This PDF 1.4 document has been generated by / iTextSharp™ 5.4.1 ©2000-2012 1T3XT BVBA (AGPL-version), and has been sent on pdf-archive.com on 15/02/2018 at 06:02, from IP address 104.223.x.x.
fundamentals of a risk analysis
There are numerous methods of performing a risk analysis, and there is no single method or
"best practice" that guarantees compliance with the Security Rule. Examples of steps that may
be applied in a risk analysis process are described in NIST SP 800-30. The remainder of this
guidance document discusses some of the elements a risk analysis must incorporate, regardless of the
Scope of the Analysis
The scope of the risk analysis that the Security Rule requires covers the potential risks and
vulnerabilities to the confidentiality, availability and integrity of all e-PHI that an organization creates,
receives, maintains, or transmits. (45 C.F.R. § 164.306(a).) This includes e-PHI in all forms of electronic
media, such as hard drives, floppy disks, CDs, DVDs, smart cards or other storage devices, personal
digital assistants, transmission media, or portable electronic media. Electronic media ranges from a
single workstation to complex networks connected across multiple locations. An organization's risk
analysis must therefore take into account all of its e-PHI, regardless of the particular electronic medium
in which it is created, received, maintained or transmitted, and regardless of the source or location of
that e-PHI.
An organization must identify where its e-PHI is stored, received, maintained or transmitted.
An organization may gather the relevant data by reviewing past and/or current projects,
conducting interviews, reviewing documentation, or using other data-gathering techniques.
The data on e-PHI gathered by these methods must be documented.
(See 45 C.F.R. §§ 164.308(a)(1)(ii)(A) and 164.316(b)(1).)
Identify and Document Potential Threats and Vulnerabilities
Organizations must identify and document reasonably anticipated threats to e-PHI. (See 45
C.F.R. §§ 164.306(a)(2) and 164.316(b)(1)(ii).) Organizations may identify different threats that
are unique to the circumstances of their environment. Organizations must also identify and
document vulnerabilities which, if triggered or exploited by a threat, would create a risk of
inappropriate access to or disclosure of e-PHI. (See 45 C.F.R. §§ 164.308(a)(1)(ii)(A) and