![Page 1: HIPAA Security Compliance · 2002-07-21 · HIPAA Security Compliance: The critical role of Risk Analysis and Risk Management April 22, ... computer virus that emails patient data](https://reader034.vdocuments.mx/reader034/viewer/2022050113/5f4a91da4e71e3673c7814e1/html5/thumbnails/1.jpg)
1
HIPAA Security Compliance:The critical role of Risk Analysis
and Risk Management
April 22, 2002
Tom Grove, DirectorPhoenix Health Systems
![Page 2: HIPAA Security Compliance · 2002-07-21 · HIPAA Security Compliance: The critical role of Risk Analysis and Risk Management April 22, ... computer virus that emails patient data](https://reader034.vdocuments.mx/reader034/viewer/2022050113/5f4a91da4e71e3673c7814e1/html5/thumbnails/2.jpg)
2
Today’s Presentation
• Introduction to Risk• Understanding Risk• Assessing Risk• Using Risk to Make Decisions• Building the Risk Management
Process
![Page 3: HIPAA Security Compliance · 2002-07-21 · HIPAA Security Compliance: The critical role of Risk Analysis and Risk Management April 22, ... computer virus that emails patient data](https://reader034.vdocuments.mx/reader034/viewer/2022050113/5f4a91da4e71e3673c7814e1/html5/thumbnails/3.jpg)
3
An Introduction to Risk
![Page 4: HIPAA Security Compliance · 2002-07-21 · HIPAA Security Compliance: The critical role of Risk Analysis and Risk Management April 22, ... computer virus that emails patient data](https://reader034.vdocuments.mx/reader034/viewer/2022050113/5f4a91da4e71e3673c7814e1/html5/thumbnails/4.jpg)
4
What is Risk?
• Risk is the possible loss of something of value
• Risk is a combination of a vulnerability and a threat– How likely?– How bad?
• Risks can be quantified, ranked, assessed, mitigated, and used as opportunities
![Page 5: HIPAA Security Compliance · 2002-07-21 · HIPAA Security Compliance: The critical role of Risk Analysis and Risk Management April 22, ... computer virus that emails patient data](https://reader034.vdocuments.mx/reader034/viewer/2022050113/5f4a91da4e71e3673c7814e1/html5/thumbnails/5.jpg)
5
The Risk Equation
Vulnerability
Thr
eat
Low Medium High
High
Medium
Low
HighRisk
MediumRisk
LowRisk
![Page 6: HIPAA Security Compliance · 2002-07-21 · HIPAA Security Compliance: The critical role of Risk Analysis and Risk Management April 22, ... computer virus that emails patient data](https://reader034.vdocuments.mx/reader034/viewer/2022050113/5f4a91da4e71e3673c7814e1/html5/thumbnails/6.jpg)
6
Risk vs. Problem
• If the event is a certainty, you don’t have a risk, you have a problem
• This includes the problems of non-compliance. For example:– HIPAA Security demands unique user
identification. Group accounts are not a risk, they are a problem.
![Page 7: HIPAA Security Compliance · 2002-07-21 · HIPAA Security Compliance: The critical role of Risk Analysis and Risk Management April 22, ... computer virus that emails patient data](https://reader034.vdocuments.mx/reader034/viewer/2022050113/5f4a91da4e71e3673c7814e1/html5/thumbnails/7.jpg)
7
Risk Assessment
• The purpose of a risk assessment is to identify potential areas of loss
• Loss is usually measured as monetary, but is often indirect, such as loss of reputation
• A risk assessment provides the basis for security spending decisions
![Page 8: HIPAA Security Compliance · 2002-07-21 · HIPAA Security Compliance: The critical role of Risk Analysis and Risk Management April 22, ... computer virus that emails patient data](https://reader034.vdocuments.mx/reader034/viewer/2022050113/5f4a91da4e71e3673c7814e1/html5/thumbnails/8.jpg)
8
Risk Management
• Risk management is a formal process– Ongoing
• Risk management uses the identified risks as key drivers of the decision making process to mitigate the risks
![Page 9: HIPAA Security Compliance · 2002-07-21 · HIPAA Security Compliance: The critical role of Risk Analysis and Risk Management April 22, ... computer virus that emails patient data](https://reader034.vdocuments.mx/reader034/viewer/2022050113/5f4a91da4e71e3673c7814e1/html5/thumbnails/9.jpg)
9
Why do we care?
