Purpose

This document establishes guidelines for risk analysis and management of ePHI (Electronic Personal Health Information). Risk management is an ongoing process to determine the value of assets and the corresponding exposure to threats and vulnerabilities. Information produced during the risk assessment will be used to determine and manage critical security controls for assurance of our ePHI resources.

Scope

This risk management program applies to resources with ePHI that are managed by the NCSA Health Care Component and ACHE, including those in the Advanced Computational Health Enclave.

Standards

Risk Assessment Frequency

A risk assessment will be performed every two years in coordination with the NCSA Security Office and the NCSA HIPAA liaison. Exceptions to this include (i) substantial infrastructure/environment changes that would require a new impact analysis and (ii) a security incident that warrants reevaluation of risks.

...

Risk Assessment Components

A risk assessment contains the following components: asset identification, data/service criticality analysis, threat assessment, risk determination, and a mitigation strategy. Risks will be recorded in the NCSA risk register, and risk assessments will be retained for 6 years or since the inception of the NCSA Health Care Component, whichever is shorter.

Risk Management Process

The risk assessment is part of an on-going process to understand and manage risk. The broader process contains the following steps.

  1. A risk assessment is performed.
  2. Findings are submitted to the NCSA Security Office within 30 days, and the Security Office forwards them to the HIPAA liaison.
  3. The NCSA Security Office works with the project(s) to remediate vulnerabilities and mitigate risks within 90 days of finishing the assessment. If this is not possible for all risks, an exemption must be requested in writing to the Security Office and HIPAA liaison.
  4. Remediation activities are documented in a remediation plan.
  5. The remediation plan is sent to the Security Office, who sends it to the HIPAA liaison.

Privacy

All data from the risk assessment is kept confidential and not shared without written approval from the NCSA Security Office and HIPAA liaison.

Consequences

Violations can result in disciplinary action as described in the University of Illinois HIPAA policies.

...