Document Name: Risk Management Program for the Advanced Computational Health Enclave
This document establishes guidelines for risk analysis and management of ePHI (Electronic Protected Health Information). Risk management is an ongoing process of determining the value of assets and their corresponding exposure to threats and vulnerabilities. Information produced during the risk assessment will be used to select and manage security controls for our ePHI resources.
This risk management program applies to resources with ePHI that are managed by the NCSA Health Care Component, including those in the Advanced Computational Health Enclave.
A risk assessment will be performed every year in coordination with the NCSA Security Office and the NCSA HIPAA Liaison. An additional, out-of-cycle assessment will be performed when (i) a substantial infrastructure or environment change requires a new impact analysis, or (ii) a security incident warrants a reevaluation of risks.
A risk assessment contains the following components: asset identification, data/service criticality analysis, threat assessment, risk determination, and a mitigation strategy. Risks will be recorded in the NCSA risk register, and risk assessments will be retained for at least 6 years (or, if the NCSA Health Care Component has existed for less than 6 years, since its inception).
The risk assessment is part of an ongoing process to understand and manage risk. The broader process contains the following steps.
All data from the risk assessment is kept confidential and not shared without written approval from the NCSA Security Office and HIPAA Liaison.
Violations can result in disciplinary action as described in the University of Illinois HIPAA policies.