According to the Office of Civil Rights, "organizations frequently underestimate the proliferation of ePHI within their environments," which often leaves them noncompliant with HIPAA. Consider the many applications in use within a single hospital, for example, not to mention the growing popularity of mobile devices and BYOD. OCR stated that healthcare organizations must identify all of the ePHI they create, maintain, receive or transmit in order to be HIPAA compliant and to maintain an effective healthcare risk management process.
Furthermore, OCR investigations revealed that, in several instances, when an organization was breached, the breach stemmed from risks that had already been identified in a risk analysis but that the organization had failed to address.
The National Institute of Standards and Technology (NIST) suggests six steps for a healthcare risk management process:
- Categorize information systems
- Select security controls
- Implement security controls
- Assess security controls
- Authorize information systems
- Monitor security controls