Risk Assessment

From Clinfowiki
Revision as of 04:22, 20 November 2013 by JDarin


As of 2012, the healthcare industry had still not reached maturity in terms of establishing a protocol for conducting risk assessment of systems. The 2005 HIPAA Security Rule initiated a requirement that risk assessments be conducted, but left a lot of room for interpretation. However, organizations are being forced to catch up because of the increased incidence of data breaches (up nearly 200% between 2010 and 2011), increased government oversight, and the Stage 1 Meaningful Use requirement that hospitals and eligible professionals must "conduct or review a security risk analysis" to qualify for incentive payments.

Prescriptive requirements for risk assessments are typically ineffective because they stipulate too much and fail to account for the unique circumstances of individual healthcare systems. Therefore, system security should begin with identifying and prioritizing security and privacy risks, so that healthcare systems can allocate just enough resources to address them.

A good resource for conducting risk assessments is the National Institute of Standards and Technology's Risk Management Guide for Information Systems. It outlines the process of risk assessment in 9 steps:

• System Characterization - Identifying risk for an IT system requires a keen understanding of the system’s processing environment.

• Threat Identification - The goal of this step is to identify the potential threat-sources and compile a threat statement listing the potential threat-sources that are applicable to the IT system being evaluated.

• Vulnerability Identification - The goal of this step is to develop a list of system vulnerabilities that could be exploited by the potential threat-sources.

• Control Analysis - The goal of this step is to analyze the controls that have been implemented, or are planned for implementation, by the organization to minimize or eliminate the likelihood (or probability) of a threat’s exercising a system vulnerability.

• Likelihood Determination - To derive an overall likelihood rating that indicates the probability that a potential vulnerability may be exercised within the construct of the associated threat environment, the following governing factors must be considered:

    • Threat-source motivation and capability
    • Nature of the vulnerability
    • Existence and effectiveness of current controls.

• Impact Analysis - The next major step in measuring level of risk is to determine the adverse impact resulting from a successful threat exercise of a vulnerability.

• Risk Determination -

• Control Recommendations

• Results Documentation
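As an added worked example (not part of the original wiki page and not code from the NIST guide), the following Python script carries a small register of findings through steps 5 to 9 of the process above. Likelihood is rated from the three governing factors (threat-source capability, nature of the vulnerability, effectiveness of current controls) using a simplified rule that is an assumption here; likelihood and impact are then combined with the risk-level matrix NIST SP 800-30 uses (likelihood weighted Low/Medium/High as 0.1/0.5/1.0, impact as 10/50/100, with a product above 50 rated High, above 10 Medium, otherwise Low); the sorted rows together with a recommended control per finding form the results document. All systems, findings and ratings in `SAMPLE_REGISTER` are constructed sample data.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Likelihood and impact weights from the NIST SP 800-30 risk-level matrix.
LIKELIHOOD_WEIGHT = {"Low": 0.1, "Medium": 0.5, "High": 1.0}
IMPACT_WEIGHT = {"Low": 10, "Medium": 50, "High": 100}
LEVEL_ORDER = {"High": 0, "Medium": 1, "Low": 2}


@dataclass
class Finding:
    """One threat-source / vulnerability pair from steps 1-4 (constructed data)."""
    system: str
    threat_source: str
    vulnerability: str
    threat_capability: str        # Low / Medium / High: motivation and capability
    vulnerability_severity: str   # Low / Medium / High: nature of the vulnerability
    control_effectiveness: str    # Low / Medium / High: existing or planned controls
    impact: str                   # Low / Medium / High: result of impact analysis
    recommended_control: str      # step 8 output, filled in by the assessor


def rate_likelihood(threat_capability: str, vulnerability_severity: str,
                    control_effectiveness: str) -> str:
    """Step 5. Simplified rule (an assumption of this example, not NIST's text):
    a source without capability, or controls that prevent exercise, give Low;
    a capable source facing ineffective controls and a real weakness gives High;
    everything in between is Medium."""
    if threat_capability == "Low" or control_effectiveness == "High":
        return "Low"
    if (threat_capability == "High" and control_effectiveness == "Low"
            and vulnerability_severity != "Low"):
        return "High"
    return "Medium"


def risk_level(likelihood: str, impact: str) -> Tuple[str, float]:
    """Step 7. NIST SP 800-30 matrix: score = likelihood weight x impact weight,
    High above 50, Medium above 10, Low otherwise."""
    score = LIKELIHOOD_WEIGHT[likelihood] * IMPACT_WEIGHT[impact]
    if score > 50:
        return "High", score
    if score > 10:
        return "Medium", score
    return "Low", score


def determine_risk(register: List[Finding]) -> List[Tuple[Finding, str, str, float]]:
    """Steps 5-7 over the whole register; rows sorted highest risk first so that
    control recommendations (step 8) are worked in priority order."""
    rows = []
    for f in register:
        likelihood = rate_likelihood(f.threat_capability, f.vulnerability_severity,
                                     f.control_effectiveness)
        level, score = risk_level(likelihood, f.impact)
        rows.append((f, likelihood, level, score))
    rows.sort(key=lambda r: (LEVEL_ORDER[r[2]], -r[3]))
    return rows


def results_document(rows) -> str:
    """Step 9. Plain-text results table for the assessment report."""
    header = f"{'Risk':<7}{'Score':>6}  {'Likelihood':<11}{'System':<20}Recommended control"
    lines = [header]
    for f, likelihood, level, score in rows:
        lines.append(f"{level:<7}{score:>6.0f}  {likelihood:<11}{f.system:<20}"
                     f"{f.recommended_control}")
    return "\n".join(lines)


# Constructed sample register for a small hospital (not real findings).
SAMPLE_REGISTER = [
    Finding("EHR web portal", "external attacker", "unsupported web server version",
            "High", "High", "Low", "High", "upgrade and patch; put behind WAF"),
    Finding("Nursing workstations", "unauthorized insider", "shared generic login",
            "Medium", "Medium", "Medium", "Medium", "individual accounts with badge tap"),
    Finding("Clinician laptops", "theft or loss", "no full-disk encryption",
            "Medium", "High", "Low", "High", "enforce disk encryption via MDM"),
    Finding("Backup tapes", "fire in server room", "off-site copies not verified",
            "Low", "Medium", "Medium", "High", "quarterly off-site restore test"),
]

if __name__ == "__main__":
    print(results_document(determine_risk(SAMPLE_REGISTER)))
```

Running the script prints the register with the unsupported web server rated High (score 100), the unencrypted laptops and shared logins Medium (50 and 25), and the backup-tape finding Low (10), which is the prioritized list an assessor would hand to the control-recommendation step.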