Can you point me to a software package that can conduct this analysis, or do you have
something that you could send over that would help us develop a methodology
in-house?
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rick Kingslan
Sent: Saturday, March 20, 2004 2:18 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT HIPAA Security Risk Analysis

Same Risk Analysis that would be used for Sarb-Ox, GLB - really, it doesn't matter. It's a methodology of determining who owns the data (you're either a data custodian (you properly have data from someone else), you are the data owner (well, you own the data), or a thief (you don't own the data)) and seeing that the data owner understands the classification of the data (Private, sensitive, confidential, etc.) and that it is classified properly.

Once it's classified, then you must have procedures and processes to go with the classifications that match with HIPAA - this will determine how the Data Custodian must deal with the data. The Data Custodian cannot classify your data - it's not his.

Once the classification of the data is done, the Risk Analysis pretty much falls into place with the same quantitative and qualitative methods as any other type of RA. Be sure to consider what methods of transmission, what the likelihood of the data being compromised while it's in your possession, out of your possession, and how can you transfer the risk. Remember, there are lots of ways to transfer the risk, number one being Insurance, number two out-sourcing.

Hope that gives you a start.

Rick Kingslan MCSE, MCSA, MCT, CISSP
Microsoft MVP:
Windows Server / Directory Services
Windows Server / Rights Management
Associate Expert
Expert Zone - www.microsoft.com/windowsxp/expertzone
WebLog - www.msmvps.com/willhack4food
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Friday, March 19, 2004 9:10 PM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: [ActiveDir] OT HIPAA Security Risk Analysis

Is anyone here in the Healthcare field? If you are, what Risk Analysis methodology are you using to move forward with the HIPAA Security Rule?
