Same Risk Analysis that would be used for Sarb-Ox, GLB - really, it doesn't matter. It's a methodology of determining who owns the data (you're either a data custodian (you properly have data from someone else), you are the data owner (well, you own the data), or a thief (you don't own the data)) and seeing that the data owner understands the classification of the data (Private, sensitive, confidential, etc.) and that it is classified properly.

Once it's classified, then you must have procedures and processes to go with the classifications that match with HIPAA - this will determine how the Data Custodian must deal with the data. The Data Custodian cannot classify your data - it's not his.

Once the classification of the data is done, the Risk Analysis pretty much falls into place with the same quantitative and qualitative methods as any other type of RA. Be sure to consider the methods of transmission, the likelihood of the data being compromised while it's in your possession and out of your possession, and how you can transfer the risk. Remember, there are lots of ways to transfer the risk, number one being Insurance, number two out-sourcing.
Hope that gives you a start.
Rick Kingslan MCSE, MCSA, MCT, CISSP
Microsoft MVP: Windows Server / Directory Services, Windows Server / Rights Management
Associate Expert, Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Friday, March 19, 2004 9:10 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: [ActiveDir] OT HIPAA Security Risk Analysis
Is anyone here in the Healthcare field? If you are, what Risk Analysis methodology are you using to move forward with the HIPAA Security Rule?
