The Payment Card Industry Data Security Standard (PCI DSS) applies to every organization that stores, processes, or transmits cardholder data. It was established over a decade ago to reduce payment card fraud and has evolved through several versions since. Penetration testing has been part of the standard since its early versions (Requirement 11.3), and recent revisions have strengthened that requirement: a test is now expected to follow a documented, industry-accepted methodology rather than being an ad hoc exercise.
Yes, they all ask for a risk assessment. If you are a HIPAA covered entity or business associate and you are ever audited by the HHS Office for Civil Rights (OCR), or if you have already had that pleasure, you will know that one of the first things OCR asks for is a documented risk assessment, or risk analysis (the terms are used interchangeably in this post). A documented risk analysis is also required for Meaningful Use attestation and for the incentive payments that depend on it.
EXPLANATION OF THE MOST COMMON TYPES OF INFORMATION ASSURANCE RISKS: TECHNICAL RISKS
Risk: Lack of unique user identification for every workforce member prior to obtaining access to ePHI.
Explanation: A user identifier is a name, a number, or a string of letters and digits that uniquely identifies one user. Because the identifier is unique, the information system can attribute every action it records to the person who performed it; a shared or generic login (one account for an entire nursing station, for example) breaks that attribution, and the audit trail can no longer say who viewed or changed a record. HIPAA lists unique user identification as a required implementation specification (45 CFR 164.312(a)(2)(i)). The point of the safeguard is that every user of the system can be held accountable for the functions he or she performs on the information…
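One practical way to check whether the unique-user-identification safeguard actually holds is to look at the ePHI access log itself. The script below is an added example, not code from the original post or from any product it mentions: it parses a small, constructed access log, flags events recorded under known shared or generic accounts (which cannot be attributed to one workforce member), and flags a single user ID that is active on two different workstations within a short window, a common sign that a personal credential is being shared. The log format, the account names, the workstation names and the five-minute window are all assumptions made for the example.

```python
"""
Added example (not part of the original post): audit-log checks for the
HIPAA "unique user identification" safeguard.

Assumptions (constructed for this example):
  - one whitespace-separated event per line:
        <ISO timestamp> <user id> <workstation> <action> <record id>
  - SHARED_ACCOUNTS lists generic logins that cannot identify a person
  - two uses of one user id from different workstations within
    CONCURRENCY_WINDOW are treated as suspected credential sharing
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: user ids, hosts and record ids are fictitious.
SAMPLE_LOG = """\
2024-03-04T08:01:12 nurse_station WS-ER-01 VIEW MRN-1001
2024-03-04T08:02:40 jdoe WS-ER-02 VIEW MRN-1002
2024-03-04T08:03:05 jdoe WS-ICU-07 UPDATE MRN-1003
2024-03-04T08:30:00 msmith WS-ER-03 VIEW MRN-1004
2024-03-04T09:10:22 admin WS-IT-01 EXPORT MRN-1005
2024-03-04T09:15:00 msmith WS-ER-03 UPDATE MRN-1004
"""

# Generic logins assumed to exist in this environment (hypothetical names).
SHARED_ACCOUNTS = {"nurse_station", "admin", "guest", "frontdesk"}
CONCURRENCY_WINDOW = timedelta(minutes=5)


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, host, action, record = line.split()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "user": user,
            "host": host,
            "action": action,
            "record": record,
        })
    return events


def unattributable_events(events, shared=SHARED_ACCOUNTS):
    """Events made under a shared/generic account: nobody is accountable for them."""
    return [e for e in events if e["user"] in shared]


def concurrent_workstation_use(events, window=CONCURRENCY_WINDOW):
    """
    Return sorted (user, host_a, host_b) tuples for a user id seen on two
    different workstations within `window`. Events are walked in time order
    per user, so the inner loop stops as soon as the gap exceeds the window.
    """
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)

    findings = set()
    for user, evs in by_user.items():
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                if b["ts"] - a["ts"] > window:
                    break
                if a["host"] != b["host"]:
                    findings.add((user, a["host"], b["host"]))
    return sorted(findings)


def report(text):
    """Summarize both checks for a log; returns the two finding lists."""
    events = parse_log(text)
    shared = unattributable_events(events)
    concurrent = concurrent_workstation_use(events)
    for e in shared:
        print(f"UNATTRIBUTABLE: {e['ts']} {e['user']} {e['action']} {e['record']} from {e['host']}")
    for user, h1, h2 in concurrent:
        print(f"SUSPECTED SHARING: {user} active on {h1} and {h2} within {CONCURRENCY_WINDOW}")
    return shared, concurrent


if __name__ == "__main__":
    report(SAMPLE_LOG)
```

On the sample log the first check reports the nurse_station and admin events, and the second reports jdoe, who appears on WS-ER-02 and WS-ICU-07 twenty-five seconds apart; msmith is used twice from the same workstation and is not flagged. In a real deployment the shared-account list would come from the identity system and the window would be tuned to how far apart the flagged workstations physically are.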
EXPLANATION OF THE MOST COMMON TYPES OF INFORMATION ASSURANCE RISKS: PHYSICAL RISKS
Risk: Lack of procedures and contingency plans in the event of an emergency
Explanation: A contingency plan is invoked when an emergency disrupts normal operations, for example during an outage. A well-defined plan tells the team how to restore data and how to keep the facility and its equipment physically secure while they do so. During the crisis it is important that clinicians still have access to ePHI so that the quality of care is not compromised.
EXPLANATION OF THE MOST COMMON TYPES OF INFORMATION ASSURANCE RISKS: ADMINISTRATIVE RISKS
Risk: Lack of documentation to mitigate threats and vulnerabilities
Explanation: A formal, documented risk management program, which always follows from a thorough risk analysis, is what turns the threats and vulnerabilities you identified into safeguards. Without one you are unlikely to implement effective protection for your ePHI, and that can compromise its security in several ways: unauthorized access, theft, or disclosure of ePHI can lead to medical identity theft, and an intrusion into your practice's ePHI may leave it inaccessible, compromised, and exposed.