Conducting a Risk Analysis to Comply with Meaningful Use, HIPAA and HITECH

This webinar will discuss how to do a security risk analysis to meet the requirements of HIPAA, HITECH and Meaningful Use attestation. It will describe ways for effectively completing a risk analysis at the organizational level, the network level and the application level.

Why Should You Attend:

Risk analysis and risk management plans are the foundation of a HIPAA compliance program and should be complete and provide the documentation that an examiner may ask for. Risk assessments are a key part of effective risk management and facilitate decision making at all three tiers in the risk management hierarchy including the organization level, network level, and information system level. Completing a risk analysis will guide an organization to make cost effective, risk based decisions and provide an enhanced security environment to protect data and reduce the risk of a reportable security breach.

This webinar will guide the user on the principles of risk analysis and risk management to prioritize risks. It will rely heavily on the NIST 800-30 which is mentioned in the preamble of the original rule and the OCR issued guidance on risk analysis (as revised and finalized on 09/18/2012.)

This session will:

• Focus on the key factors in determining and documenting the controls to be implemented regardless of the size of the organization.
• Explore the processes and methods that can assist organizations prioritize IT security projects by addressing the highest risks to the organization.
• Review the regulatory requirements for security risk analysis and management.
• Provide an overview of the types of risk analysis that can be performed.
• Offer a practical approach on how to comply with regulatory requirements for security risk analysis.
• Provide information about how to determine where the risks to the organization exist and point organizations to where to look for this information.

Areas Covered in the Webinar:

• Requirements of the HIPAA risk analysis security rule
• Meaningful use requirements and application certification criteria.
• How risk analysis helps a business make risk based decisions to prioritize security controls and make decisions.
• How to conduct a HIPAA security risk analysis using NIST 800-30 as a guide
• How to locate and document the location of protected data
• How to conduct a risk analysis and how to accomplish the requirement

1. Risk Analysis Steps
   1. Identify the scope of the specific analysis;
   2. Gather data;
   3. Identify and document potential threats and vulnerabilities;
   4. Assess and document current security measures;
   5. Determine the likelihood of threat occurrence;
   6. Determine the potential impact of threat occurrence;
   7. Determine the level of risk;
   8. Identify potential security measures and finalize documentation.
2. Risk Management Steps
   1. Develop and implement a risk management plan;
   2. Implement security measures; and
   3. Evaluate (monitor) and maintain security measures.
3. Risk Mitigation or Acceptance Options

• Size, complexity, and capabilities of the covered entity
• The covered entity's technical infrastructure, hardware, and software security capabilities
• Costs of security measures
• Probability and criticality of potential risks to EPHI

Who Will Benefit:

This webinar will provide valuable assistance to all personnel in medical offices, practice groups, hospitals, academic medical centers, insurers, business associates (shredding, data storage, systems vendors, billing services, etc). The titles are:

• Compliance Officer
• Chief Information Officer
• CEO, CFO
• Privacy Officer
• Security Officer
• Information Systems Managers (Network and Applications)
• HIPAA Officer
• Health Information Manager
• Healthcare Counsel/lawyer
• Office Manager

Instructor Profile:

William Miaoulis, CISA, CISM, is a senior healthcare information system (IS) professional with more than 20 years of healthcare Information Security experience. Mr. Miaoulis is the founder and primary consultant for HSP Associates. Prior to starting HSP Associates in January of 2013, Bill was the Chief Information Security Officer (CISO) and led the HIPAA security and privacy consulting efforts for Phoenix Health Systems for over 11 years and also was the HIPAA Consulting Manager for SAIC for 18 months. For seven years, he was the University of Alabama Birmingham (UAB) Medical Center’s Information Security Officer, where he instituted the first security and privacy programs at UAB starting in October 1992.