11.10 STANDARD: SECURITY EVALUATION

The Security Evaluation Standard has no implementation specification, but it is a required standard.

This standard requires that a covered entity perform periodic technical and non-technical evaluations to determine the extent to which the CE's security policies and procedures continue to meet the requirements of the Security Rule.

This evaluation may be performed internally, but the rule gives no specifics on how it is to be done. As always, the covered entity should document the process followed and the decisions made to comply with this standard.

To accomplish this, the covered entity could perform an additional, ongoing, or semi-annual risk analysis. Because the rules already require an initial risk analysis, that analysis can serve as the basis for the periodic evaluation.

Since security threats are constantly evolving and expanding, the covered entity will never be able to eliminate all of them. The security evaluation must weigh current threats against known vulnerabilities to produce a true picture of the risk. The rule makes this an ongoing process rather than a one-time occurrence. InfoSec best practices demand constant vigilance in this regard, and the HIPAA Security regulations reflect that need through continued periodic evaluations.

HIPAA Security Implementation, Version 1.0
ISBN: 974372722
EAN: N/A
Year: 2003
Pages: 181
