
HIM 650 Security Risk Analysis

Privacy and security of data and health care records are essential aspects of health information technology for healthcare organizations and providers. The frequency of healthcare data breaches, the number of exposed records, and the resulting financial losses are rising exponentially (Abouelmehdi et al., 2018). Healthcare data is considered highly valuable, and health organizations need risk management protocols to ensure that no breaches occur. Healthcare data security issues affect an organization's full compliance with the legal requirements of the Health Insurance Portability and Accountability Act (HIPAA). Data security and privacy threats can be external and internal (Wager et al., 2017). The purpose of this paper is to offer an analysis of risk assessments and their impact within healthcare organizations like my current organization.
Top Three Internal and External Risks Threatening PHI Data within the Organization
Researchers assessing Verizon's 2018 protected health information data breach report found that close to 60% of healthcare security incidents involved internal breaches, while the rest emanated from external sources (Verizon, 2018). Healthcare staff, for various reasons, violate HIPAA and cause data breaches that compromise protected health information (PHI). The implication is that healthcare is the only sector where internal risks to PHI data are highest, with internal breaches constituting the greatest threat to private and confidential information. The top three internal risks that threaten PHI data within the organization are weak passwords chosen by healthcare employees, poor disposal of PHI, such as failure to shred documents, and employees and business associates deliberately exploiting their access to patient details for personal and selfish reasons (Jiang & Bai, 2019). Information in the organization can also be accessed through employees' and vendors' lost or stolen mobile devices, since these devices contain stored and old login credentials.
External data breaches in the organization emanate from outside sources with an interest in the stored PHI. These include hackers using malware to access the system and steal vital PHI, and disgruntled former employees who may have knowledge of how the organization's system works. Hackers may also use phishing attempts that plant malicious scripts to steal login credentials and compromise the entire system. The third external threat is vendors who work with the organization and have access to PHI because of the nature of their contractual engagements with the facility.

Risk Assessment within the Organization

Organizational risk management for PHI is essential because it identifies areas of weakness and vulnerability that individuals could use to access patient data. More than 50% of healthcare data breaches are attributed to malicious insiders (Freundlich et al., 2018). Therefore, having risk assessment protocols within the organization is essential to improving the security and protection of critical health information. Risk assessment in the organization begins by mapping out the flow of PHI, which shows where data is generated, transferred, and transmitted. Through this approach, the organization can identify potential vulnerabilities. Further, knowledge of the procedures patients follow when filling in information, and of how that information is processed and stored, is vital. Common storage places include computers, cloud-based servers, and even dedicated cabinets, all of which are at risk of exposure and unauthorized access.
The second aspect entails identification of threats and risks, as the likelihood of a threat depends on the workplace environment and the access protocols for PHI. Vulnerabilities include the absence of policies, computing devices in open areas such as reception, and poorly structured physical safeguards such as a lack of CCTV. The third aspect is to analyze the level of risk (Jiang & Bai, 2019). Considering the likelihood of a data breach is a critical measure in the development of a risk plan, since it shows the degree of susceptibility and the potential effects. The potential impacts include losses that may be incurred if a breach occurs, such as leakage or exposure of confidential information to the public. Other risks can lead to the collapse of an organization and its reputation.
The next step in IT risk assessment and management to protect patient information is developing a plan. The plan sets out how to conduct the analysis and implement security controls. It also includes developing measures to address the greatest vulnerabilities and testing whether the security controls are effective enough to mitigate them (Pussewalage & Oleshchuk, 2017). The final step is documenting the risk analysis for future use and reference as the standard measure of compliance with HIPAA and other HIT provisions.
Conducting the Assessment and Frequency

Assessing systems' vulnerabilities and potential harm is essential to ensuring the protection of PHI. HIPAA provisions mandate health care organizations to conduct an annual assessment of their IT systems to identify weak and vulnerable areas. However, more frequent, scheduled assessments are vital to data security in the organization. In this case, the IT personnel and department are responsible for the assessment. These professionals also enlist vendors' services to conduct the assessment based on set protocols and processes (Jiang & Bai, 2019). The assessment focuses on improving the system, reducing vulnerabilities, and training employees on emerging trends and potential threats and risks from both internal and external sources. The organization conducts these assessments every two months, based on internal reports and any new information or requirements from regulatory bodies. An assessment can also be triggered by a large-scale breach in the industry targeting multiple organizations. Therefore, the IT personnel conduct assessments based on the set protocols, compliance requirements, and a needs-based model.

Assessments Mitigating Identified Risks

The assessments are critical in reducing and mitigating the identified risks, since they allow the organization to prepare for any susceptibilities and put in place measures to protect PHI. The assessments also identify new areas that require employee training on aspects such as developing strong passwords, adherence and compliance with hospital policies, and disposing of PHI waste. The assessments evaluate the level of involvement and loyalty of different stakeholders, including vendors, in following the set protocols to reduce risk exposure (Pussewalage & Oleshchuk, 2017). Engagement of all stakeholders, both internal and external, is important as it allows the organization to develop better security controls for long-term data


Common breaches in health information systems arise mainly from internal sources. Hospital systems can mitigate these breaches by conducting risk assessments and having effective personnel to identify vulnerabilities and train employees. Risk assessments occur in the organization based on existing legal health provisions under HIPAA and organizational policy mandates to protect PHI. The implication is that assessments should occur more frequently to secure vital data and avoid both internal and external violations.



Abouelmehdi, K., Beni-Hessane, A., & Khaloufi, H. (2018). Big healthcare data: Preserving security and privacy. Journal of Big Data, 5(1), 1-18. DOI:
Bowman, M. A., & Maxwell, R. A. (2018). A beginner's guide to avoiding protected health information (PHI) issues in clinical research – with how-to's in REDCap data management software. Journal of Biomedical Informatics, 85, 49-55.
Freundlich, R. E., Freundlich, K. L., & Drolet, B. C. (2018). Pagers, smartphones, and HIPAA: Finding the best solution for electronic communication of protected health information. Journal of Medical Systems, 42(1), 1-3. https://doi.org/10.1007/s10916-017-0870-9
Jiang, J. X., & Bai, G. (2019). Evaluation of causes of protected health information breaches. JAMA Internal Medicine, 179(2), 265-267.
Pussewalage, H. S. G., & Oleshchuk, V. A. (2017). Privacy preserving mechanisms for enforcing security and privacy requirements in E-health solutions. International Journal of Information Management, 36(6), 1161-1173.
Verizon (2018). White Paper: Protected Health Information Data Breach Report.
Wager, K. A., Lee, F. W., & Glaser, J. P. (2022). Health care information systems: A practical approach for health care management. John Wiley & Sons.
