations to reduce risk to reasonable levels, ensure the confidentiality and availability of sensitive data and ePHI, and keep your staff and your patients protected continuously.
We’re confident that you probably already understand that Risk Assessments are important, and you may even have some form of a risk assessment in place. But what you may not know, or understand the true impact of, is whether or not your Risk Assessment will hold up in the event of an audit.
To help you answer this question, we’ve outlined some information to help you self-assess the strength of your organization’s current Risk Assessment.
For starters, every good Risk Assessment should address the following basic components:
- Initial Screening Questions – screening interviews with staff should be conducted to gain an understanding of existing controls and their effectiveness
- Asset Management – determine what assets need the most protection, in order of priority, and how
- People Issues – realize that your staff are the core of your organization’s security and human error is the cause of a large percentage of security damage
- Technology Issues – track and monitor both hardware and software for needed upgrades, replacements, and repairs
- On-site Inspections/Penetration Testing – perform routine tests to help identify areas of weakness and potential risks, be it human error, technology failure, external threats, or other
- Findings and Remediation Steps – identify and implement solutions and incorporate changes into your organization’s culture
Regarding the People Issues, the following steps should be taken:
Screening interviews with staff should be conducted to gain an understanding of existing controls and their effectiveness. From there, assessments and recommendations need to be made to evaluate the threats, the exposure potential, and the likelihood and impact of each of the threats discovered. Most importantly, your IT partner should also provide you with assistance with Risk Prioritization and Mitigation Decisions to ensure that all vulnerabilities are properly addressed.
Concerning technology issues, several of the key systems to monitor and evaluate include the following:
- Management of Terminated Users – consistently search for inactive or inappropriate user rights
- Computers with passwords that don’t follow the Group Policy – search for and highlight passwords that are not changed or don’t follow the required password format
- Systems without Anti-virus or Anti-spam Solutions – scan for systems that are not protected
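The three checks in the list above can be scripted against Active Directory so the findings are repeatable from one assessment to the next. The following PowerShell is an added example, not Progressive Computer Systems’ own tooling; it assumes the ActiveDirectory module (RSAT) is installed, that the 90-day inactivity window matches your policy, and that the computer names are constructed placeholders.

```powershell
# Added example (not the company's tooling): three audit checks from the list
# above, run against Active Directory with the ActiveDirectory module (RSAT).
# Assumptions: the 90-day inactivity window and the computer names are
# constructed values; adjust them to your own policy and inventory.
Import-Module ActiveDirectory

# 1. Management of Terminated Users: enabled accounts that have not logged on
#    within the inactivity window (or never have), with a count of the group
#    memberships they still hold so the reviewer can see what access remains.
function Get-StaleUserAccounts {
    param([int]$InactiveDays = 90)
    $cutoff = (Get-Date).AddDays(-$InactiveDays)
    Get-ADUser -Filter { Enabled -eq $true } -Properties LastLogonDate, MemberOf |
        Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff } |
        Select-Object SamAccountName, LastLogonDate,
            @{ Name = 'GroupCount'; Expression = { $_.MemberOf.Count } }
}

# 2. Passwords that don't follow Group Policy: compare each account's
#    PasswordLastSet against the domain's MaxPasswordAge and flag accounts
#    that are exempted with PasswordNeverExpires or have never set a password.
function Get-PasswordPolicyOutliers {
    $policy = Get-ADDefaultDomainPasswordPolicy
    $maxAge = $policy.MaxPasswordAge
    Get-ADUser -Filter { Enabled -eq $true } -Properties PasswordLastSet, PasswordNeverExpires |
        Where-Object {
            $_.PasswordNeverExpires -or
            -not $_.PasswordLastSet -or
            ($maxAge -gt [TimeSpan]::Zero -and ((Get-Date) - $_.PasswordLastSet) -gt $maxAge)
        } |
        Select-Object SamAccountName, PasswordLastSet, PasswordNeverExpires
}

# 3. Systems without Anti-virus: ask each workstation which AV products are
#    registered with Security Center. root/SecurityCenter2 is populated only on
#    workstation editions of Windows; servers return nothing here and need a
#    product-specific check instead, so an empty result is reported, not assumed.
function Get-UnprotectedEndpoints {
    param([string[]]$ComputerName)
    foreach ($c in $ComputerName) {
        try {
            $av = Get-CimInstance -ComputerName $c -Namespace root/SecurityCenter2 `
                                  -ClassName AntiVirusProduct -ErrorAction Stop
            if (-not $av) {
                [pscustomobject]@{ Computer = $c; Status = 'No AV product registered' }
            }
        } catch {
            [pscustomobject]@{ Computer = $c; Status = "Query failed: $($_.Exception.Message)" }
        }
    }
}

# Usage: write each finding set to CSV so it can be attached to the assessment record.
Get-StaleUserAccounts -InactiveDays 90 | Export-Csv .\stale-users.csv -NoTypeInformation
Get-PasswordPolicyOutliers | Export-Csv .\password-outliers.csv -NoTypeInformation
Get-UnprotectedEndpoints -ComputerName 'WS-PLACEHOLDER-01', 'WS-PLACEHOLDER-02' |
    Export-Csv .\unprotected-endpoints.csv -NoTypeInformation
```

Each function returns objects rather than printing text, so the same output can be filtered further, compared against last year’s export, or fed into the Findings and Remediation Steps without re-running the queries.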
There’s a lot more that goes into an effective, full-scale Risk Assessment, but the above details give you a glimpse into the depth that your Risk Assessment should go.
Recently, Progressive Computer Systems performed a Risk Assessment for a large community hospital in the Triangle area as part of their Meaningful Use Attestation. Going into the Risk Assessment, this hospital was lacking key documentation about their systems and some basic understanding of the requirements for HIPAA Compliance, such as email encryption, password management, access control management, audit logging, etc. After completing the Risk Assessment, we were able to identify a number of areas that needed to be addressed in preparation for an upcoming audit. After the audit, we were pleased to learn that the hospital passed with flying colors and the auditor was impressed with the quality of the work performed. This not only saved them from major penalties for non-compliance, but ultimately helped ensure the protection of their patients, as well.
At Progressive Computer Systems, we rely on tools that use industry-wide best practices for network health, performance, and security to perform comprehensive Risk Assessments. Whether you are trying to meet Meaningful Use Requirements, to prepare for an internal audit, or just want to be prudent by evaluating your organization’s potential exposures, we make that process easy to perform, make your risks easy to understand, and make your vulnerabilities easy to prioritize and mitigate. Given the number of security breaches in the news lately in the digital age, most organizations are now budgeting for a Risk Assessment on an annual basis. Feel free to give us a call to learn more about how we can help you with your Risk Assessment process.
Progressive Computer Systems, Inc. was founded in August 1987 by Lisa Mitchell and Mark Michal in the Research Triangle Park area of North Carolina. Over the past 25 years, Progressive Computer Systems, Inc. has focused on building a professional, certified staff that is committed to excellent customer service, has established long-term partnerships with clients based on trust and integrity, and continues to provide a proactive, strategic approach to IT for all their clients.