Risk Management is a Balancing Act
We know that HITECH/HIPAA compliance requires covered entities and business associates to proactively manage security risks, but what does that mean in practice? In simple terms, it means that healthcare organizations that use ePHI must conduct a risk analysis (45 CFR 164.308(a)(1)(ii)(A)) and address the problems identified in that exercise.
From a very practical perspective, a completed risk analysis offers a prioritized list of security risks to be addressed with risk mitigation strategies. The classic formula for calculating risk is:
Risk = Impact * Likelihood
First, the organization identifies areas of risk. Each risk is then categorized according to its potential impact or “harms”: Low, Medium, High or Critical. The third step is to evaluate the likelihood that any given risk will be realized.
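The three steps above can be carried through on a small risk register to show how Risk = Impact * Likelihood turns a list of findings into a prioritized list. The following is an added example and not part of the original article: the numeric values assigned to the Low/Medium/High/Critical impact labels, the likelihood labels and their values, and the register entries themselves are all constructed for illustration.

```python
"""Worked example: rank a risk register with Risk = Impact * Likelihood.

Added example, not part of the original article. The numbers behind the
impact and likelihood labels are assumptions chosen for illustration; the
register entries are constructed sample data.
"""
from dataclasses import dataclass

# Impact categories named in the article; the ordinal values are assumed.
IMPACT = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}
# Likelihood labels and values are an assumption for this example.
LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Likely": 4}


@dataclass(frozen=True)
class Risk:
    identifier: str   # register reference used in the documentation trail
    description: str  # area of risk identified in step one
    impact: str       # step two: Low / Medium / High / Critical
    likelihood: str   # step three: how likely the risk is to be realized


def score(risk: Risk) -> int:
    """Risk = Impact * Likelihood on the ordinal scales above."""
    return IMPACT[risk.impact] * LIKELIHOOD[risk.likelihood]


def prioritize(register):
    """Return (score, risk) pairs, highest score first.

    Ties are broken by impact (a Critical finding outranks a Medium one with
    the same product), then by identifier so the order is reproducible.
    """
    return sorted(
        ((score(r), r) for r in register),
        key=lambda pair: (-pair[0], -IMPACT[pair[1].impact], pair[1].identifier),
    )


def report(register):
    """Documentation-ready view of the prioritized register (list of dicts)."""
    return [
        {
            "rank": rank,
            "id": r.identifier,
            "impact": r.impact,
            "likelihood": r.likelihood,
            "score": s,
            "description": r.description,
        }
        for rank, (s, r) in enumerate(prioritize(register), start=1)
    ]


# Constructed sample register (not real findings).
SAMPLE_REGISTER = [
    Risk("R-01", "Unencrypted laptops storing ePHI", "Critical", "Possible"),
    Risk("R-02", "Shared workstation logins on the ward", "Medium", "Likely"),
    Risk("R-03", "Unlabelled backup tapes in off-site storage", "High", "Unlikely"),
    Risk("R-04", "Paper visitor log left in lobby", "Low", "Likely"),
    Risk("R-05", "Patient portal missing vendor security patches", "High", "Possible"),
]

if __name__ == "__main__":
    for row in report(SAMPLE_REGISTER):
        print(f"{row['rank']}. {row['id']} score={row['score']:2d} "
              f"{row['impact']}/{row['likelihood']}: {row['description']}")
```

On the sample register the ranking comes out R-01 (12), R-05 (9), R-02 (8), R-03 (6), R-04 (4). The `report` rows are the kind of record the article's final point calls for: each entry shows which category was assigned at each step and the resulting score, so the prioritization can be demonstrated later rather than reconstructed from memory.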
In a world with inherently scarce resources, leadership needs this kind of information to effectively direct design and implementation of risk remediation action plans.
And, of course, every step is thoroughly documented to demonstrate the steps an organization has taken to ensure data security.