HIPAA Risk Analysis Phased Approach

I will list the steps to perform a HIPAA Risk Analysis, but since I am short on time, I am going to do this in phases. I will try to do this in the upcoming days. So everybody stand by.


Phase One - Come up with a Standardized Plan

Okay, so I guess you are a DIY (Do-It-Yourselfer).

You could wing it, but I would suggest that you sit down and pretend that you are not affiliated with your organization.

Develop a list of questions by searching the internet (the lazy way) or reading a book on security controls (the really hard way). I would probably do both.

I will give a little bit away. There are three basic types of Security Controls:

1. Technical Controls - This is what most IT people focus on. A Technical Control is something that is (wait, I have to say it) technical: ergo firewalls, Active Directory (or an LDAP directory for you Linux heads), passwords, and blah blah blah.

2. Physical Controls - Think of these as doors, locks, security cameras, man traps, barbed wire, and security guards.

3. Administrative Controls - This is the hard part. Admin Controls are written policies and procedures.

Most organizations have the first two covered pretty well. The writing part, not so much. So... Next

Creating an Interview Process

The list of questions should cover the three controls above.

They should be something like, “Do you have locks on your doors?” “Do you have a firewall?” “Do you have a password policy?”

Come up with as many as you can. Then put them in an Excel spreadsheet and go interview a sampling of Executives, Managers and Workers. Ask them these questions.

Here is the outcome of this scenario:

If they exist you are good.

If they don’t exist you need to get them.
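As an added illustration (not part of the original post), here is a small script that tallies the interview answers from the spreadsheet by control type. It goes one step beyond "exists / doesn't exist": when Executives, Managers and Workers disagree about the same question, the control is flagged as inconsistent, which usually means it exists on paper but is not documented or communicated. The questions, roles and answers below are constructed samples.

```python
from collections import defaultdict

# Constructed checklist: one question per control type from the post,
# tagged Technical / Physical / Administrative.
QUESTIONS = {
    "Q1": ("Physical", "Do you have locks on your doors?"),
    "Q2": ("Technical", "Do you have a firewall?"),
    "Q3": ("Administrative", "Do you have a password policy?"),
}

# Constructed interview answers: (role, question id, yes/no), taken from a
# sampling of Executives, Managers and Workers as the post recommends.
ANSWERS = [
    ("Executive", "Q1", True), ("Manager", "Q1", True), ("Worker", "Q1", True),
    ("Executive", "Q2", True), ("Manager", "Q2", True), ("Worker", "Q2", True),
    ("Executive", "Q3", True), ("Manager", "Q3", False), ("Worker", "Q3", False),
]

def assess(questions, answers):
    """Return {question_id: status}, where status is 'present', 'missing',
    'inconsistent' or 'unanswered'. 'inconsistent' means the roles disagree:
    the control may exist somewhere but is not written down or communicated,
    which is itself a gap (an Administrative Control problem)."""
    by_q = defaultdict(list)
    for _role, qid, yes in answers:
        by_q[qid].append(yes)
    result = {}
    for qid in questions:
        votes = by_q.get(qid, [])
        if not votes:
            result[qid] = "unanswered"
        elif all(votes):
            result[qid] = "present"
        elif not any(votes):
            result[qid] = "missing"
        else:
            result[qid] = "inconsistent"
    return result

def gaps_by_control(questions, statuses):
    """Group every non-'present' finding under its control type, so the
    remediation list maps back to Technical / Physical / Administrative."""
    gaps = defaultdict(list)
    for qid, status in statuses.items():
        if status != "present":
            ctype, text = questions[qid]
            gaps[ctype].append((qid, status, text))
    return dict(gaps)

if __name__ == "__main__":
    for ctype, items in gaps_by_control(QUESTIONS, assess(QUESTIONS, ANSWERS)).items():
        for qid, status, text in items:
            print(f"{ctype}: {qid} {status}: {text}")
```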

**** Professional Tip ****

Everything must be documented in policy, so when the HIPAA police visit you after your breach, you can have some kind of defense... But that usually only works for people who document and follow the HIPAA Rules, and they usually don't have breaches. (Weird)

So, now we have done our interviewing process... The next step is policy review. I recommend that you have several policies.

These policies should encompass and document everything you do. In the Marine Corps, we called it Standard Operating Procedures, or SOP. In Healthcare IT it is called a Policy Framework.

Next I will talk about how to build a policy framework.
