Approaching Risk Assessments
a. A privacy risk assessment is a tool used to assess the impact and risks to the privacy of personally identifiable information (PII) stored, used and exchanged by information systems.
b. Risk Analysis involves conducting an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of personal identifiable information held by the organization.
c. The risk analysis process usually involves reviewing existing policies, identifying any issues or gaps, assessing the likelihood of a breach, developing ways to mitigate risks, and monitoring the results of the assessment and plan development. This is how I envision approaching risk assessments.
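As an added example (not part of the original post), the steps in item c can be kept in a small risk register: each entry records where the PII/PHI lives, the gap found during policy review, an assessed likelihood and impact, and the planned mitigations; the register then ranks issues and reports which ones remain above tolerance after mitigation so they can be monitored. The 1 to 5 likelihood/impact scale, the tolerance threshold and the sample assets are assumptions made for this example, not taken from the post or from HIPAA.

```python
"""Added example: a minimal privacy risk register that follows the review,
identify, assess, mitigate and monitor steps described above. The 1-5
likelihood/impact scale, the tolerance value and the sample PHI stores are
assumptions for this example, not taken from the post or any regulation."""
from dataclasses import dataclass, field


@dataclass
class Risk:
    asset: str            # where the PII/PHI is stored, used or exchanged
    issue: str            # the policy gap or vulnerability found in review
    likelihood: int       # 1 (rare) .. 5 (almost certain), assumed scale
    impact: int           # 1 (minor) .. 5 (severe), assumed scale
    # each mitigation: (name, likelihood reduction, impact reduction)
    mitigations: list = field(default_factory=list)

    def inherent_score(self) -> int:
        """Risk before any mitigation is applied."""
        return self.likelihood * self.impact

    def residual_score(self) -> int:
        """Risk remaining once planned mitigations take effect (floor of 1 each)."""
        likelihood, impact = self.likelihood, self.impact
        for _, d_like, d_imp in self.mitigations:
            likelihood = max(1, likelihood - d_like)
            impact = max(1, impact - d_imp)
        return likelihood * impact


def prioritize(risks):
    """Rank issues so the largest inherent exposures are treated first."""
    return sorted(risks, key=lambda r: r.inherent_score(), reverse=True)


def monitor(risks, tolerance):
    """Monitoring step: list assets whose residual risk is still above tolerance."""
    return [r.asset for r in risks if r.residual_score() > tolerance]


# Constructed sample register for a hypothetical facility (not real data).
SAMPLE = [
    Risk("EHR database", "shared admin login, no audit trail", 4, 5,
         [("individual accounts plus access logging", 2, 0)]),
    Risk("fax server inbox", "PHI retained indefinitely", 3, 3,
         [("30-day retention purge", 1, 1)]),
    Risk("staff laptops", "no full-disk encryption", 3, 5,
         [("enforce disk encryption", 0, 3)]),
    Risk("paper charts", "unlocked file room", 2, 3, []),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE):
        print(f"{r.asset:18} inherent={r.inherent_score():2} residual={r.residual_score():2}  {r.issue}")
    print("still above tolerance 6:", monitor(SAMPLE, tolerance=6))
```

Running the script prints the register ordered by inherent score and shows that only the EHR database stays above the assumed tolerance after mitigation, which is the item a Privacy Officer would keep on the monitoring list.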
d. For example, health care providers are required to conduct risk assessments under HIPAA and to attest to the meaningful use criteria for EHR systems under HITECH. These providers must also document this process in case they are audited by DHHS. To perform this privacy risk assessment effectively, a medical facility should determine the risks and effects of collecting, maintaining, and disseminating information in identifiable form in an electronic information system, and examine and evaluate protections and alternative processes for handling that information in order to mitigate potential privacy risks.
e. While engaged in private practice as an attorney, I was tasked with managing and maintaining client access to their files and the disclosure of confidential information to third parties. I performed a simple risk analysis when selecting the right content management provider, in order to ensure that confidential information would be maintained in a secure manner with a low risk of breaches. In addition, I restricted and monitored staff access (log trails) to the information necessary to perform their duties. With respect to disclosures to third parties, I ensured that one of the following conditions was met before disclosing information: the client’s written authorization, or disclosure was required by and/or court order.
f. What I have learned is to conduct a risk assessment as soon as possible. In fact, in my opinion, it should be the first step that a Privacy Officer takes. For example, this can be achieved by conducting a walk-through of the office/facility to identify where all PI or PHI is located, identify vulnerabilities/threats, and develop a risk mitigation plan.