"Failure to meet these rules results in hefty fines and potential jail time if memory serves me correctly."

Yes, on both counts. AND - it means on each instance, and each violator. The Feds aren't playing when it comes to the protection of patient data.

Now, if we could only get them as serious on other matters..... But, I digress.

Sadly, no - I don't know of any consultants in the area, Justin. You might check with other Health groups or associations in your area. Someone is bound to be in the same situation.

Rick Kingslan MCSE, MCSA, MCT, CISSP

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.
Sent: Monday, March 22, 2004 8:53 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] OT HIPAA Security Risk Analysis

Our buy-in is HIPAA. This process is mandatory from the federal government in order to move toward compliance with the HIPAA Rule. Failure to meet these rules results in hefty fines and potential jail time if memory serves me correctly. I guess since no one in the organization has the expertise to conduct an RA, a consultant will have to come in to guide us.

Do you know of any that are not extremely expensive in the Greater New York Area?

-----Original Message-----

Not everything is best done with software. The only software that I know of (name escapes me at the moment - I'll get it and report back) is more of a data collection tool to help you format the data - it doesn't help collect it, per se. You still have to know HOW to do an RA. It still is going to require the classification of data types, assigning likelihood of loss, cost of loss, etc. Nothing I know of is going to make that easier than experience.

First, and foremost - do you have buy-in for this process to the highest levels of management, and financial backing to get it done? And, dedicated staff to man the project? Without these, it's not going to succeed.

Rick Kingslan MCSE, MCSA, MCT, CISSP

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.

Can you point me to a software package that can conduct this analysis, or do you have something that you could send over that would help us develop a methodology in-house?

-----Original Message-----

Same Risk Analysis that would be used for Sarb-Ox, GLB - really, it doesn't matter. It's a methodology of determining who owns the data (you're either a data custodian (you properly have data from someone else), you are the data owner (well, you own the data) or a thief (you don't own the data)) and seeing that the data owner understands the classification of the data (Private, sensitive, confidential, etc.) and that it is classified properly. Once it's classified, then you must have procedures and processes to go with the classifications that match with HIPAA - this will determine how the Data Custodian must deal with the data. The Data Custodian cannot classify your data - it's not his.

Once the classification of the data is done, the Risk Analysis pretty much falls into place with the same quantitative and qualitative methods as any other type of RA. Be sure to consider what methods of transmission, what the likelihood is of the data being compromised while it's in your possession, out of your possession, and how you can transfer the risk. Remember, there are lots of ways to transfer the risk, number one being Insurance, number two out-sourcing.

Hope that gives you a start.

Rick Kingslan MCSE, MCSA, MCT, CISSP

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Salandra, Justin A.

Is anyone here in the Healthcare field? If you are, what Risk Analysis methodology are you using to move forward with the HIPAA Security Rule?