Risk Analysis and Security

From Clinfowiki

As electronic patient data is being shared outside of the healthcare organizations there are unique challenges being encountered. Additional security controls are being implemented because of the changing environment to a more complex information sharing arrangement.

This has prompted many security surveys in an effort to identify the risks as organizations convert to electronic patient data. Some components noted are external threats, internal threats, risks to confidentiality of patient data, compliance requirements, effectiveness of security controls, evaluation of policies and procedures, risks to integrity of patient data, risks to availability of patient data, and new opportunities to improve security.[1]

Risk Analysis and Requirements

What is Risk Analysis?

Risk Analysis is a systematic and ongoing process of identifying threats, controls, and vulnerabilities—as well as their likelihood and impact—to arrive at an overall rating of risk.[2]

The HIPAA Security Rule and Meaningful Use regulations require a risk analysis of the currently installed healthcare system. Security officers or risk management personnel must follow the HIPAA Security Rule standard for Evaluation, which states that organizations must “Perform a periodic technical and nontechnical evaluation, based initially upon the standards and implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart.”[2]

Security Governance

Certification and accreditation begin when a system is analyzed against security standards. The “CIA triad” model is used as a guideline during system reassessment. The National Institute of Standards and Technology defines CIA as Confidentiality, Integrity, and Availability.

They are defined below:

  • Confidentiality: A requirement that private or confidential information not be disclosed to unauthorized individuals.
  • Integrity: Data integrity is a requirement that information and programs are changed only in a specified and authorized manner. System integrity is a requirement that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system.
  • Availability: A requirement intended to ensure that systems work promptly and service is not denied to authorized users.[3]

Overall, risk analysis and security go hand in hand. Therefore, to ensure the security of patient health information (PHI), risk analysis assessments should be conducted regularly. If this is not done correctly, security breaches will occur and PHI will be jeopardized.


  1. HIMSS. "2008 HIMSS Security Survey," sponsored by Booz Allen Hamilton. www.himss.org
  2. AHIMA. "Security Risk Analysis and Management: An Overview (Updated)." Journal of AHIMA 84, no. 11 (November–December 2013): expanded web version. http://library.ahima.org/xpedio/idcplg?IdcService=GET_HIGHLIGHT_INFO&QueryText=%28risk+analysis+and+security%29%3Cand%3E%28xPublishSite%3Csubstring%3E%60BoK%60%29&SortField=xPubDate&SortOrder=Desc&dDocName=bok1_050533&HighlightType=HtmlHighlight&dWebExtension=hcsp
  3. AHIMA. "The 10 Security Domains (Updated 2013)." Journal of AHIMA 84, no. 10 (October 2013): expanded web version. http://library.ahima.org/xpedio/idcplg?IdcService=GET_HIGHLIGHT_INFO&QueryText=%28risk+analysis+and+security%29%3Cand%3E%28xPublishSite%3Csubstring%3E%60BoK%60%29&SortField=xPubDate&SortOrder=Desc&dDocName=bok1_050430&HighlightType=HtmlHighlight&dWebExtension=hcsp