• HIPAA says we need to care• Risk management is how to balance
risks with resources to justify appropriate security decisions
• Well thought out risk decisions are the best defense against claims that your decisions don’t meet the rules
![Page 10: HIPAA Security Compliance · 2002-07-21 · HIPAA Security Compliance: The critical role of Risk Analysis and Risk Management April 22, ... computer virus that emails patient data](https://reader034.vdocuments.mx/reader034/viewer/2022050113/5f4a91da4e71e3673c7814e1/html5/thumbnails/10.jpg)
10
Cautions about measuring risk
• Project risk vs. Security risk– HIPAA requires a risk assessment of
security risk, such as the risk of a computer virus that emails patient data
– Project risk is the risk that the remediation plan selected cannot be completed.
– Both are valuable
• Continuous process required
![Page 11: HIPAA Security Compliance · 2002-07-21 · HIPAA Security Compliance: The critical role of Risk Analysis and Risk Management April 22, ... computer virus that emails patient data](https://reader034.vdocuments.mx/reader034/viewer/2022050113/5f4a91da4e71e3673c7814e1/html5/thumbnails/11.jpg)
11
Understanding the Components of Risk
![Page 12: HIPAA Security Compliance · 2002-07-21 · HIPAA Security Compliance: The critical role of Risk Analysis and Risk Management April 22, ... computer virus that emails patient data](https://reader034.vdocuments.mx/reader034/viewer/2022050113/5f4a91da4e71e3673c7814e1/html5/thumbnails/12.jpg)
12
Threat
• Threats are actions or events which might violate the security of an environment
• There are three components of threat– Targets– Agents– Events
![Page 13: HIPAA Security Compliance · 2002-07-21 · HIPAA Security Compliance: The critical role of Risk Analysis and Risk Management April 22, ... computer virus that emails patient data](https://reader034.vdocuments.mx/reader034/viewer/2022050113/5f4a91da4e71e3673c7814e1/html5/thumbnails/13.jpg)
13
Targets
• The target of a threat is one of the security services– Confidentiality– Integrity– Availability– Accountability
• The target corresponds to the motivation behind the threat
• A threat may have multiple targets
![Page 14: HIPAA Security Compliance · 2002-07-21 · HIPAA Security Compliance: The critical role of Risk Analysis and Risk Management April 22, ... computer virus that emails patient data](https://reader034.vdocuments.mx/reader034/viewer/2022050113/5f4a91da4e71e3673c7814e1/html5/thumbnails/14.jpg)
14
Assets as potential targets
• Information• Hardware• Software
• Facilities• People• Documentation• Supplies
• Any of these assets have varying value to your mission
![Page 15: HIPAA Security Compliance · 2002-07-21 · HIPAA Security Compliance: The critical role of Risk Analysis and Risk Management April 22, ... computer virus that emails patient data](https://reader034.vdocuments.mx/reader034/viewer/2022050113/5f4a91da4e71e3673c7814e1/html5/thumbnails/15.jpg)
15
Agents
• An agent of threat is an individual who wishes to do the harm
• To be a credible threat, an agent must have three characteristics– Access– Knowledge– Motivation
![Page 16: HIPAA Security Compliance · 2002-07-21 · HIPAA Security Compliance: The critical role of Risk Analysis and Risk Management April 22, ... computer virus that emails patient data](https://reader034.vdocuments.mx/reader034/viewer/2022050113/5f4a91da4e71e3673c7814e1/html5/thumbnails/16.jpg)
16
Potential Agents
• Employees• Ex-Employees• Hackers• Commercial
Rivals• Terrorists
• Criminals• General Public• Vendors• Customers• Visitors• Disasters
![Page 17: HIPAA Security Compliance · 2002-07-21 · HIPAA Security Compliance: The critical role of Risk Analysis and Risk Management April 22, ... computer virus that emails patient data](https://reader034.vdocuments.mx/reader034/viewer/2022050113/5f4a91da4e71e3673c7814e1/html5/thumbnails/17.jpg)
17
Some Statistics
• In 2001, half of companies had their web servers attacked
• Almost 90% percent experienced worms, viruses, or Trojans
• Almost 40 percent suffered denial of service attacks,
• Nearly 1/3 faced buffer overflow attacks• Cyber-terrorism is on the rise
![Page 18: HIPAA Security Compliance · 2002-07-21 · HIPAA Security Compliance: The critical role of Risk Analysis and Risk Management April 22, ... computer virus that emails patient data](https://reader034.vdocuments.mx/reader034/viewer/2022050113/5f4a91da4e71e3673c7814e1/html5/thumbnails/18.jpg)
