Difference between revisions of "Risk Analysis and Security"
From Clinfowiki
Older revision: Lisa.Briones (Talk | contribs) m (Risk analysis and security)
Newer revision: Lisa.Briones (Talk | contribs) m (security)
Line 14:
*'''Security Governance'''
**When a system is analyzed against security standards, certification and accreditation begins. The "CIA TRIAD" model is used as a guideline during system reassessment. The National Institute of Standards and Technology defines CIA as Confidentiality, Integrity, and Availability. They are defined below:
− '''Confidentiality''': A requirement that private or confidential information not be disclosed to unauthorized individuals.
+ "'''Confidentiality''': A requirement that private or confidential information not be disclosed to unauthorized individuals.
'''Integrity:''' Data integrity is a requirement that information and programs are changed only in a specified and authorized manner. System integrity is a requirement that a system performs its intended function in an unimpaired manner, free from deliberate or inadvertent unauthorized manipulation of the system.
− '''Availability:''' A requirement intended to ensure that systems work promptly and service is not denied to authorized users.<ref name="AHIMA October 2013">AHIMA. "The 10 Security Domains (Updated 2013)." Journal of AHIMA 84, no.10 (October 2013): expanded web version. http://library.ahima.org/xpedio/idcplg?IdcService=GET_HIGHLIGHT_INFO&QueryText=%28risk+analysis+and+security%29%3Cand%3E%28xPublishSite%3Csubstring%3E%60BoK%60%29&SortField=xPubDate&SortOrder=Desc&dDocName=bok1_050430&HighlightType=HtmlHighlight&dWebExtension=hcsp</ref>
+ '''Availability:''' A requirement intended to ensure that systems work promptly and service is not denied to authorized users."<ref name="AHIMA October 2013">AHIMA. "The 10 Security Domains (Updated 2013)." Journal of AHIMA 84, no.10 (October 2013): expanded web version. http://library.ahima.org/xpedio/idcplg?IdcService=GET_HIGHLIGHT_INFO&QueryText=%28risk+analysis+and+security%29%3Cand%3E%28xPublishSite%3Csubstring%3E%60BoK%60%29&SortField=xPubDate&SortOrder=Desc&dDocName=bok1_050430&HighlightType=HtmlHighlight&dWebExtension=hcsp</ref>
Overall, risk analysis and security go hand in hand. Therefore, to ensure the security of patient health information (PHI), risk analysis assessments should be conducted regularly. If they are not done correctly, security breaches will occur and PHI will be jeopardized.
Revision as of 05:22, 27 January 2015
Overview
As electronic patient data is shared outside of healthcare organizations, unique challenges are encountered. Additional security controls are being implemented because the environment has changed to a more complex information-sharing arrangement. This has prompted many security surveys in an effort to identify the risks as organizations convert to electronic patient data. Some components noted are external threats, internal threats, risks to confidentiality of patient data, compliance requirements, effectiveness of security controls, evaluation of policies and procedures, risks to integrity of patient data, risks to availability of patient data, and new opportunities to improve security.[1]
- Risk Analysis and Requirements
- What is Risk Analysis?
- §164.308(a)(8), Evaluation, which states that organizations must “Perform a periodic technical and nontechnical evaluation, based initially upon the standards and implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart.”[2]
- Security Governance
- When a system is analyzed against security standards, certification and accreditation begins. The “CIA TRIAD” model is used as a guideline during system reassessment. The National Institute of Standards and Technology defines CIA as Confidentiality, Integrity, and Availability. They are defined below:
References
1. www.himss.org 2008 HIMSS Security Survey sponsored by Booz/Allen/Hamilton
2. AHIMA. "Security Risk Analysis and Management: An Overview (Updated)." Journal of AHIMA 84, no.11 (November–December 2013): expanded web version. http://library.ahima.org/xpedio/idcplg?IdcService=GET_HIGHLIGHT_INFO&QueryText=%28risk+analysis+and+security%29%3Cand%3E%28xPublishSite%3Csubstring%3E%60BoK%60%29&SortField=xPubDate&SortOrder=Desc&dDocName=bok1_050533&HighlightType=HtmlHighlight&dWebExtension=hcsp
3. AHIMA. "The 10 Security Domains (Updated 2013)." Journal of AHIMA 84, no.10 (October 2013): expanded web version. http://library.ahima.org/xpedio/idcplg?IdcService=GET_HIGHLIGHT_INFO&QueryText=%28risk+analysis+and+security%29%3Cand%3E%28xPublishSite%3Csubstring%3E%60BoK%60%29&SortField=xPubDate&SortOrder=Desc&dDocName=bok1_050430&HighlightType=HtmlHighlight&dWebExtension=hcsp