Meeting Risk Analysis Requirements for Business Associates and Small Entities
MRO’s Anthony Murray, CISSP, Vice President of Information Technology, offers insight on risk analysis.
Completing a risk analysis is a tall order for most organizations. A significant amount of work is required before the analysis can even begin (inventorying where ePHI is created, received, stored and transmitted, and identifying the systems and people that handle it), and more work follows afterward to remediate the threats and vulnerabilities the analysis identifies.
Although the same requirements apply to every entity covered by HIPAA, whether covered entities (CEs) or business associates (BAs), multistate health systems or new health IT startups, the type and structure of the organization shape how the risk analysis is scoped and carried out. A smaller organization might have fewer data assets but also fewer staff available to conduct the analysis. A BA might work with multiple CEs, each with its own processes and expectations for the risk analysis, and must reconcile those expectations with a single, defensible analysis of its own environment.
A thorough, compliant risk analysis is a cornerstone of a sound security program and the starting point for the Security Rule's risk management requirements. Although the scope of a risk analysis can appear daunting, security officers can turn to HIPAA's published guidance on risk analysis to structure preparation, execution, and follow-up.