18
But …
• The overwhelming majority of security breaches are internal– A key risk is that your users don’t
understand their responsibilities well enough to cooperate with your guidelines
– Disgruntled employees are a major risk. Not all are ex-employees
![Page 19: HIPAA Security Compliance · 2002-07-21 · HIPAA Security Compliance: The critical role of Risk Analysis and Risk Management April 22, ... computer virus that emails patient data](https://reader034.vdocuments.mx/reader034/viewer/2022050113/5f4a91da4e71e3673c7814e1/html5/thumbnails/19.jpg)
19
Events
• Events are the mechanism that an agent can cause the harm
• The event must cause the appropriate harm to the target
• The agent must have the appropriate knowledge and access to perform the event
![Page 20: HIPAA Security Compliance · 2002-07-21 · HIPAA Security Compliance: The critical role of Risk Analysis and Risk Management April 22, ... computer virus that emails patient data](https://reader034.vdocuments.mx/reader034/viewer/2022050113/5f4a91da4e71e3673c7814e1/html5/thumbnails/20.jpg)
20
Potential Eventsl Misuse of authorized
accessl Malicious alteration of
informationl Accidental alteration of
informationl Unauthorized accessl Malicious destructionl Accidental destruction
l Malicious physical interference
l Accidental physical interference
l Natural physical events
l Introduction of malicious software
l Disruption of communications
l Passive eavesdropping
l Theft
![Page 21: HIPAA Security Compliance · 2002-07-21 · HIPAA Security Compliance: The critical role of Risk Analysis and Risk Management April 22, ... computer virus that emails patient data](https://reader034.vdocuments.mx/reader034/viewer/2022050113/5f4a91da4e71e3673c7814e1/html5/thumbnails/21.jpg)
21
Countermeasures
• Vulnerabilities cannot be examined in a vacuum
• Countermeasures must be taken into account– Firewalls– Anti-virus Software– Access Controls– Authentication– Physical Security– Employee Training
![Page 22: HIPAA Security Compliance · 2002-07-21 · HIPAA Security Compliance: The critical role of Risk Analysis and Risk Management April 22, ... computer virus that emails patient data](https://reader034.vdocuments.mx/reader034/viewer/2022050113/5f4a91da4e71e3673c7814e1/html5/thumbnails/22.jpg)
22
The Big Picture
OrganizationalRisk Levels
IdentifiedVulnerabilities
IdentifiedThreats
ExistingCountermeasures
Cost of
Successful Exploitation
MeasuredRiskTo
TheOrganization
![Page 23: HIPAA Security Compliance · 2002-07-21 · HIPAA Security Compliance: The critical role of Risk Analysis and Risk Management April 22, ... computer virus that emails patient data](https://reader034.vdocuments.mx/reader034/viewer/2022050113/5f4a91da4e71e3673c7814e1/html5/thumbnails/23.jpg)
23
Measuring Risk
• Existing vulnerabilities, threats, and countermeasures provide part of the story
• Risk should also be measured in terms of the harm that can be done if the risk is realized
![Page 24: HIPAA Security Compliance · 2002-07-21 · HIPAA Security Compliance: The critical role of Risk Analysis and Risk Management April 22, ... computer virus that emails patient data](https://reader034.vdocuments.mx/reader034/viewer/2022050113/5f4a91da4e71e3673c7814e1/html5/thumbnails/24.jpg)
24
Risk Can be Measured• Money
– Real financial loss
• Time– Lost time of staff or capabilities
• Resources– The amount of resources needed to
correct the situation
• Reputation– Lost trust in the organization or business
• Lost Business– Loss of potential business
![Page 25: HIPAA Security Compliance · 2002-07-21 · HIPAA Security Compliance: The critical role of Risk Analysis and Risk Management April 22, ... computer virus that emails patient data](https://reader034.vdocuments.mx/reader034/viewer/2022050113/5f4a91da4e71e3673c7814e1/html5/thumbnails/25.jpg)
25
The Risk Assessment Process
![Page 26: HIPAA Security Compliance · 2002-07-21 · HIPAA Security Compliance: The critical role of Risk Analysis and Risk Management April 22, ... computer virus that emails patient data](https://reader034.vdocuments.mx/reader034/viewer/2022050113/5f4a91da4e71e3673c7814e1/html5/thumbnails/26.jpg)
26
First, Identify all the risks
• Start with a brainstorming session• Accept any possible risks at first• Walk through the categories of
targets, agents, and events to trigger the thinking process
• Accept people’s “pet risks” without comment
