As an independent provider of security assessments, we are keenly aware of the 2 primary drivers of an objective security assessment: security or compliance. Roughly, these two views of risk management can be thought of as follows:
Security: For organizations in this camp, ensuring that ePHI is protected is mission critical to the business. Any impact to data security would be viewed as negatively impacting business value, whether it be monetary, brand value or customer loyalty, and minimizing the risk of a data breach is the goal of an assessment; this is pure risk management.
Compliance: On the other hand, for organizations that are driven by compliance, while they don’t necessarily feel that data security is unimportant, the primary driver for doing a security assessment is to “check” that a HIPAA Security Risk Analysis has been completed per HIPAA or to address HITECH meaningful use objectives.
In reality, of course, both of these objectives often factor into the need to perform a HIPAA Security Risk Analysis. However, it’s important for healthcare organizations to be able to differentiate between these drivers, because the value of a risk assessment can be maximized if the effort is guided properly. In fact, with the right guidance a risk analysis can achieve both.

Security vs. Compliance
To understand this, it’s important to understand how compliance relates to security; note the Venn diagram at left. If one focuses purely on compliance during a risk analysis, then likely there will be a lot of residual risk that is not identified during the analysis. In fact, there might be some wasted effort, as a pure compliance effort may place too much emphasis on certain areas of analysis that are not necessarily relevant to the environment in question (the light blue area of the diagram).