464 A Practical Guide to Security Assessments
ii. Applications and Data Criticality Analysis
“Assess the relative criticality of specific applications and data in support of other contingency plan components.” [27]
This requirement is essentially calling for conducting an assessment to determine
criticality and risk related to specific applications and data.
Guidance: Although this is listed as a separate specification, the criticality of applications and data should be reviewed when performing the Risk Analysis, one of the first Administrative requirements in the HIPAA security regulations. As a best practice, however, the criticality of applications and data should be evaluated on a regular basis. Often, when new applications are rolled out, security and contingency planning is not given consideration and is treated as an afterthought. The person who owns the contingency plan should take an active part in understanding the criticality of data and applications.
Client Response:
8. STANDARD — EVALUATION (REQUIRED)
“Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart.” [28]
1. Does the client perform any type of ongoing security assessment?
Guidance: This requirement is essentially an ongoing assessment for which the initial risk analysis can be used as a baseline. The goal of this requirement is to ensure that entities do not simply implement the HIPAA security requirements and then forget about them. The reality is that operations change and, as a result, the IT environment changes and the risks change. Notwithstanding HIPAA, ongoing security assessments should be done by any entity to ensure that the information security program stays aligned with the risks the company is facing. Some ways to comply with this requirement include ongoing IT audits or regular security assessments (using internal or external resources). Some aspects of this requirement, based on the comments received during the comment phase of the HIPAA security legislation process, include:
AU1706_book.fm Page 464 Tuesday, August 17, 2004 11:02 AM