• No recriminations for identifying risks
![Page 27: HIPAA Security Compliance · 2002-07-21 · HIPAA Security Compliance: The critical role of Risk Analysis and Risk Management April 22, ... computer virus that emails patient data](https://reader034.vdocuments.mx/reader034/viewer/2022050113/5f4a91da4e71e3673c7814e1/html5/thumbnails/27.jpg)
27
Capture enough data
• Include both condition and consequence• Use the form:
– Given that … there is concern that …– Example: Given that there are PCs on
our network running PC-Anywhere without password protection there is concern that war dialers could penetrate our network and compromise the confidentiality of our data
![Page 28: HIPAA Security Compliance · 2002-07-21 · HIPAA Security Compliance: The critical role of Risk Analysis and Risk Management April 22, ... computer virus that emails patient data](https://reader034.vdocuments.mx/reader034/viewer/2022050113/5f4a91da4e71e3673c7814e1/html5/thumbnails/28.jpg)
28
Next, Process the risks
• Separate out the problems• Separate out the “project risks”• Combine equivalent risk statements
– Don’t combine equivalent causes
• Group related risks– Index card sorting– Use whatever grouping is logical
![Page 29: HIPAA Security Compliance · 2002-07-21 · HIPAA Security Compliance: The critical role of Risk Analysis and Risk Management April 22, ... computer virus that emails patient data](https://reader034.vdocuments.mx/reader034/viewer/2022050113/5f4a91da4e71e3673c7814e1/html5/thumbnails/29.jpg)
29
Caution
• Don’t try to solve risks now• Don’t make excuses now• Don’t evaluate severity now
![Page 30: HIPAA Security Compliance · 2002-07-21 · HIPAA Security Compliance: The critical role of Risk Analysis and Risk Management April 22, ... computer virus that emails patient data](https://reader034.vdocuments.mx/reader034/viewer/2022050113/5f4a91da4e71e3673c7814e1/html5/thumbnails/30.jpg)
30
Rank the Risks
• Numbers have more force• Allows you to identify top-N risks• A limited set of numbers produces
more relevant numbers– Rankings can always be refined– Resist the temptation to rank on a scale
of 10. Use a scale of 5 and multiply by 2 if needed.
![Page 31: HIPAA Security Compliance · 2002-07-21 · HIPAA Security Compliance: The critical role of Risk Analysis and Risk Management April 22, ... computer virus that emails patient data](https://reader034.vdocuments.mx/reader034/viewer/2022050113/5f4a91da4e71e3673c7814e1/html5/thumbnails/31.jpg)
31
Ranking the Risks
4321Minor(1)
8642Significant (2)
12963Serious(3)
161284Critical(4)
High (4)
Med-High (3)
Med-Low (2)
Low (1)
Probability
Impact
![Page 32: HIPAA Security Compliance · 2002-07-21 · HIPAA Security Compliance: The critical role of Risk Analysis and Risk Management April 22, ... computer virus that emails patient data](https://reader034.vdocuments.mx/reader034/viewer/2022050113/5f4a91da4e71e3673c7814e1/html5/thumbnails/32.jpg)
32
Adjust for countermeasures
• Adjust identified risk scores as needed to address countermeasures that already exist
• You probably have already accounted for this somewhat with your probability scores
• This step is important enough to address on it’s own
• You will be asked about existing countermeasures at the board when you ask for money
![Page 33: HIPAA Security Compliance · 2002-07-21 · HIPAA Security Compliance: The critical role of Risk Analysis and Risk Management April 22, ... computer virus that emails patient data](https://reader034.vdocuments.mx/reader034/viewer/2022050113/5f4a91da4e71e3673c7814e1/html5/thumbnails/33.jpg)
33
Practical Modifications
• After ranking, you still may want to vote. (4-n or 5-n systems still lack some granularity)
• Have the entire committee adjust the ordered risk list
![Page 34: HIPAA Security Compliance · 2002-07-21 · HIPAA Security Compliance: The critical role of Risk Analysis and Risk Management April 22, ... computer virus that emails patient data](https://reader034.vdocuments.mx/reader034/viewer/2022050113/5f4a91da4e71e3673c7814e1/html5/thumbnails/34.jpg)
34
Using Risk to make decisions
![Page 35: HIPAA Security Compliance · 2002-07-21 · HIPAA Security Compliance: The critical role of Risk Analysis and Risk Management April 22, ... computer virus that emails patient data](https://reader034.vdocuments.mx/reader034/viewer/2022050113/5f4a91da4e71e3673c7814e1/html5/thumbnails/35.jpg)
35
Making HIPAA-confident decisions
