Security incident response: rethinking risk management

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 establishes a standard of care for healthcare data security, outlining a set of technical, physical, and administrative security practices intended to protect electronic patient data. The regulation requires organizations to conduct information-security risk assessments to ensure that their security programs effectively mitigate their risks. Because the regulation does not mandate a specific technique, many variants of risk assessments have been employed to satisfy the requirement. This paper examines limitations in process-based risk assessments used by many healthcare organizations to comply with the HIPAA risk assessment requirement. It specifically focuses on the following three limitations: (1) lack of detailed operational context, (2) limited analysis of combinatorial effects of risk conditions, and (3) the tendency for local optimization of risk mitigation efforts. (C) 2004 CARS and Elsevier B.V. All rights reserved.