In order to help the government and private industry standardize on a risk management process NIST created the RMF - Risk Management Framework. The framework into 6 steps:
- Categorize the information systems
- Select security controls
- Implement security controls
- Access security controls
- Authorize information systems
- Monitor security controls
At the 2010 NIST HIPAA Security Conference presentation, Pat Toth, a computer scientist working for NIST , discussed the importance of the integrating risk management and security into your enterprise computing environment. Security is often thought of as an after-the-fact process that becomes important after IT systems and applications are deployed. Toth pointed out that our perception of security’s role needs to change in order to protect the our healthcare information systems.
The HIPAA security rule specifically requires that a risk assessment be performed on IT systems that contain PHI (protected health information). Rather than creating the assessment from scratch the RMF is a great place to start your research and perhaps implement the steps recommended by NIST to secure your HIT systems.
.
The RMF is of particular importance for helping to obtain a safe harbor from penalties in the HIPAA security rule, particularly when deciding to implement (or not implement) technologies like data encryption. For example: if you decide that encryption is not needed in your environment and an incident happens where PHI is breached you will need to show the reason behind your decisions to HHS OCR (U.S Department of Health and Human Services, Office of Civil Rights).