• HIPAA mandates reasonable efforts to protect the privacy and security of individuals’ information
• The solution is to get the most “bang for the buck” with the security dollars you can afford to spend (read as scrape together)
• Back up with auditing and extensive training efforts
![Page 36: HIPAA Security Compliance · 2002-07-21 · HIPAA Security Compliance: The critical role of Risk Analysis and Risk Management April 22, ... computer virus that emails patient data](https://reader034.vdocuments.mx/reader034/viewer/2022050113/5f4a91da4e71e3673c7814e1/html5/thumbnails/36.jpg)
36
Maximizing the Bang/Buck ratio
• Make decisions that:– Address known problems– Respond to biggest risks– Respond to significant risks with
minimal cost to implement– Respond to as many issues as possible
![Page 37: HIPAA Security Compliance · 2002-07-21 · HIPAA Security Compliance: The critical role of Risk Analysis and Risk Management April 22, ... computer virus that emails patient data](https://reader034.vdocuments.mx/reader034/viewer/2022050113/5f4a91da4e71e3673c7814e1/html5/thumbnails/37.jpg)
37
Things to think about
• Training dollars are often the best spent dollars in the budget
• Must keep the short and long run in view at all times.
• Never lose sight of hard numbers. If you can place hard numbers behind a solution, it’s salability goes way up.
![Page 38: HIPAA Security Compliance · 2002-07-21 · HIPAA Security Compliance: The critical role of Risk Analysis and Risk Management April 22, ... computer virus that emails patient data](https://reader034.vdocuments.mx/reader034/viewer/2022050113/5f4a91da4e71e3673c7814e1/html5/thumbnails/38.jpg)
38
Formal bang/buck evaluation
• Re-rank risks assuming that the solution is deployed– Watch out for increases in some areas
• Score the decrease in risk scores for each solution being evaluated vs. cost– May be best to evaluate cost on a simple scale– Don’t forget workflow costs
![Page 39: HIPAA Security Compliance · 2002-07-21 · HIPAA Security Compliance: The critical role of Risk Analysis and Risk Management April 22, ... computer virus that emails patient data](https://reader034.vdocuments.mx/reader034/viewer/2022050113/5f4a91da4e71e3673c7814e1/html5/thumbnails/39.jpg)
39
Taking it to the board
• Major role of the board of directors is to manage organizational risk
• Present requests for spending to address an unacceptable level of risk
• Risk “numbers” with hard data backup sell better
• Hard to say no to a spending request that addresses a top-N risk (or more than one!)
![Page 40: HIPAA Security Compliance · 2002-07-21 · HIPAA Security Compliance: The critical role of Risk Analysis and Risk Management April 22, ... computer virus that emails patient data](https://reader034.vdocuments.mx/reader034/viewer/2022050113/5f4a91da4e71e3673c7814e1/html5/thumbnails/40.jpg)
40
Example Decision
• Identified top-N risk: External access via non-controlled dial in.
• Solution evaluated: Strong-authentication remote connect utility– Inside vs. outside (other risks and
business problems)– Expandable (short vs. long term)
![Page 41: HIPAA Security Compliance · 2002-07-21 · HIPAA Security Compliance: The critical role of Risk Analysis and Risk Management April 22, ... computer virus that emails patient data](https://reader034.vdocuments.mx/reader034/viewer/2022050113/5f4a91da4e71e3673c7814e1/html5/thumbnails/41.jpg)
41
Designing the Risk Management Process
![Page 42: HIPAA Security Compliance · 2002-07-21 · HIPAA Security Compliance: The critical role of Risk Analysis and Risk Management April 22, ... computer virus that emails patient data](https://reader034.vdocuments.mx/reader034/viewer/2022050113/5f4a91da4e71e3673c7814e1/html5/thumbnails/42.jpg)
42
The Plan
• Assess risks• Respond to the risks
– Technical and administrative solutions
• Reassess the risks– Changing environments– New solutions– Results of audits
![Page 43: HIPAA Security Compliance · 2002-07-21 · HIPAA Security Compliance: The critical role of Risk Analysis and Risk Management April 22, ... computer virus that emails patient data](https://reader034.vdocuments.mx/reader034/viewer/2022050113/5f4a91da4e71e3673c7814e1/html5/thumbnails/43.jpg)
43
Who
1. Senior Management (Other than CIO)2. Security Officer3. Chief Information Officer4. Risk Manager5. HIM Director or Privacy Officer6. Compliance Officer or other Legal7. CliniciansNote: Doesn’t this look like your steering
committee???
