Health Care and Life Sciences: Risk Assessment.
#122603380
Topic: Any topic (writer’s choice)
Type of paper: Excel sheet risk assessment
Discipline: Health Care and Life Sciences
Format or citation style: APA
Pages: 3
Deadline: 10 hrs
Identify eighteen (18) areas of risk which are, or should be, a “top priority” for a medical practice with the following description. The hypothetical physician practice to be used for your assignment is a medium-sized pediatric practice consisting of 5 physicians/owners, two billers, 1 practice manager, 2 nurse practitioners and three front desk personnel. The practice maintains its own computer server on-site (the server contains the EHR and practice management software and is backed up to tape on a local tape drive) and uses workstations throughout the practice. The practice uses a cloud-based email system and has a laptop-based EKG system. The practice has contracted with an outside IT company for “major issues,” but otherwise handles its day-to-day IT support itself, and has implemented the HIPAA Privacy Rule requirements as required in April 2003. Additionally, the practice facility has a security system installed (alarm system, motion detectors, etc.).
Please provide examples and/or resource support for the assignment.
USE THIS FORMAT: this assignment may be submitted using the column headers/format of the “Sample Physician Practice RA” tab of the HIMSS Sample Risk Assessment Plan.
This is just an example; please fill out this Excel sheet with your own example.
Threat Source | Existing Controls | Likelihood of Occurrence | Impact Severity | Risk Level | Recommended Best Practice Control | Comments |
Unauthorized and malicious outsiders or insiders | HIPAA Privacy Rule policy manual purchased in 2003 | Medium | High | Medium | Progressive reviews and application of required regulatory privacy and security standards (HIPAA Privacy and Security Rules, Omnibus Rule changes, etc.). Development of compliance plans with help from outside expertise rather than self-dependency. | Program updates facilitate system efficiency and the safety of PHI. |
Users | None | High | High | High | Delegation of duties so that leaked information can be traced back, and oversight personnel to look out for inside adversaries; use of encrypted transfer media; institution of policies on data editing, storage and deletion. Promotion of data security where access to crucial data can only be authorized by more than one individual. | Systems should be screened for any deletions, downloads or transfers. Employees should be barred from using personal email for the transfer of official information. |
Adversarial insider or outsider | Password length set at a minimum of six characters | Medium | Medium | Medium | Institution of standards where passwords are set at a minimum of 10 characters and must include upper- and lower-case characters and a number or special character. Four unsuccessful login attempts should block the account, and recovery of such accounts should be done through the administration office. When changing a password, verification platforms such as email verification before the final change should be considered. | Employees should be alerted to the need to create strong passwords and change them regularly. |
Unauthorized and malicious outsiders or insiders | Those with authorized access to PHI have prescribed personal identification credentials | Medium | Medium | Medium | Establishment of strong login credentials known only to specific users. There should be regular system audits to establish any intrusions and suspicious activities. | The frequency of access to crucial information should be limited. It will help identify any unauthorized access from outsiders. |
Authorized and malicious outsiders or insiders | None | Low | Medium | Low | Implement policies that allow access only on location in the facility, and deactivate dormant accounts after a specified time period. | A user might continue accessing information, corrupting it or simply intruding on the privacy of the employees, hence the need to limit and regain access authority after termination. |
Unauthorized and malicious outsiders or insiders | None | Low | High | Low | Implement a “logout” policy on leaving the workstation, encryption of crucial documents and secure storage of hard drives. | Advanced encryption of systems to deny access to outsiders and the locking of hard drives reduce susceptibility to intrusions. |
Hardware or system failure, disaster incidents | None | High | Medium | Medium | Ensure that incident recovery and data backup plans are followed strictly. Regular system updates and testing to gauge capabilities and identify possible loopholes. Regular and effective media backups for reinstallation and program reinstatement. | An efficient user interface ensures effective interactions and executions with the system. |
Unauthorized and malicious outsiders | WPA2 protocols are used for wireless networks | Medium | High | Medium | Upgrade the protocols and anti-malware software, include VPNs, and avoid transfer of information over public Wi-Fi. | Upgrades and enactment of strong access credentials give intruders fewer chances of getting into the system. |
Due to natural disasters or accidents | Computer systems are backed up to tape on a local tape drive | Medium | High | Medium | Conduct a systems audit and analysis to identify weaknesses, and ensure that all critical data is included in the Data Backup Plan. The backup plan itself should also be backed up and the media stored off site to avoid destruction during disasters. | The facility holds crucial information from different patients and its destruction might lead to massive losses; while some disasters are not preventable, there is always the need to secure it in other places for effective recovery. |
Unauthorized and malicious outsiders | A single security guard | Low | High | Low | Installation of security systems such as an alarm system, motion detectors and security cameras, and proper grilles on windows and doors for enhanced security. | Adversaries might forcibly, or by using employees, intrude into the facility with the intention of taking the PHI. Therefore, apart from security personnel, security systems should also be installed. |
Accidents, malicious insiders or outsiders | Shredders and bins for disposable drives | Low | High | Low | Documents should be well shredded and burnt. If burning is impossible, the documents and drives should strictly be assigned to a trusted disposal institution to which any retracing of the information can be traced. | The facility might perceive that the respective PHI has been fully destroyed only to realize there was no full erasure. Therefore, the facility should do its own part of the disposal but still consider a trusted disposal institution to eliminate such chances. |
Ill-intentioned individuals or accidental access | None | Medium | High | Medium | Advanced encryption to secure the information from access by the contractors, and strict supervision to ensure they don’t access devices holding the respective information. | The encryption protects information from ‘normal’ individuals while supervised working conditions help prevent experts from intruding into the database. |
Malicious outsiders and insiders | None | Low | High | Low | Enact regulations on the use of mobile devices in the workplace, whether the company’s or personal. They should have security controls that prohibit access from outsiders, and timed sessions. | Personal mobile devices are the most vulnerable given that employees could capture information and leave the facility with it. |
Accidental or environmental | Offices kept clean, free from damp and dust; daily cleaning | Medium | Medium | Medium | Proper placement of equipment away from damp areas; protect it when cleaning and avoid spillage. | Whenever the equipment is soiled, it might take time before repair, which delays the customer service process. Some information might also be lost. |
Unsuspecting or ignorant insiders | Systems log out after 20 minutes of inactivity | High | Medium | Medium | Employee training and awareness on the need to protect information through the provided policies and guidelines. | Employees should be informed of the need to take measures to protect institutional PHI. |
Malicious outsiders and insiders | There are system and equipment checks whenever problems occur | Low | Medium | Low | Equipment and machines should be replaced appropriately and regularly instead of waiting until they are dysfunctional or broken. | Continuous machine replacement ensures the equipment is up to date and hence safer. |
Malicious outsiders and insiders, technological | Installed anti-virus and operating system software | Medium | High | Medium | Regular checks and reviews of the OS to update to newer versions; the anti-virus and anti-malware programs should be upgraded and updated, with special consideration to prevent further intrusion from non-genuine updates. | Security and anti-malware programs should be installed and updated to reduce intrusion vulnerabilities. |
Malicious insiders and outsiders | Information encryption and firewalls | Low | High | Low | Installation of advanced anti-malware, filters to check incoming messages and strict usage of secure networks. | Installation of diagnostic tools would help identify unauthorized access, information editing, transfer or erasure, enhancing its security. |
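As an added illustration of the password and account-lockout standard recommended in the "Adversarial insider or outsider" row (this code is not part of the assignment or the HIMSS sample sheet), the following Python enforces the 10-character complexity rule, blocks an account after four unsuccessful logins and leaves recovery to an administrator. The salted PBKDF2 storage and all function names are my own assumptions, not anything the sheet specifies.

```python
import hashlib, hmac, os, re
from dataclasses import dataclass

MIN_LENGTH = 10        # recommended control: at least 10 characters
MAX_FAILED_LOGINS = 4  # recommended control: four failed logins block the account

def password_meets_policy(password: str) -> bool:
    """At least 10 chars with upper case, lower case, and a digit or special character."""
    return (len(password) >= MIN_LENGTH
            and re.search(r"[A-Z]", password) is not None
            and re.search(r"[a-z]", password) is not None
            and re.search(r"[0-9]|[^A-Za-z0-9]", password) is not None)

def hash_password(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 (assumed here), so the practice never stores the password itself
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked: bool = False

def create_account(username: str, password: str) -> Account:
    """Refuses any password that does not meet the complexity standard."""
    if not password_meets_policy(password):
        raise ValueError("password does not meet the 10-character complexity policy")
    salt = os.urandom(16)
    return Account(username, salt, hash_password(password, salt))

def attempt_login(acct: Account, supplied: str) -> str:
    """Returns 'ok', 'denied' or 'locked'; a lock is lifted only by admin_unlock()."""
    if acct.locked:
        return "locked"
    if not hmac.compare_digest(hash_password(supplied, acct.salt), acct.pw_hash):
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_LOGINS:
            acct.locked = True   # recovery goes through the administration office
            return "locked"
        return "denied"
    acct.failed_attempts = 0     # a successful login resets the counter
    return "ok"

def admin_unlock(acct: Account) -> None:
    # Performed by the administration office, never by the locked-out user
    acct.locked, acct.failed_attempts = False, 0
```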