The Health Insurance Portability and Accountability Act (HIPAA) of 1996 effectively establishes a standard of due care for healthcare information security. One of the challenges of implementing policies, procedures, and practices consistent with HIPAA requirements in the Department of Defense Military Health System (MHS) is the need for a method that can tailor the requirements to a variety of organizational contexts. This paper describes a self-directed information security risk evaluation that will enable military healthcare providers to assess their risks and to develop mitigation strategies consistent with HIPAA guidelines. The self-directed risk assessment can be tailored to the range of operating environments found in the MHS. It focuses on both organizational and technological improvements, using the HIPAA regulations as a benchmark for information security readiness. The evaluation uses an interdisciplinary team within the organization to oversee the process and apply the recommendations the team generates. In addition, staff from multiple organizational levels contribute their unique knowledge of the enterprise's operations. This information, combined with technology-based vulnerabilities, yields the organization's risks. This paper also describes the results of early field tests of the evaluation and provides a summary of lessons learned.