Presentation is loading. Please wait.

Presentation is loading. Please wait.

HIPAA Security A Quantitative and Qualitative Risk Assessment Rosemary B. Abell Director, National Healthcare Vertical Keane, Inc. HIPAA Summit VII September.

Published byCollin Cross Modified over 8 years ago

Similar presentations

Presentation on theme: "HIPAA Security A Quantitative and Qualitative Risk Assessment Rosemary B. Abell Director, National Healthcare Vertical Keane, Inc. HIPAA Summit VII September."— Presentation transcript:

1 HIPAA Security A Quantitative and Qualitative Risk Assessment Rosemary B. Abell Director, National Healthcare Vertical Keane, Inc. HIPAA Summit VII September 14-16, 2003

2 2 Overview The Data Security issue – –Why listen to this presentation? –What do we need to do – Security Gap Assessment? Gap Analysis VS Risk Assessment –Goals of a Risk Assessment –How to perform a Risk Assessment Lesson Learned

3 HIPAA Security Why are you here?

4 4 Things to Think About? What grade would you get on your security plan if your DOI commissioner walked into your organization today? If you found out you had a security breach, what 3 areas come to mind? What tools and process do you use to explain to your senior management that you really studied your security plan?

5 5 Things to Think About? When you are in the witness box, how many of you can say that someone else certified your network? If it came across the national news that there are truck full of paper claims laying on the highway, how many of you would pick up the phone and call your management to see if it was your organization?

6 HIPAA Security What To Do?

7 7 Why conduct a Security Assessment? Provide an understanding of the impact of HIPAA legislation on business operations and technology infrastructure –Identify gaps between current business and technical environments compared to the requirements of HIPAA –Evaluate the significance of the vulnerabilities (Risks) in the context of the organization’s operations

8 8 What do we need to do? 1.Plan 2.Gather Data 3.Analyze Data 4.Assess Risk

9 9 Plan Kickoff meeting to provide an understanding of the security assessment process –Identify the people involved, confirm staff to be interviewed –Identify the security assessment approach –Identify the steps to be taken –Review high level milestones

10 10 Gather Security Data Customize security assessment questionnaire for HIPAA specifications Assign appropriate questions to representatives from functional areas Interview representatives from functional areas using the applicable questionnaires Record data

11 11 Conduct Gap Analysis Compile results of questionnaires Identify gaps Develop gap analysis report to reveal gaps in compliance between the current environments and the HIPAA requirements

12 HIPAA Security Gap Analysis VS Risk Assessment?

13 13 Gap Analysis vs. Risk Assessment The gap analysis compares where we are to where we need to be in relation to HIPAA compliance. It helps determine the areas where the organization has vulnerabilities The risk assessment will be used to evaluate the significance of the vulnerabilities in context of the organization’s operations

14 14 Risk Assessment The questions you are trying to answer in the risk assessment are: –What could compromise the confidentiality,integrity and availability of the health information in our possession? –If that information is compromised what is the impact to our business or to the individual? –What is the probability that it will happen?

15 15 How to perform a Risk Assessment The Risk areas rank the relative impacts of “not compliant” responses to the organization. –Qualitative Risks: based on values associated with each of the questions asked in the assessment questionnaire. If a “not compliant” answers implies a solution that typically requires a significant effort to achieve compliance, it carries a high qualitative. Medium and low qualitative risk values are assigned for those with correspondingly lower typical efforts. When summarized for a section, this value gives an indication of the average level of effort that will be needed for compliance activities. –The Quantitative Risks reflect the counts of “not compliant” responses within the set of questions for a regulation section. The counts associated with each of the High/Medium/Low risk values for each section since sections have different numbers of questions. When summarized for a section, this value shows volume of identified compliance gaps. More than 50% non-compliant responses = High 33%- 50% non-compliant responses = Medium Less that 33% non-complaint responses = Low

16 16 Other Considerations Purpose of process/system/ department Number of users Types of users, internal, external, on-site, remote, contract Type of access, level and scope of access Frequency of use Knowledge level of users Input into the Risk Assessment:

17 17 Other Considerations Number of locations/sites Physical environment Types of security controls Interdependencies and interfaces Type of information and risks for confidentiality, integrity and availability Type of threats (intentional or unintentional) Input into the Risk Assessment:

18 18 Example: FindingsRecommendationsRisk The departments indicated that it did not know whether health care access requirements are reviewed as a result of internal policy changes. The departments indicated that it did not know whether health care access requirements are reviewed as a result of organizational restructuring or change. The qualitative risk is High. The quantitative risk is Medium since 2 of 6 responses were negative. Recommended solutions are: Policies and procedures must be developed and implemented to require review of health care access requirements as a result of internal policy changes and organizational restructuring or change. All staff must be trained on the policies and procedures Qualitative = Quantitative = Section: Administrative Safeguards Standard: (1) Information Access Management Implementation: Access Establishment and Modification (Addressable) Department; Common Department Findings

