Security risk assessments play a vital role in making sure your patient data is safe and secure. Many organizations believe that a simple vulnerability scan will satisfy the requirement for a risk assessment, but the fact is that it’s only one element. A complete and compliant risk assessment must include four distinct components. These include:
1. Technical Safeguards
Technical safeguards protect the systems that store, process and transmit protected health information (PHI): access controls, audit logging, integrity checks, authentication and transmission security. They are generally tested by running a vulnerability scan, an automated test that identifies known weaknesses in hosts and network services. A scan only finds what it can probe from the network; it will not tell you whether audit logging is enabled, whether PHI is encrypted at rest and in transit, or whether accounts are shared, so those controls still have to be reviewed separately.
2. Organizational safeguards
Organizational safeguards primarily address HIPAA’s “minimum necessary” standard: each person should have access only to the specific data required to perform their duties. Reviewing who has access to what, and whether that access is actually needed for their role, is the core of this component. If any person has more access than they need, you’ve created an organizational vulnerability.
3. Physical safeguards
Physical safeguards speak to the physical protection of information. You are the custodian of privileged patient information and are responsible for its care. This component includes precautions that defend against physical and environmental threats, such as building security, key card access to areas where PHI is stored, controls on workstations and portable media, and off-site data replication and recovery, just to name a few. (Firewalls, by contrast, are a technical safeguard and belong in the first category.)
4. Administrative safeguards
Administrative safeguards are the policies, procedures and contractual controls that govern how information is protected, and include such things as business associate agreements, employee confidentiality agreements, background checks, termination checklists and the implementation of formal policies and procedures. It’s critical to be able to show, through documentation and a repeatable process, that an employee’s access is revoked promptly on termination and that compliance is maintained, especially in an environment where technology plays such a large part.
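The organizational check above (does anyone hold more access than their role requires?) and the administrative one (has every terminated employee’s access actually been removed?) are both answered by the same review: reconcile an HR roster and a role-to-entitlement matrix against an export of the access your systems have actually granted. The script below is an added example, not code from the original post or from Live Compliance; the roster, the role matrix, the access export and the entitlement names are all constructed for illustration.

```python
"""
Minimum-necessary and termination access review.

Added example; not part of the original post. All data below is
constructed: the role matrix, HR roster and access export are
hypothetical stand-ins for what you would pull from HR and from
your EHR / identity provider.
"""
from dataclasses import dataclass, field

# Hypothetical role matrix: the entitlements each job function needs.
ROLE_MATRIX = {
    "front_desk": {"scheduling", "demographics"},
    "nurse": {"scheduling", "demographics", "clinical_notes"},
    "billing": {"demographics", "claims"},
    "it_admin": {"sysadmin"},
}

# Constructed HR roster: who works here, in which role, and whether they
# are still employed. A terminated user should have no active access.
HR_ROSTER = {
    "asmith": {"role": "front_desk", "active": True},
    "bjones": {"role": "nurse", "active": True},
    "clee": {"role": "billing", "active": False},   # terminated last month
    "dkim": {"role": "it_admin", "active": True},
}

# Constructed export from the EHR / identity system: what is actually granted.
ACCESS_EXPORT = {
    "asmith": {"scheduling", "demographics", "clinical_notes"},  # more than front desk needs
    "bjones": {"scheduling", "demographics", "clinical_notes"},
    "clee": {"demographics", "claims"},                           # still active after termination
    "dkim": {"sysadmin"},
    "svc_legacy": {"claims"},                                     # no HR record at all
}


@dataclass(frozen=True)
class Finding:
    user: str
    kind: str                     # "excess_access", "terminated_user" or "orphan_account"
    detail: frozenset = field(default_factory=frozenset)


def reconcile(roster, role_matrix, access):
    """Compare granted access with the access each person's role justifies.

    Returns one Finding per problem:
      - orphan_account:  an account with no HR record (service or leftover account)
      - terminated_user: an account that is still active for someone HR says has left
      - excess_access:   an active employee holding entitlements their role does not need
    """
    findings = []
    for user, granted in access.items():
        record = roster.get(user)
        if record is None:
            findings.append(Finding(user, "orphan_account", frozenset(granted)))
            continue
        if not record["active"]:
            # Any remaining entitlement is a termination-process failure.
            findings.append(Finding(user, "terminated_user", frozenset(granted)))
            continue
        needed = role_matrix.get(record["role"], set())
        excess = set(granted) - needed
        if excess:
            findings.append(Finding(user, "excess_access", frozenset(excess)))
    return findings


if __name__ == "__main__":
    for f in reconcile(HR_ROSTER, ROLE_MATRIX, ACCESS_EXPORT):
        print(f"{f.kind:16} {f.user:12} {sorted(f.detail)}")
```

Run against the constructed data, this reports one excess entitlement for the front-desk user, a still-active account for the terminated billing employee, and an account with no HR record at all. Each line is a finding for the remediation plan, and re-running the same review on a schedule is how the “minimum necessary” and termination controls stay evidenced over time.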
What to do after a security risk assessment
It’s important to remember that performing a security risk assessment is only the first step in a process. Once all of the vulnerabilities and deficiencies are identified, the next step is to prioritize them by risk and then design and implement a remediation action plan. The key to compliance is continually repeating the process and addressing the issues. Technology and business change on a daily basis, so it’s critical for your compliance program to remain fluid.
Featured Expert: This post was written with the assistance of Jim Johnson, President of Live Compliance. Live Compliance specializes in HIPAA regulation compliance and training and is the provider of Digirad’s Compliance Program.