by: Evan Sweeney @ Fierce Healthcare

Under HIPAA, healthcare organizations are required to conduct a periodic security risk analysis, but one executive says health systems should do a more comprehensive self-assessment that pulls in a broader scope of data.

A HIPAA-mandated risk analysis requires health systems to focus on the security mechanisms that protect patient health information (PHI), but a broader security self-assessment can surface important information that falls outside the PHI classification, David Loewy, CISO at SUNY Downstate Medical Center, told Information Security Media Group. Fortunately, organizations can do both at the same time by recruiting the organization’s audit team and tapping into resources offered by the Centers for Medicare and Medicaid Services (CMS) and the National Institute of Standards and Technology (NIST).

