This PDF 1.4 document has been generated by / iTextSharp™ 5.4.1 ©2000-2012 1T3XT BVBA (AGPL-version), and has been sent on pdf-archive.com on 14/02/2018 at 21:16, from IP address 107.172.x.x.
basics of a risk analysis
There are numerous methods of performing a risk analysis, and there is no single method or "best practice" that guarantees compliance with the Security Rule. Some examples of steps that might be applied in a risk analysis process are outlined in NIST SP 800-30. The remainder of this guidance document describes several elements a risk analysis must incorporate, regardless of the method employed.
Scope of the Analysis
The scope of the risk analysis that the Security Rule requires encompasses the potential risks and vulnerabilities to the confidentiality, integrity and availability of all e-PHI that an organization creates, receives, maintains, or transmits. (45 C.F.R. § 164.306(a).) This includes e-PHI in all forms of electronic media, such as hard drives, floppy disks, CDs, DVDs, smart cards or other storage devices, personal digital assistants, transmission media, or portable electronic media. Electronic media includes a single workstation as well as complex networks connected between multiple locations. Thus, an organization's risk analysis must take into account all of its e-PHI, regardless of the particular electronic medium in which it is created, received, maintained or transmitted, and regardless of the source or location of that e-PHI.
An organization must identify where its e-PHI is stored, received, maintained or transmitted. An organization could gather the relevant data by reviewing past and/or existing projects, performing interviews, reviewing documentation, or using other data-gathering techniques. The data on e-PHI gathered through these methods must be documented. (See 45 C.F.R. §§ 164.308(a)(1)(ii)(A) and 164.316(b)(1).)
Identify and Document Potential Threats and Vulnerabilities
Organizations must identify and document reasonably anticipated threats to e-PHI. (See 45 C.F.R. §§ 164.306(a)(2) and 164.316(b)(1)(ii).) Organizations may identify different threats that are unique to the circumstances of their environment. Organizations must also identify and document vulnerabilities which, if triggered or exploited by a threat, would create a risk of inappropriate access to or disclosure of e-PHI. (See 45 C.F.R. §§ 164.308(a)(1)(ii)(A) and 164.316(b)(1)(ii).)