Not having a process for periodically reviewing risk analysis policies and procedures and making updates as necessary

Risk: Not having a process for periodically reviewing risk analysis policies and procedures and making updates as necessary


Explanation: In a field as dynamic as healthcare security, the nature of risks and threats changes with time. That is why the efficacy of the safeguards you put in place to mitigate those risks also declines with time. The security of your ePHI may be at risk if you fail to periodically reassess the nature of the risks and the validity of your policies and procedures, and neglect to make the regular updates that keep your safeguards effective.

Primary Mitigation: Conduct a periodic risk analysis to determine the nature and severity of emerging risks to your ePHI. Based on the results of the analysis, update your policies and procedures. Once the paperwork is done, translate what you have learned from the risk analysis and the changes you have made to your policies into actual improvements to the safeguards protecting your ePHI.

Secondary Mitigation: Risk analysis and updating your policies and procedures is not a one-time job. Make sure to repeat the same routine periodically – maintain daily, weekly, monthly, quarterly, and annual checklists to review the different types of risks.

Success Criteria: Successive risk analysis reports will show that the changes made to the policies, and subsequently to the ePHI safeguards, led to a significant decrease in security breaches.

Source: www.gpo.gov