
Elements of a Risk Analysis

There are numerous methods of performing risk analysis, and there is no single method or "best practice" that guarantees compliance with the Security Rule. Some examples of steps that might be applied in a risk analysis process are outlined in NIST SP 800-30. The remainder of this guidance describes several elements a risk analysis must incorporate, regardless of the method employed.

Scope of the Analysis

The scope of the risk analysis that the Security Rule requires includes the potential risks and vulnerabilities to the confidentiality, integrity, and availability of all e-PHI that an organization creates, receives, maintains, or transmits. (45 C.F.R. § 164.306(a).) This includes e-PHI in all forms of electronic media, such as hard drives, floppy disks, CDs, DVDs, smart cards or other storage devices, personal digital assistants, transmission media, or portable electronic media. Electronic media ranges from a single workstation to complex networks connecting multiple locations. Thus, an organization's risk analysis should take into account all of its e-PHI, regardless of the particular electronic medium in which it is created, received, maintained or transmitted, and regardless of the source or location of that e-PHI.

Data Collection

An organization must identify where its e-PHI is stored, received, maintained or transmitted. An organization could gather the relevant data by reviewing past and/or existing projects, performing interviews, reviewing documentation, or using other data-gathering techniques. The data on e-PHI gathered using these methods must be documented. (See 45 C.F.R. §§ 164.308(a)(1)(ii)(A) and 164.316(b)(1).)

Identify and Document Potential Threats and Vulnerabilities

Organizations must identify and document reasonably anticipated threats to e-PHI. (See 45 C.F.R. §§ 164.306(a)(2) and 164.316(b)(1)(ii).) Organizations may identify different threats that are unique to the circumstances of their environment. Organizations must also identify and document vulnerabilities which, if triggered or exploited by a threat, would create a risk of inappropriate access to or disclosure of e-PHI. (See 45 C.F.R. §§ 164.308(a)(1)(ii)(A) and 164.316(b)(1)(ii).)
