Redspin's thoughts and insights on Stage 2 after providing security risk analysis (SRA) services to dozens of hospitals for Stage 1 of Meaningful Use.
Covered entities and eligible providers must now address the issue of encryption of "data at rest" as part of their security risk analysis process. This shines a spotlight on the existing encryption references within the HIPAA Security Rule. Encryption of ePHI is specifically covered under 45 CFR 164.312(a)(2)(iv), which reads: "Implement a mechanism to encrypt and decrypt electronic protected health information." However, because it is categorized as an "addressable" implementation specification rather than a "required" one, it is not strictly mandated. Addressable does not mean optional: the organization must assess whether encryption is reasonable and appropriate in its environment and, if it decides not to implement it, document the reasoning and implement an equivalent alternative measure where one is reasonable and appropriate.
At the end of the report, the authors suggest a new methodology for applying quantitative risk analysis to healthcare IT security called "PHIve." Its end goal is to enable an organization to calculate how much it should invest to reduce the risk of a data breach.
The HIPAA Security Risk Analysis requirement of the Stage 1 EHR Meaningful Use Incentive Plan is here to stay! Make sure you are compliant! Redspin's top of the line assessments will set you on the right path.
FAQ about HIPAA Security Risk analysis answered for your reading pleasure.
Here is how the EHR Technology certification process works
Third party Business Associates are now accounting for nearly 40% of data breaches of protected health information. This is an alarming uptick.
As an independent provider of security assessments, we are keenly aware of the two primary drivers of an objective security assessment: security or compliance. Roughly, these two views of risk management can be thought of as similar in some ways but sharply different in others.
Why is HIPAA Security Risk Analysis necessary for healthcare organizations? A compliance and security approach.
This document will walk you through the necessary steps to prepare your company.