Security risk assessment
McMillan introduces the conference call participants and poses the question: What do we need to do to help organizations in terms of where they stand with risk analysis and risk assessment?
McMillan describes the current climate of risk analysis in healthcare as well as introduces a critical question about the Office of Civil Right's new risk assessment tool.
McMillan asks Green for his perceptions of how his clients are performing and risk assessments. Green outlines the many considerations that must be made when evaluating dissimilar organizations and environments.
McMillan makes the claim that risk analysis is a process.
McMillan asks Finney if he is "overly simplifying" risk analysis and whether or not the source of so much confusion in the industry is based upon members "overly complicating" the discussion and practice of risk analysis.
Finney states that while healthcare is historically appreciative of patient care risk assessment, it is not easily to "seamlessly transfer" the same processes to the worlds of technology security and privacy.
McMillan asks for Green's and Finney's impressions regarding the new HHS security risk assessment tool.
Green states his thoughts on the benefits of the tool for smaller organizations but he raises the concern that the tool "set the concept of risk analysis under HIPAA back about four years or so."
McMillan concurs with Green and states the new HHS tool is "more of a compliance tool." He goes on to ask Finney if "her large system" has found the new HHS tool useful.
Finney describes the "layered approach" her system takes relative to risk assessment.
McMillan asks if "third-party specialists" should be used more often by healthcare organization when conducting a security risk analysis.
Green states his case for a "hybrid approach" of using both "internal resources" and "external resources" when conducting a risk assessment.
Finney agrees that third-parties can make strong partners for many types of healthcare businesses and technologies. A "collaborative effort" is the best approach.
McMillan asks if the industry is suffering due to a lack of an "over-arching structure" when it comes to security risk analysis.
Finney gives her thoughts on the need for a framework "from a hospital perspective."
Green gives his legal perspective and past experiences on the "friction within frameworks."
McMillan claims the misconception of how frameworks are to be used is at the heart of many organization's difficulties when dealing with risk analysis. He asks the final question of how the healthcare industry ought to address these complicated and, often unique circumstances, surrounding risk analysis issues.
Finney provides her final thoughts on the need for additional resources for the various types and sizes of organizations.
Green provides his final thoughts on the need for a "more traditional risk analysis tool" for smaller practices.
McMillan concludes the conference call by tracing some of his experience conducting risk analysis, and by surmising that simplicity has always been a preferred path when dealing with security risk assessments.
Mac McMillan, Chair of the HIMSS Privacy and Security Policy Task Force and CEO, CynergisTek, Inc.
Adam Green, Partner, Davis Wright Tremaine
Sharon Finney, Corporate Data Security Officer, Adventist healthcare system