19 19 Priority Scheme Qualitative Average Low 1 High Quantitative 3 7 4 2 Medium 6 5 High Medium Low 1 98 89

20 20 Lessons Learned Create a well-defined approach Obtain executive commitment Assign one responsible individual Provide awareness and education The assessment does not execute itself –It must be administered and controlled Upfront planning pays many dividends –More timely and accurate response

21 21 Thank You ! Rosemary B. Abell Director, National Healthcare Vertical Keane, Inc Rosemary_B_Abell@Keane.com (919) 767-2235

Download ppt "HIPAA Security A Quantitative and Qualitative Risk Assessment Rosemary B. Abell Director, National Healthcare Vertical Keane, Inc. HIPAA Summit VII September."

Similar presentations

St. Louis Public Schools Human Resources Support for District Improvement Initiatives (Note: The bullets beneath each initiative indicate actions taken.

St. Louis Public Schools Human Resources Support for District Improvement Initiatives (Note: The bullets beneath each initiative indicate actions taken.
Electronic Medical Records: Implications of HIPAA for Selecting and Implementing an EMR Todd Frech Senior Partner www.ociusmedinfo.com.

Electronic Medical Records: Implications of HIPAA for Selecting and Implementing an EMR Todd Frech Senior Partner
PhoenixPro Procurement. technology. contracts. projects.

PhoenixPro Procurement. technology. contracts. projects.
Chapter 10. Understand the importance of establishing a health care organization-wide security program. Identify significant threats—internal, external,

Chapter 10. Understand the importance of establishing a health care organization-wide security program. Identify significant threats—internal, external,
Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group 209-754-9130

Information Risk Management Key Component for HIPAA Security Compliance Ann Geyer Tunitas Group
© 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security.

© 2008 Cisco Systems, Inc. All rights reserved.Cisco Confidential 14854_10_2008_c1 1 Holistic Approach to Information Security Greg Carter, Cisco Security.
HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.

HIPAA: FEDERAL REGULATIONS REGARDING PATIENT SECURITY.
HIPAA Security Rule Overview and Compliance Program Presented by: Lennox Ramkissoon, CISSP The People’s Hospital HIPAA Security Manager The Hospital June.

HIPAA Security Rule Overview and Compliance Program Presented by: Lennox Ramkissoon, CISSP The People’s Hospital HIPAA Security Manager The Hospital June.
Series 2: Project Management Understanding and Using 6 Basic Tools 9/2013 From the CIHS Video Series “Ten Minutes at a Time”

Series 2: Project Management Understanding and Using 6 Basic Tools 9/2013 From the CIHS Video Series “Ten Minutes at a Time”
© Copyright 2014 Saul Ewing LLP The Coalition for Academic Scientific Computation HIPAA Legal Framework and Breach Analysis Presented by: Bruce D. Armon,

© Copyright 2014 Saul Ewing LLP The Coalition for Academic Scientific Computation HIPAA Legal Framework and Breach Analysis Presented by: Bruce D. Armon,
1 Introduction to Workforce Planning and Development in State of Alaska Executive Branch Departments.

1 Introduction to Workforce Planning and Development in State of Alaska Executive Branch Departments.
Security Controls – What Works

Security Controls – What Works
WHY CHOOSE CEO-PE?  We employ International Association of Privacy Professionals (IAPP) Certified and Health Insurance Portability & Accountability Act.

WHY CHOOSE CEO-PE?  We employ International Association of Privacy Professionals (IAPP) Certified and Health Insurance Portability & Accountability Act.
COSO Framework A company should include IT in all five COSO components: –Control Environment –Risk Assessment –Control activities –Information and communication.

COSO Framework A company should include IT in all five COSO components: –Control Environment –Risk Assessment –Control activities –Information and communication.
Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.

Secure System Administration & Certification DITSCAP Manual (Chapter 6) Phase 4 Post Accreditation Stephen I. Khan Ted Chapman University of Tulsa Department.
Quality evaluation and improvement for Internal Audit

Quality evaluation and improvement for Internal Audit
Center for Health Care Quality Licensing & Certification Program Evaluation 1 August 2014 rev.

Center for Health Care Quality Licensing & Certification Program Evaluation 1 August 2014 rev.
DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.

DITSCAP Phase 2 - Verification Pramod Jampala Christopher Swenson.
Auditing Standards IFTA\IRP Audit Guidance Government Auditing Standards (GAO) Generally Accepted Auditing Standards (GAAS) International Standards on.

Auditing Standards IFTA\IRP Audit Guidance Government Auditing Standards (GAO) Generally Accepted Auditing Standards (GAAS) International Standards on.
Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.

Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.

Similar presentations

Ads by Google