![Page 44: HIPAA Security Compliance · 2002-07-21 · HIPAA Security Compliance: The critical role of Risk Analysis and Risk Management April 22, ... computer virus that emails patient data](https://reader034.vdocuments.mx/reader034/viewer/2022050113/5f4a91da4e71e3673c7814e1/html5/thumbnails/44.jpg)
44
Team Startup Tasks
• Establish a charter• Clearly defined scope• Regular meeting times• Reporting structures and formats• Documentation tools
– Forms– Minutes
![Page 45: HIPAA Security Compliance · 2002-07-21 · HIPAA Security Compliance: The critical role of Risk Analysis and Risk Management April 22, ... computer virus that emails patient data](https://reader034.vdocuments.mx/reader034/viewer/2022050113/5f4a91da4e71e3673c7814e1/html5/thumbnails/45.jpg)
45
First Risk Assessment
• Perform tasks from the previous risk assessment slides
• More important to develop a good process that get the results absolutely perfect
![Page 46: HIPAA Security Compliance · 2002-07-21 · HIPAA Security Compliance: The critical role of Risk Analysis and Risk Management April 22, ... computer virus that emails patient data](https://reader034.vdocuments.mx/reader034/viewer/2022050113/5f4a91da4e71e3673c7814e1/html5/thumbnails/46.jpg)
46
Ongoing Activity
• Regular meetings to:– Introduce new risks– Revisit existing risks– Evaluate remediation strategies
• Consider the effects of:– External changes– Internal changes
![Page 47: HIPAA Security Compliance · 2002-07-21 · HIPAA Security Compliance: The critical role of Risk Analysis and Risk Management April 22, ... computer virus that emails patient data](https://reader034.vdocuments.mx/reader034/viewer/2022050113/5f4a91da4e71e3673c7814e1/html5/thumbnails/47.jpg)
47
Conclusions
![Page 48: HIPAA Security Compliance · 2002-07-21 · HIPAA Security Compliance: The critical role of Risk Analysis and Risk Management April 22, ... computer virus that emails patient data](https://reader034.vdocuments.mx/reader034/viewer/2022050113/5f4a91da4e71e3673c7814e1/html5/thumbnails/48.jpg)
48
Conclusions
• Risk Analysis and Risk Management are required by HIPAA
• The risk methods represent a solid basis for quality security decision making
• Basic analysis methods are well within reach of the average covered entity
![Page 49: HIPAA Security Compliance · 2002-07-21 · HIPAA Security Compliance: The critical role of Risk Analysis and Risk Management April 22, ... computer virus that emails patient data](https://reader034.vdocuments.mx/reader034/viewer/2022050113/5f4a91da4e71e3673c7814e1/html5/thumbnails/49.jpg)
49
Questions?
![Page 50: HIPAA Security Compliance · 2002-07-21 · HIPAA Security Compliance: The critical role of Risk Analysis and Risk Management April 22, ... computer virus that emails patient data](https://reader034.vdocuments.mx/reader034/viewer/2022050113/5f4a91da4e71e3673c7814e1/html5/thumbnails/50.jpg)
Additional Resources
• www.hipaadvisory.com
• DHHS/HIPAA: aspe.hhs.gov/admnsimp
• WEDi/SNIP Web site: snip.wedi.org
• Transactions and Code Sets including
implementation guides: www.wpc-edi.com/hipaa
• Draft HIPAA Security Imp. Guide: www.wedi.org
• NCHICA www.nchica.org
• ASC X12N Standards: www.wpc-edi.com/hipaa
• Practices: www.mgma.com
![Page 51: HIPAA Security Compliance · 2002-07-21 · HIPAA Security Compliance: The critical role of Risk Analysis and Risk Management April 22, ... computer virus that emails patient data](https://reader034.vdocuments.mx/reader034/viewer/2022050113/5f4a91da4e71e3673c7814e1/html5/thumbnails/51.jpg)
51
Tom Grove, DirectorPhoenix Health Systems9200 Wightman Road, Suite 400Montgomery Village, MD 20886Telephone: 301-869-7300 [email protected]
Any further questions?