15.11 SUMMARY


Continuing compliance with the HIPAA security rules is an exercise in risk management. An effective risk management strategy is a substantial undertaking that affects virtually every part of any organization. It is critical that this effort be carefully coordinated, adequately resourced and sustained. Devoting so many resources may seem like a costly, time-consuming endeavor, but over time the rewards will outweigh the initial investment. A properly implemented risk management system will reduce costs through better training, smoother transitions, reduced risk exposure and more effective handling of security-related incidents. In this section, we discussed how to create the foundations for your risk management program using recognized standards such as NIST and ISO 17799. Standards-based risk management ensures that your organization is operating under a defensible set of practices and that all contingencies are covered. Another facet of risk management covered here is the set of roles that individuals should have in your security organization. The security organization's structure is essential because security-related decisions often have far-reaching impacts throughout the organization, so the security organization must have representation at the highest levels.

Next, we discussed vulnerability management and patch management. Both of these items are essential in terms of managing risk in the enterprise. Most organizations take these tasks on in an ad hoc manner, but effective programs use planning, prioritization and metrics to guide their actions. User account management is another critical activity associated with risk management in the enterprise. This takes on special significance with respect to HIPAA because several of the HIPAA standards focus specifically on this issue. This is an area of particular concern as well because user account weaknesses are so easy to exploit. Even an unsophisticated attacker can easily leverage a generic user account to hide his or her malicious activities.

Another area of concern discussed in this section is disaster recovery planning. Despite our best efforts, things that are beyond our control will happen. Fortunately, devastating occurrences are rare, but how such incidents are handled can mean the difference between an organization that resumes operations in a timely and organized manner while incurring minimal costs and an organization that struggles to get back in business with deep impacts that may even affect the future viability of the organization. Healthcare in particular is greatly affected in that poor execution of disaster plans can have impacts beyond costs as people's lives can be put at risk as well.

Lastly, we discussed a variety of regulatory and legal compliance issues that extend beyond the mandates of HIPAA. For example, every organization is affected by copyright law and by the potential impacts if the organization is found to be non-compliant in this regard. Compliance can also mean how well your own organization is abiding by the policies and practices that it may have implemented in its HIPAA compliance efforts. Another challenge in this regard is the threat posed by third parties. Those vendors and visitors should not only be aware of your security policies, but should also be expected to abide by them. It is not uncommon for an organization that has fairly rigid internal controls to still be vulnerable to malicious code attacks because a visitor to your facility plugged in a machine that didn't meet your own standards for virus controls.

Again, risk management is an endeavor that is very broad in scope. But a solid program is the best way to ensure that your organization maintains HIPAA compliance once the initial round of remediation efforts has been accomplished.

HIPAA Security Implementation, Version 1.0
ISBN: 974372722
Year: 2003
Pages: 181