Health Information Privacy Protection
  Page 4


Risk Management Versus Crisis Management

In January of 2000, OAT organized a one-day privacy, security and confidentiality seminar for its grantees (OAT, 2000). At the seminar, privacy experts discussed basic administrative procedures, physical safeguards, and technical security mechanisms that should underpin HIPAA compliance activities.

Administrative Procedures

Several speakers emphasized risk management as a key component of the administrative procedures that would help health providers meet HIPAA requirements. At this OAT seminar, Koss provided an overview of a Risk Assessment Framework and discussed the critical steps for getting ready to comply with HIPAA rules (see Table 1). Koss offered the following definitions:

  • Risk analysis is a process whereby cost-effective security/control measures may be selected by balancing the cost of security/control measures against the losses that would be expected if these measures were not in place.
  • Risk management is the process of assessing risk, taking steps to reduce risk to an acceptable level and maintaining that level of risk.
  • Risk assessment is an assessment based on technical vulnerabilities and sensitivity of the information.
  • A gap analysis is an analysis that looks at the gap between the organization’s baseline security measures and the outcome of the risk analysis – the possibility and impact of adverse threats.

Koss explained that risk can be defined as the impact and likelihood of an adverse event (OAT, 2000). The impact and likelihood of an adverse event depend on the sensitivity of the health information and the number of people who may have access to that information. On one hand, a small medical office with only one computer, no network and limited information access would most likely receive a low risk rating if the information stored in the computer and office is not highly sensitive. On the other hand, a large hospital with many networked computers shared by a number of personnel at different nurse workstations might rate a high risk level. A risk assessment in this case would reflect the number of users, the type and level of access, the frequency of use, and the number of sites where the information can be accessed. Moreover, if the health information at these sites is highly sensitive, such as medical records containing details of HIV/AIDS or cancer, the risk level will be even higher.

Table 1
Critical steps for getting ready to comply with HIPAA
  • Initial security responsibilities and organization awareness
  • Baseline security assessment
  • Gap analysis
  • Risk assessment
  • Resource identification
  • Develop/revise policies and procedures
  • Design/revise security architecture
  • Implement enterprise-wide security
  • Establish corresponding administrative support
  • Establish audit process and mechanisms

Source: Shannah Koss, IBM

Physical Safeguards and Technical Security Mechanisms

Speakers at the OAT (2000) workshop also mentioned physical safeguards that should be coupled with administrative procedures to establish security. Physical safeguards address the physical environment rather than procedures; examples include placing computers holding sensitive information away from public areas and locking rooms or cabinets that store sensitive information.

Other OAT seminar speakers also recommended technical security mechanisms, ranging from user passwords to encryption (the transformation of data by the use of cryptography to produce unintelligible data [encrypted data]) to digital signatures, as a means of limiting access to and protecting medical record information. Some common technical security mechanisms include:

  • Software passwords
  • Digital signatures, which authenticate the sender and guarantee message integrity
  • Data encryption
  • Encryption over public networks
  • Backup systems
  • Disaster recovery plan


© 2002 American Nurses Association