1. RISK ASSESSMENT PROJECT
By Robin Beckwith, Lisa Neuttila & Kathy Cotterman
2. R.L.K. Enterprises
Medical Records Storage Company.
3. RLK Enterprises Risk Management Proposal
Identify risks
Create security controls and mitigation procedures
Develop an operational framework of safeguards, procedures and controls
Reduce risks and liabilities to an acceptable level
Meet legal and statutory requirements
4. Risk Management Policy
Does not eliminate risk totally, but provides the structural means to identify, prioritize, and manage the risks
5. Cost of managing and treating risks vs. the anticipated benefits
6. Risk management is an essential element of good corporate governance and management practice
7. Everyone at RLK has a role in the effective management of
risk. All personnel should actively participate in identifying
potential risks in their area and contribute to the implementation
of appropriate treatment actions.
8. Risk Assessment Framework
Introduces a structured, flexible, extensible, and repeatable process for managing organizational risk and achieving risk-based protection related to the operation and use of information
9. Security Rule Goals and Objectives
As required by the Security standards: General rules section of the
HIPAA Security Rule, each covered entity must:
Ensure the confidentiality, integrity, and availability of EPHI
that it creates, receives, maintains, or transmits;
Protect against any reasonably anticipated threats and hazards to
the security or integrity of EPHI; and
Protect against reasonably anticipated uses or disclosures of such
information that are not permitted by the Privacy Rule.
11. How to Conduct a Risk Assessment
Scope the Assessment
Gather Information
Identify Realistic Threats
Identify Potential Vulnerabilities
Assess Current Security Controls
Determine the Likelihood and the Impact of a Threat Exercising a Vulnerability
Determine the Level of Risk
Recommend Security Controls
Document the Risk Assessment Results
12. Identification and Categorization of Information Types in RLK System
Category 0-1 -- The potential impact is LOW if:
The loss of confidentiality, integrity, or availability could be
expected to have a limited adverse effect on organizational
operations, organizational assets, or individuals.
Category 2-3 -- The potential impact is MODERATE if:
The loss of confidentiality, integrity, or availability could be
expected to have a serious adverse effect on organizational
operations, organizational assets, or individuals.
Category 4-5 -- The potential impact is HIGH if:
The loss of confidentiality, integrity, or availability could be
expected to have a severe or catastrophic adverse effect on
organizational operations, organizational assets, or
individuals.
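As an added worked example (not part of the RLK slides), the Python below carries steps 6 through 8 and step 10 of the slide 11 procedure through for one system using the slide 12 category mapping: the system's impact level is the FIPS 199 high-water mark across confidentiality, integrity and availability, and each threat/vulnerability pair is then rated against it. The 3x3 likelihood-by-impact weights are taken from NIST SP 800-30 (2002) and are an assumption of this example, as are the constructed EPHI store and its findings.

```python
from dataclasses import dataclass
from typing import Dict, List

IMPACT_LEVELS = ("LOW", "MODERATE", "HIGH")
# Weights from the 3x3 likelihood/impact method in NIST SP 800-30 (2002);
# using them is an assumption of this example, not something the deck states.
LIKELIHOOD_WEIGHT = {"LOW": 0.1, "MODERATE": 0.5, "HIGH": 1.0}
IMPACT_WEIGHT = {"LOW": 10, "MODERATE": 50, "HIGH": 100}

def category_to_impact(category: int) -> str:
    """Slide 12 mapping: categories 0-1 LOW, 2-3 MODERATE, 4-5 HIGH."""
    if not 0 <= category <= 5:
        raise ValueError(f"category out of range: {category}")
    return IMPACT_LEVELS[category // 2]

def high_water_mark(cia: Dict[str, int]) -> str:
    """FIPS 199 high-water mark: the system inherits the highest impact
    level among its confidentiality, integrity and availability ratings."""
    return category_to_impact(max(cia["C"], cia["I"], cia["A"]))

def risk_level(likelihood: str, impact: str) -> str:
    """Step 7: risk = likelihood x impact, bucketed as in SP 800-30 (2002):
    score > 50 is HIGH, > 10 is MODERATE, otherwise LOW."""
    score = LIKELIHOOD_WEIGHT[likelihood] * IMPACT_WEIGHT[impact]
    return "HIGH" if score > 50 else "MODERATE" if score > 10 else "LOW"

@dataclass
class Finding:
    threat: str         # step 3: realistic threat
    vulnerability: str  # step 4: potential vulnerability
    likelihood: str     # step 6: likelihood after weighing current controls

def assess(cia: Dict[str, int], findings: List[Finding]) -> List[dict]:
    """Steps 6-8 and 10: rate every threat/vulnerability pair against the
    system's impact level and return rows for the results document."""
    impact = high_water_mark(cia)
    return [{"threat": f.threat, "vulnerability": f.vulnerability,
             "likelihood": f.likelihood, "impact": impact,
             "risk": risk_level(f.likelihood, impact)} for f in findings]

# Constructed sample input: an EPHI record store rated C=4, I=3, A=3.
EPHI_STORE = {"C": 4, "I": 3, "A": 3}
SAMPLE_FINDINGS = [
    Finding("Former employee reads records", "Accounts not disabled at termination", "HIGH"),
    Finding("Backup media lost in transit", "Backup tapes stored unencrypted", "MODERATE"),
    Finding("Flood damages storage facility", "No off-site copy of records", "LOW"),
]
RESULTS = assess(EPHI_STORE, SAMPLE_FINDINGS)  # rows for step 10
```

Because the store's confidentiality rating is HIGH, every finding is judged against a HIGH impact, so only the likelihood assigned after reviewing current controls separates the three risk levels.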
16. Proposed Solution
The above framework of risk identification, security controls and
mitigation procedures, when scoped to the particular needs and
applied to the specific operation of RLK Enterprises, is designed
to provide an acceptable level of data assurance as well as meeting
Federal Government requirements and guidelines.
17. Sources
searchSecurity Techtarget.com article by Shon Harris
SP 800-37
SP 800-60
SP 800-66
SP 800-53
SP 800-53A
FIPS PUB 199
FIPS PUB 200