Original filename: elements of a risk analysis1090.pdf
This PDF 1.4 document has been generated by / iTextSharp™ 5.4.1 ©2000-2012 1T3XT BVBA (AGPL-version), and has been sent on pdf-archive.com on 18/02/2018 at 06:01, from IP address 154.16.x.x.
elements of a risk analysis
There are many ways to perform a risk analysis, and there is no single approach or "best
practice" that guarantees compliance with the Security Rule. Some examples of steps that might
be applied in a risk analysis process are outlined in NIST SP 800-30. The remainder of this guidance
paper describes several elements a risk analysis must include, regardless of the mode
Scope of the Analysis
The scope of the risk analysis that the Security Rule requires includes the potential risks and
vulnerabilities to the confidentiality, availability and integrity of all e-PHI that an organization
creates, receives, maintains, or transmits. (45 C.F.R. § 164.306(a).) This includes e-PHI in all
forms of electronic media, such as hard drives, floppy disks, CDs, DVDs, smart cards or other
storage devices, PDAs, transmission media, or portable electronic media. Electronic media ranges
from a single workstation to complex networks connecting multiple locations. Consequently, an
organization's risk analysis should take into account all of its e-PHI, regardless of the particular
electronic medium in which it is created, received, maintained or transmitted, and regardless of the
source or location of that e-PHI.
An organization must identify where its e-PHI is stored, received, maintained or transmitted.
An organization may gather the relevant data by: reviewing past and/or existing projects;
performing interviews; reviewing documentation; or using other data gathering techniques. The
data on e-PHI gathered through these methods must be documented. (See 45 C.F.R. §§
164.308(a)(1)(ii)(A) and 164.316(b)(1).)
Ascertain and Authenticate Potential Risks and
Organizations must identify and document reasonably anticipated threats to e-PHI. (See 45 C.F.R. §§
164.306(a)(2) and 164.316(b)(1)(ii).) Organizations may identify different threats that are unique to
the circumstances of their environment. Organizations must also identify and document vulnerabilities
which, if triggered or exploited by a threat, would create a risk of inappropriate access to or
disclosure of e-PHI. (See 45 C.F.R. §§ 164.308(a)(1)(ii)(A) and 164.316(b)(1)(ii).)