In this worksheet, you will rank risks and practice determining potential areas of noncompliance with HIPAA privacy and security regulations.
Submit your assignment here. Make sure you’ve included all the required elements by reviewing the guidelines and rubric.
|Risk Assessment Vulnerability Name||Threat Source||Departments Impacted||Noncompliance||Likelihood of Occurrence||Impact Severity||Risk Level||Recommended Best Practice|
|Unencrypted data||Malware, ransomware, phishing||The HIM department
|HIPAA requires that all data be encrypted when it is at rest (being at rest means being under storage on a disk or drive)||High||Medium||High||Use AES 256-bit encryption, which has been cited as a very strong and robust standard for encryption that is availed to computer users commercially
Ensure all the plain text passwords are in cipher text form; encrypt the plain text with keys
|Security logging failure||Low instances of logging and monitoring the systems||HIM and IT department||The healthcare facility is supposed to collect information, handle the information closely and regulate the manner of handling this information.||High||Medium||Medium||The medical facility needs to audit its logs frequently and properly; there is a need to compile, store and assess the logs|
|Sharing of PHI information||The hard drives of the company were stolen by outsiders||IT Department||The question of non-compliance comes from the violation of the privacy rule; the identifiers of patients reach players who are not concerned with the health of the patient. Patient information needs to be kept within the facility and be used by those who are in charge of the health of the patient||Low||Medium||Medium||Requires setting up physical security in which to place the hard drives and prevent them from getting into the hands of external personal|
Modified from HIMSS Security Risk Assessment Guide/Data Collection Matrix with permission of HIMSS.
Highest Priority Vulnerability
The highest priority vulnerability to address for compliance with HIPAA
The highest priority vulnerability is the use of unencrypted data concerning patients in storage drives. The data stolen may end up in the hands of those who may want to cause actual harm to the patients identified by stolen information. For instance, those that took information regarding patients from BlueCross BlueShield of Tennessee (BCBST) used the information for activities other than promoting the health of the patient. if this information finds its way into the hands of an individual who does not care about the well-being of the listed individuals, they may cause more damage than using the information for marketing.
Use your risk assessment to justify why this is the highest priority:
There are three risks present in the scenario. From the risks that are present, the stolen unencrypted data presented the highest risk priority and impact severity considering that not much is known concerning the possible use of the data stolen from the facility