How does a covered entity establish a Security Management
Process? There are many approaches you can consider. Simply HIPAA
iLearn uses the NIST Security Risk Management Program as its approach. I
have provided an excerpt from Simply HIPAA’s Administrative
Safeguards curriculum below my signature that may be helpful. I am not
able to provide the iLearns mentioned below as they are proprietary web-based or
server-based tools. However, some of the iLearns have been made freely
available from the Simply HIPAA web site (www.simplyhipaa.com).
In order to access them, registration is required.
Regards,
Barbara McGowin
Executive Recruiter/Resource Consultant
HIT Recruiting
(843) 824-8537
Connecting Health Care Organizations with People,
Products and Services to Achieve
HIPAA Compliance.

NIST Risk Management Program
1) Develop a security checklist (i.e., survey, questionnaire) based on the requirements and implementation specifications of the security rule, your business operations, and known threats (internal and external). If you are unsure of what should be included in your security checklist, you may want to consider asking your local organizations or associations if one is available. There are many vendors who have a security checklist included in a HIPAA compliance assessment tool. NIST has developed a generic, non-healthcare related security checklist (NIST SP 800-26 Security Self-Assessment Guide for Information Technology Systems, http://csrc.nist.gov/publications/nistpubs/ , scroll down to SP 800-26).
2) Use your security checklist to conduct surveys. The interviewer should have HIPAA subject matter expertise or have access to informational references that will allow the interviewer to answer any questions that the interviewees may have in order to answer the survey questions accurately. Care should be taken to address questions to the appropriate level. For small organizations some of the levels may overlap. The four levels that should be addressed are:
   a. Organization
   b. Department
   c. Facilities (primary focus is physical security controls)
   d. Application/System (primary focus would be the availability and use of technical security controls, i.e., mechanisms)
3) Determine the gap for each item on the Security Checklist. Gaps are vulnerabilities and can be at the organizational, department, facility, or application level. The gap levels would be:
   a. Policy (Gap Level I)
      i. Have policy and it is HIPAA compliant
      ii. Have policy but it needs update
      iii. Have no policy
   b. Procedure/mechanism (Gap Level II)
      i. Have procedure/mechanism and it is HIPAA compliant
      ii. Have procedure/mechanism but it needs update
      iii. Have no procedure/mechanism
   c. Training (Gap Level III)
   d. Implementation and process integration (Gap Level IV)
   e. Audit (Gap Level V)
4) Determine the impact a breach of confidentiality, integrity, or availability of a system or application would have on your organization. NIST uses the term “security categorization” for impact analysis and uses qualitative measurements of low, moderate, and high. Additional information on security categorization is found in FIPS 199 (FIPS Publication 199, Standards for Security Categorization of Information Systems, http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf ). Here is the NIST security categorization tool for impact analysis:
| Security Objective | Low | Moderate | High |
|---|---|---|---|
| Confidentiality: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. [44 U.S.C., Sec. 3542] | The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. |
| Integrity: Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. [44 U.S.C., Sec. 3542] | The unauthorized modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized modification or destruction of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. |
| Availability: Ensuring timely and reliable access to and use of information. [44 U.S.C., Sec. 3542] | The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. | The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. | The disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. |
5) Determine risk. The risk determination process described below is for a qualitative or subjective determination of risk. There are other methods, such as quantitative methods using algorithms, that may be used for risk analysis.
   a. Vulnerabilities are identified through the survey.
   b. Threats were considered in the development of the survey and now must be paired with identified vulnerabilities to determine risk.
   c. Determine the impact should a threat exploit a vulnerability. The NIST security categorization or the CMS Risk Analysis (RA) impact levels may be used for a qualitative measurement of potential impact. The Risk Determination iLearn uses the CMS RA impact levels.
   d. Determine the likelihood of a threat exploiting a vulnerability. The Risk Determination iLearn uses the CMS RA likelihood levels.
   e. Risk is the potential impact of a threat exploiting a vulnerability. Risk is a function of likelihood and impact. The Risk Determination iLearn performs this function for you for each threat/vulnerability pair. You must select the impact level (as per CMS RA) and the likelihood (as per CMS RA).
6) You must determine what you will do to fix the gaps to mitigate your risk. If there are numerous gaps and limited resources, you will need to prioritize your tasks. This step is called your mitigation-planning phase. Guidance on appropriate security controls or security safeguards is found in NIST SP 800-53 Recommended Security Controls for Federal Information Systems. (NIST Special Publications are freely accessible from the
7) The security work plan is the result of your mitigation planning. It is your roadmap to achieving compliance with the HIPAA Security Rule.
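The steps above can be carried through end to end in a small script: categorize a system the FIPS 199 way (step 4), pair each checklist gap with its threat, rate likelihood and impact, derive risk as a function of the two (step 5), and sort the result into a prioritized work plan (steps 6 and 7). The following is an added example written for this page; it is not code from Simply HIPAA or the Risk Determination iLearn. Because the CMS RA likelihood and impact scales are not reproduced here, the numeric weights and risk thresholds are an assumption taken from the qualitative risk-level matrix in NIST SP 800-30 (2002); the overall system level uses the "high-water mark" of the three objectives as FIPS 200 describes; the gap register rows are constructed sample data, and the FIPS 199 word "moderate" is accepted as a synonym for "medium".

```python
"""Added example: FIPS 199 categorization plus a qualitative risk register.

Not from Simply HIPAA or the Risk Determination iLearn. The likelihood and
impact weights and the risk thresholds are an ASSUMPTION taken from
NIST SP 800-30 (2002); the CMS RA scales are not on the page.
"""

# FIPS 199 impact levels, ranked so the high-water mark is a max().
IMPACT_RANK = {"low": 1, "moderate": 2, "high": 3}


def security_category(confidentiality, integrity, availability):
    """Return the FIPS 199 triple and the overall (high-water mark) level."""
    sc = {"confidentiality": confidentiality,
          "integrity": integrity,
          "availability": availability}
    for objective, level in sc.items():
        if level not in IMPACT_RANK:
            raise ValueError(f"{objective}: unknown impact level {level!r}")
    overall = max(sc.values(), key=IMPACT_RANK.__getitem__)
    return sc, overall


# ASSUMPTION: SP 800-30 qualitative weights (likelihood 0.1/0.5/1.0,
# impact 10/50/100) and risk bands (>50 high, >10 medium, else low).
LIKELIHOOD_WEIGHT = {"low": 0.1, "medium": 0.5, "high": 1.0}
IMPACT_WEIGHT = {"low": 10, "medium": 50, "high": 100}
# FIPS 199 says "moderate" where SP 800-30 says "medium"; accept both.
_SYNONYMS = {"moderate": "medium"}


def risk_level(likelihood, impact):
    """Risk as a function of likelihood and impact: returns (level, score)."""
    likelihood = _SYNONYMS.get(likelihood, likelihood)
    impact = _SYNONYMS.get(impact, impact)
    score = LIKELIHOOD_WEIGHT[likelihood] * IMPACT_WEIGHT[impact]
    if score > 50:
        return "high", score
    if score > 10:
        return "medium", score
    return "low", score


# Constructed sample register: one row per checklist item that showed a gap
# (step 3), paired with the threat considered when the checklist was built.
GAP_REGISTER = [
    {"item": "Workforce termination access removal", "gap_level": "I",
     "finding": "Have no policy",
     "threat": "Former workforce member retains system access",
     "likelihood": "high", "impact": "high"},
    {"item": "Data backup and contingency plan", "gap_level": "II",
     "finding": "Have procedure but needs update",
     "threat": "Server hardware failure",
     "likelihood": "medium", "impact": "high"},
    {"item": "Security awareness training", "gap_level": "III",
     "finding": "No annual training delivered",
     "threat": "Phishing of workforce credentials",
     "likelihood": "high", "impact": "moderate"},
    {"item": "Audit log review", "gap_level": "V",
     "finding": "Logs collected but never reviewed",
     "threat": "Unauthorized access goes undetected",
     "likelihood": "medium", "impact": "medium"},
    {"item": "Workstation automatic screen lock", "gap_level": "IV",
     "finding": "Policy exists, not enforced on all workstations",
     "threat": "Casual viewing of an unattended screen",
     "likelihood": "low", "impact": "low"},
]


def prioritize(register):
    """Rate every threat/vulnerability pair and order the work plan
    highest risk first (equal scores keep their register order)."""
    rated = []
    for row in register:
        level, score = risk_level(row["likelihood"], row["impact"])
        rated.append({**row, "risk": level, "score": score})
    return sorted(rated, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    sc, overall = security_category("high", "moderate", "moderate")
    print(f"Security category {sc} -> overall impact level: {overall}")
    for rank, row in enumerate(prioritize(GAP_REGISTER), start=1):
        print(f"{rank}. [{row['risk']:6}] {row['item']} "
              f"(gap level {row['gap_level']}: {row['finding']})")
```

The ordering is the point: the missing termination policy (Gap Level I, high likelihood, high impact) lands at the top of the work plan, while the screen-lock enforcement gap drops to the bottom, which is exactly the prioritization step 6 asks for when resources are limited. Swapping in the CMS RA scales only means replacing the two weight tables and the thresholds in risk_level.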
Security management is change management. You should schedule periodic risk assessments and mitigate any new gaps that are identified. In your day-to-day operations, issues or incidents may arise. These should also be assessed and mitigated. Any time policies change, business processes change, or technology changes, a risk assessment will need to be conducted.