2-2 Milestone One: Complete a risk assessment for Shoreline Health System

Question: Complete a risk assessment for Shoreline Health System

In this milestone, you will complete a risk assessment for Shoreline Health System. To complete this assignment, you will use the Shoreline Health System case study as your base. In addition, you will provide recommendations on best practices for the identified vulnerabilities.

To complete this assignment, review the following documents:

Don't use plagiarized sources. Get Your Custom Essay on
Need an answer from similar question? You have just landed to the most confidential, trustful essay writing service to order the paper from.
Just from $11/Page
Order Now

1-2 Worksheet: risks and practice determining potential areas of noncompliance with HIPAA privacy and security regulations



HIM 680 Final Project Milestone One Worksheet

Risk Assessment


In this milestone, you will conduct a risk assessment for Shoreline Health System. To complete this assignment, you will use the Shoreline Health System case study in the Final Project Case Study document as your base. You will also conduct research to supplement the case study information and to determine common vulnerabilities and threats related to ransomware attacks, the departments impacted by these vulnerabilities and threats, the risk to noncompliance, and the likelihood, severity, and risk level of the vulnerabilities. Finally, you will also recommend best practices to address the identified vulnerabilities.


The information within the tabs of the Risk Assessment Report file will help you complete this milestone and fill in the assessment located on the next page.


Vulnerability Name: Describe particular weaknesses or flaws in your security that could be exploited by a threat source to cause a security violation or breach.


Threat Source: Describe the threats that could take advantage of the vulnerabilities. Consider the four categories of threats—adversarial, accidental, structural, and environmental—as well as more specific examples such as external and internal threats, users, visitors, viruses, natural hazards, and so on.


Departments Impacted: Identify the departments impacted by the crisis with a brief explanation of how each is impacted.


Noncompliance: Explain how the identified vulnerabilities lead to risks of potential noncompliance with HIPAA privacy and security regulations.


Likelihood of Occurrence: Determine if the likelihood of occurrence is high, medium, or low, and explain your reasoning.


Impact Severity: Determine if the impact severity is high, medium, or low, and explain your reasoning.


Risk Level: Determine if the risk level is high, medium, or low, and explain your reasoning.


Recommended Best Practice: Give recommendations for the best new safeguard(s) that can reduce further risk from this vulnerability. These safeguards may include policies, procedures, software, and so on.

 Risk Assessment

Vulnerability Name Threat Source Departments Impacted Noncompliance Likelihood of Occurrence Impact Severity Risk Level Recommended Best Practice
Unencrypted data Malware, ransomware, phishing The HIM department


IT department

HIPAA requires that all data be encrypted when it is at rest (being at rest means being under storage on a disk or drive) High Medium High Use AES 256-bit encryption, which has been cited as a very strong and robust standard for encryption that is availed to computer users commercially.


Ensure all the plain text passwords are in cipher text form; encrypt the plain text with keys

Security logging failure Low instances of logging and monitoring the systems HIM and IT department The healthcare facility is supposed to collect information, handle the information closely and regulate the manner of handling this information. High Medium Medium The medical facility needs to audit its logs frequently and properly; there is a need to compile, store and assess the logs
Sharing of PHI information The hard drives of the company were stolen by outsiders IT Department The question of non-compliance comes from the violation of the privacy rule; the identifiers of patients reach players who are not concerned with the health of the patient. Patient information needs to be kept within the facility and be used by those who oversee the health of the patient Low Medium Medium Requires setting up physical security in which to place the hard drives and prevent them from getting into the hands of external personal

Modified from HIMSS Security Risk Assessment Guide/Data Collection Matrix with permission of HIMSS.


Highest Priority Vulnerability

What is the highest priority vulnerability the organization needs to address to ensure compliance with HIPAA privacy and security regulations?

The highest priority vulnerability is the use of unencrypted data concerning patients in storage drives. The data stolen may end up in the hands of those who may want to cause actual harm to the patients identified by stolen information. For instance, those that took information regarding patients from BlueCross BlueShield of Tennessee (BCBST) used the information for activities other than promoting the health of the patient. If this information finds its way into the hands of an individual who does not care about the well-being of the listed individuals, they may cause more damage than using the information for marketing.



Use your risk assessment to justify why this is the highest priority:

There are three risks present in the scenario. From the risks that are present, the stolen unencrypted data presented the highest risk priority and impact severity considering that not much is known concerning the possible use of the data stolen from the facility.