Assignment 11 – 570 CT
(Wager et al., 2017, pp. 306-311)
THE HEALTH CARE ORGANIZATION’S SECURITY PROGRAM
The realization of any of the threats discussed in the previous section can cause significant damage to the organization. Resorting to manual operations if the computers are down for days, for example, can lead to organizational chaos. Theft or loss of organizational data can lead to litigation by the individuals harmed by the disclosure of the data and HIPAA violations. Malware can corrupt databases, corruption from which there may be no recovery. The function of the health care organization’s security program is to identify potential threats and implement processes to remove these threats or mitigate their ability to cause damage. The primary challenge of developing an effective security program in a health care organization is balancing the need for security with the cost of security. An organization does not know how to calculate the likelihood that a hacker will cause serious damage, or a backhoe will cut through network cables under the street. The organization may not fully understand the consequences of being without its network for four hours or four days. Hence, it may not be sure how much to spend to remove or reduce the risk. Another challenge is maintaining a satisfactory balance between health care information system security and health care data and information availability. As we saw in Chapter Two, the major purpose of maintaining health information and health records is to facilitate high-quality care for patients. On the one hand, if an organization’s security measures are so stringent that they prevent appropriate access to the health information needed to care for patients, this important purpose is undermined. On the other hand, if the organization allows unrestricted access to all patient-identifiable information to all its employees, the patients’ rights to privacy and confidentiality would certainly be violated and the organization’s IT assets would be at considerable risk. 
The ONC (2015) publication Guide to Privacy and Security of Electronic Health Information for health care providers includes a chapter describing a seven-step approach for implementing a security management process. The guidance is directed at physician practices or other small health care organizations, and it does not include specific technical solutions. Specific solutions for security protection will be driven by the organization’s overall plan and will be managed by the organization’s IT team. Larger organizations must also develop comprehensive security programs and will follow the same basic steps, but they will likely have more internal resources for security than smaller practices. Each step in the ONC security management process for health care providers is listed in the following section.
Step 1: Lead Your Culture, Select Your Team, and Learn
This step includes six actions:
1. Designate a security officer, who will be responsible for developing and implementing the security practices to meet HIPAA requirements and ensure the security of PHI.
2. Discuss HIPAA security requirements with your EHR developer to ensure that your system can be implemented to meet the security requirements of HIPAA and Meaningful Use.
3. Consider using a qualified professional to assist with your security risk analysis. The security risk analysis is the opportunity to discover as much as possible about risks and vulnerabilities to health information within the organization.
4. Use tools to preview your security risk analysis. Examples of available tools are listed within Step 3.
5. Refresh your knowledge base of the HIPAA rules.
6. Promote a culture of protecting patient privacy and securing patient information. Make sure to communicate that all members of the organization are responsible for protecting patient information.
Step 2: Document Your Process, Findings, and Actions
Documenting the processes for risk analysis and implementation of safeguards is very important, not to mention a requirement of HIPAA. The following are some examples cited by the ONC of records to retain:
• Policies and procedures
• Completed security checklists (ESET, n.d.)
• Training materials presented to staff members and volunteers and any associated certificates of completion
• Updated business associate (BA) agreements
• Security risk analysis report
• EHR audit logs that show utilization of security features and efforts to monitor users’ actions
• Risk management action plan or other documentation that shows appropriate safeguards are in place throughout your organization, implementation timetables, and implementation notes
• Security incident and breach information
Step 3: Review Existing Security of ePHI (Perform Security Risk Analysis)
Risk analysis assesses potential threats and vulnerabilities to the “confidentiality, integrity and availability” (ONC, 2015, p. 41) of PHI. Several excellent government-sponsored guides and toolsets available for conducting a comprehensive risk analysis are listed in Table 9.3 with a corresponding web address.
Table 9.3 Resources for conducting a comprehensive risk analysis
Resource | Web address |
OCR’s Guidance on Risk Analysis Requirements under the HIPAA Security Rule | http://www.hhs.gov/hipaa/for-professionals/security/guidance/final-guidance-risk-analysis/index.html |
OCR Security Rule Frequently Asked Questions (FAQs) | http://www.hhs.gov/hipaa/for-professionals/faq |
ONC SRA (Security Risk Assessment) Tool for small practices | https://www.healthit.gov/providers-professionals/security-risk-assessment |
National Institute of Standards and Technology (NIST) HIPAA Security Rule Toolkit | https://scap.nist.gov/hipaa/ |
The three basic actions recommended for the organization’s first comprehensive security risk analysis are as follows:
1. Identify where ePHI exists.
2. Identify potential threats and vulnerabilities to ePHI.
3. Identify risks and their associated levels.
Step 4: Develop an Action Plan
As discussed, the HIPAA Security Rule provides flexibility in how to achieve compliance, which allows an organization to take into account its specific needs. The action plan should include five components. Once in place, the plan should be reviewed regularly by the security team, led by the security officer.
1. Administrative safeguards
2. Physical safeguards
3. Technical safeguards
4. Organizational standards
5. Policies and procedures
Table 9.4 lists common examples of vulnerabilities and mitigation strategies that could be employed.
Table 9.4 Common examples of vulnerabilities and mitigation strategies
Security component | Examples of vulnerabilities | Examples of security mitigation strategies |
Administrative safeguards | No security officer is designated. Workforce is not trained or is unaware of privacy and security issues. | Security officer is designated and publicized. Workforce training begins at hire and is conducted on a regular and frequent basis. Security risk analysis is performed periodically and when a change occurs in the practice or the technology. |
Physical safeguards | Facility has insufficient locks and other barriers to patient data access. Computer equipment is easily accessible by the public. Portable devices are not tracked or not locked up when not in use. | Building alarm systems are installed. Offices are locked. Screens are shielded from secondary viewers. |
Technical safeguards | Poor controls enable inappropriate access to EHR. Audit logs are not used enough to monitor users and other EHR activities. No measures are in place to keep electronic patient data from improper changes. No contingency plan exists. Electronic exchanges of patient information are not encrypted or otherwise secured. | Secure user IDs, passwords, and appropriate role-based access are used. Routine audits of access and changes to EHR are conducted. Anti-hacking and anti-malware software are installed. Contingency plans and data backup plans are in place. Data are encrypted. |
Organizational standards | No breach notification and associated policies exist. BA agreements have not been updated in several years. | Regular reviews of agreements are conducted, and updates made accordingly. |
Policies and procedures | Generic written policies and procedures to ensure HIPAA security compliance were purchased but not followed. The manager performs ad hoc security measures. | Written policies and procedures are implemented, and staff members are trained. Security team conducts monthly review of user activities. Routine updates are made to document security measures. |
Step 5: Manage and Mitigate Risks
The security plan will reduce risk only if it is followed by all employees in the organization. This step has four actions associated with it.
1. Implement your plan.
2. Prevent breaches by educating and training your workforce.
3. Communicate with patients.
4. Update your BA contracts.
Step 6: Attest for Meaningful Use Security Related Objective
Organizations can attest to the EHR Incentive Program security-related objective after the security risk analysis and correction of any identified deficiencies.
Step 7: Monitor, Audit, and Update Security on an Ongoing Basis
The security officer, IT administrator, and EHR developer should work together to ensure that the organization’s monitoring and auditing functions are active and configured appropriately. Auditing and monitoring are necessary to determine the adequacy and effectiveness of the security plan and infrastructure, as well as the “who, what, when, where and how” (ONC, 2015, p. 54) patients’ ePHI is accessed.
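As an added example (not code from Wager et al. or the ONC guide), the following Python script reviews a constructed EHR audit log against a hypothetical role-based access policy: it answers the who, what, when, and where of ePHI access described in Step 7 and flags actions a role is not permitted to perform, the kind of routine access audit Table 9.4 lists as a technical safeguard. The log lines, user names, roles, workstation names, and the policy are all assumptions.

```python
from collections import defaultdict

# Constructed sample EHR audit log (not real data): when|who|role|what|patient|where
SAMPLE_LOG = """\
2017-03-01T08:02:11|jdoe|nurse|view|P1001|WS-ICU-3
2017-03-01T08:05:40|jdoe|nurse|view|P1002|WS-ICU-3
2017-03-01T09:15:02|bsmith|billing|view|P1001|WS-BILL-1
2017-03-01T09:16:30|bsmith|billing|modify|P1001|WS-BILL-1
2017-03-01T12:44:09|rlee|physician|modify|P1003|WS-CLINIC-2
2017-03-01T23:58:51|jdoe|nurse|export|P1002|WS-LOBBY-1
"""

# Hypothetical role-based access policy: actions each role may perform on ePHI.
ROLE_POLICY = {
    "physician": {"view", "modify"},
    "nurse": {"view"},
    "billing": {"view"},
}

def parse_log(text):
    """Parse pipe-delimited lines into who/what/when/where records."""
    fields = ("when", "who", "role", "what", "patient", "where")
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|")
        if len(parts) != len(fields):
            raise ValueError(f"malformed audit line: {line!r}")
        records.append(dict(zip(fields, parts)))
    return records

def find_policy_violations(records, policy=ROLE_POLICY):
    """Return records whose action is not permitted for the user's role (unknown roles get nothing)."""
    return [r for r in records if r["what"] not in policy.get(r["role"], set())]

def access_summary(records):
    """Count distinct patients touched per user (a simple 'who accessed what')."""
    patients = defaultdict(set)
    for r in records:
        patients[r["who"]].add(r["patient"])
    return {user: len(p) for user, p in patients.items()}

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for v in find_policy_violations(recs):
        print(f"VIOLATION {v['when']} {v['who']} ({v['role']}) {v['what']} {v['patient']} at {v['where']}")
    print(access_summary(recs))
```

On the constructed log, the billing user's "modify" and the nurse's late-night "export" from a lobby workstation are reported as policy violations for the security officer to follow up.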
Assignment
Information Security
· The healthcare organization’s security program (Wager et al., 2017, pp. 306-311) is a critical component of compliance with regulations as well as HIPAA.
· Describe the steps involved in a security program.
· Evaluate the risk analysis requirements for HIPAA using the websites furnished in the text.
· Discuss the security components, vulnerabilities, and security mitigation strategies.
· Summarize the management action plan and the ultimate goal of conducting such an assessment.
Outline:
· Introduction
· Team Selection
· Documentation
· Security Risk Analysis
· Action Plan
· Manage and Mitigate Risks
· Conclusion
Your paper should include the following:
· 5 pages in length, not including the title and reference pages.
· 6 references cited in the assignment above the text. Remember, you must support your thinking/statements and prior knowledge with references; all facts must be supported; in-text references used throughout the assignment must be included in an APA-formatted reference list.
· Be formatted according to APA writing guidelines.
· Add more citations throughout the text.
· No plagiarism at all.
· References must be no older than 5 years.