Running Head: ENTERPRISE RISK MANAGEMENT
How Enterprise Risk Management Supports HIPAA Compliance
Student
University
Enterprise Risk Management and HIPAA Compliance
Today, an effective enterprise risk management (ERM) program provides a crosscutting method for identifying, controlling, and mitigating the risks an organization faces (Dorsey, 2017). Primary care providers operate under legal requirements that bear directly on the safety of patients' data. HIPAA is one of them: those who handle protected health information must safeguard it from exposure to unauthorized third parties both when it is stored and when it is transmitted. A breach can draw heavy fines, which must be avoided. For the best outcomes, ERM efforts need to expand beyond individual risks toward an integrated ERM that views all risks holistically (Hampton, 2009). This creates an environment in which every risk receives attention so that its effect on operations is reduced. Done well, it promotes compliance with the HIPAA requirement for safe and secure handling of patient data. An integrated ERM supports HIPAA compliance because it allows a holistic approach to enterprise-level risks.
An integrated ERM treats risks collectively rather than addressing individual risks only at the functional or departmental level. The model also sets shared goals, which makes it effective at mitigating risks in a manner that meets regulations such as HIPAA. An integrated ERM has several attributes that help an organization apply these strategies and achieve full compliance with HIPAA, which binds every covered entity and business associate, primary care providers included.
A vital element of an integrated ERM is a risk assessment, which identifies the vulnerabilities in the organization's IT systems and then evaluates the potential impact of the risks they expose. HIPAA is clearly about safeguarding patient information and ensuring that confidential data is not disclosed to unauthorized third parties (Janssen, Wimmer & Deljoo, 2015). The risks facing an organization's IT systems must therefore be assessed before the necessary measures can be chosen. This is the first step, because it identifies the specific risks, and it is itself a step toward HIPAA compliance: the Security Rule requires covered entities to conduct a risk analysis. Once the risks are identified, the measures put in place can address them and lower their potential impact on the organization's data. The assessment should be meticulous so that every significant risk is identified and communicated to the relevant parties, such as the IT teams and management.
To ensure continued HIPAA compliance, risk assessments should be routine, carried out at a stipulated interval. Risks evolve with the rapid evolution of attack tooling (Janssen et al., 2015). Attackers and other cybercriminals continually target primary care providers, introducing new risks every day, so the assessment must be repeated if the desired results are to be realized.
A routine assessment also ensures that the responsible teams monitor and continually evaluate the tools that have been put in place. There have been situations where the parties involved never put in place an effective plan for follow-up and evaluation. The result is a system that is not maintained correctly, with obsolete applications and outdated hardware components. Such outcomes should be avoided if the desired results are to be realized.
Further, the risk assessment can be organized around the requirements set out in HIPAA. The Security Rule, for instance, describes administrative, physical and technical safeguards that covered entities such as primary care providers must address. One technical safeguard is encrypting data before storage or transmission (Janssen et al., 2015); under the rule it is an addressable specification, meaning the organization must either implement it or document why an equivalent alternative is reasonable. During the assessment the team can determine whether work teams could send or transfer patient data without encrypting it first. This is one example of how the assessment can be carried out in a manner that looks directly at the requirements outlined in HIPAA.
Gap analysis is another critical element of an integrated ERM that promotes HIPAA compliance. It evaluates the ERM program against industry and regulatory standards, and is carried out after the ERM program has been put in place: the program's components are measured against standards that already exist, especially regulatory ones (Janssen et al., 2015). A gap analysis against HIPAA requirements looks into each specific requirement and establishes whether the program meets it. For instance, where HIPAA calls for integrity controls and device and media controls, the team can evaluate whether the program satisfies those requirements. In essence, a gap analysis is an essential element of an integrated ERM and can promote HIPAA compliance. It should be carried out after the program is in place to ascertain that there are no weaknesses that could amount to a HIPAA violation.
A further element of an integrated ERM is risk mitigation, which lowers the potential impact of the identified risks to data. HIPAA is largely about mitigating the risks data faces while stored or in transit: the law requires data handlers to implement measures that keep the information from being exposed to unauthorized parties. Risk mitigation, then, consists of measures that reduce those risks in line with HIPAA and, where warranted, go further (Janssen et al., 2015). For instance, encryption can be implemented with current, well-vetted algorithms and sound key management rather than the minimum that satisfies the rule, so that data stays protected even in an unforeseen security incident.
An integrated ERM also ensures that risk mitigation efforts align with the requirements of existing laws. There have been numerous cases where organizations employed methodologies that proved ineffective. For instance, some institutions failed to encrypt data before transmission, arguing that it travelled only within their private networks. That assumes internal traffic is not under threat of exposure, which is untrue: an attacker who has gained a foothold inside the network can capture traffic there as readily as on the Internet. All patient data in transit should therefore be encrypted, consistent with the safeguard the law expects. The risk mitigation process must adhere to the law's requirements first; strategies conform to those conditions before any additional measures and procedures are put in place.
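The assessment question raised in the two preceding paragraphs (could patient data leave a system without transport encryption, including over the private network) can be partly automated from a data-flow inventory. The script below is an added example written for this page; it is not code from the paper or from any cited work. The inventory format, the field names, the example.org hosts and the URL-scheme rules are constructed assumptions, and each finding is a prompt for the assessor rather than a verdict.

```python
"""Added example (not from the paper): flag data flows that would carry patient
data without transport encryption.  The inventory format and the sample flows
are constructed for this illustration; the rules only classify what a URL or
DSN makes certain and hand everything else back to a human assessor."""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import parse_qs, urlparse

# Schemes that are cleartext by definition and schemes that encrypt by definition.
CLEARTEXT_SCHEMES = {"http", "ftp", "telnet", "tftp"}
ENCRYPTED_SCHEMES = {"https", "sftp", "ftps", "ldaps", "smtps", "ssh", "wss"}
# libpq sslmode values that refuse to fall back to a cleartext connection.
PG_ENFORCED_SSLMODES = {"require", "verify-ca", "verify-full"}


@dataclass(frozen=True)
class Flow:
    name: str          # e.g. "EHR -> billing export" (hypothetical label)
    url: str           # destination as a URL or DSN
    carries_phi: bool  # does patient data travel over this flow?
    internal: bool     # True when both ends sit on the private network


@dataclass(frozen=True)
class Finding:
    flow: str
    reason: str


def transport_is_encrypted(url: str) -> Optional[bool]:
    """True/False when the URL settles the question, None when it cannot
    (unknown scheme, or TLS negotiated in-band such as SMTP STARTTLS)."""
    parsed = urlparse(url)
    scheme = parsed.scheme.lower()
    params = {k.lower(): v[-1].lower() for k, v in parse_qs(parsed.query).items()}
    if scheme in ("postgres", "postgresql"):
        # 'prefer' (the libpq default) and 'allow' silently downgrade to cleartext.
        return params.get("sslmode") in PG_ENFORCED_SSLMODES
    if scheme in ENCRYPTED_SCHEMES:
        return True
    if scheme in CLEARTEXT_SCHEMES:
        return False
    return None


def assess(flows: List[Flow]) -> List[Finding]:
    """One finding per PHI-carrying flow whose transport encryption is absent,
    not enforced, or not provable from the inventory alone.  'internal' is
    reported but never used to suppress a finding: staying on the private
    network is no exemption."""
    findings: List[Finding] = []
    for flow in flows:
        if not flow.carries_phi:
            continue  # outside the transmission-security question
        verdict = transport_is_encrypted(flow.url)
        if verdict is True:
            continue
        link = "internal" if flow.internal else "external"
        scheme = urlparse(flow.url).scheme
        if verdict is False:
            findings.append(Finding(flow.name, f"{scheme}:// on {link} link: transport encryption absent or not enforced"))
        else:
            findings.append(Finding(flow.name, f"{scheme}:// on {link} link: encryption not provable from inventory, verify manually"))
    return findings


# Constructed sample inventory (hypothetical hosts under example.org).
SAMPLE_FLOWS = [
    Flow("EHR -> patient portal", "https://portal.example.org/api", True, False),
    Flow("EHR -> billing export", "ftp://billing.internal.example.org/drop", True, True),
    Flow("Lab interface -> EHR", "http://ehr.internal.example.org:8080/hl7", True, True),
    Flow("Reporting -> warehouse", "postgresql://warehouse.internal.example.org/phi?sslmode=prefer", True, True),
    Flow("Reporting -> warehouse (fixed)", "postgresql://warehouse.internal.example.org/phi?sslmode=verify-full", True, True),
    Flow("Mail relay", "smtp://relay.internal.example.org:25", True, True),
    Flow("Website analytics", "http://stats.example.org/ping", False, False),
]

if __name__ == "__main__":
    for f in assess(SAMPLE_FLOWS):
        print(f"{f.flow}: {f.reason}")
```

The three-way result of transport_is_encrypted is deliberate: a scheme such as smtp:// may or may not negotiate STARTTLS, so the script reports "verify manually" rather than guessing, and the PostgreSQL default of sslmode=prefer is treated as not enforced because it falls back to cleartext when the server does not offer TLS.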
An integrated ERM also secures the assurance and support of the relevant parties, above all top management. Studies have shown that an ERM's success depends on senior management supplying the required resources and motivation (Shostack, 2014). Without an integrated ERM, risks are mitigated at the departmental or functional level and top management is not directly involved. The result is units with independent goals and objectives, and no uniformity in risk mitigation. An integrated ERM addresses this by seeking the assurance and support of top management, which enables the allocation of sufficient resources for addressing the identified risks and vulnerabilities, an essential effort toward mitigating risks in line with HIPAA's requirements.
Monitoring the current IT system is another critical element of an integrated ERM. As noted earlier, some processes are routine so that new risks are identified before they can escalate. An IT system faces a host of risks, including hardware malfunction and infiltration, and even with tools in place against such outcomes, monitoring the system remains critical. A team of professionals should be assigned the responsibility of identifying performance issues and risks before they escalate (Toohey, 2014). A sophisticated IT system requires active monitoring in which every aspect of the system is evaluated and its performance measured against expected outcomes. This helps meet HIPAA's audit controls requirement, which calls for mechanisms that record and examine activity in systems holding patient data so that new risks can be identified and addressed.
Further, an integrated ERM provides internal mechanisms for ensuring that insiders such as users do not pose risks to the IT system. In IT the user domain is the weakest link, and internal controls are required to mitigate the associated risks. Some institutions have already invested in efforts such as training workers and putting user policies in place (Shostack, 2014). These efforts aim at safe and secure use of the system by workers and other users. An integrated ERM treats users as a source of risk in order to minimize all the risks a system faces. Some workers are not knowledgeable about safe use of networks and may be targeted by cybercriminals through phishing; they might click on links or download files that carry malicious content. Even legitimate users can therefore be a source of threats.
Efforts to control user behaviour align with the requirements of HIPAA. Under the law, a primary care organization must have policies governing use of and access to workstations and electronic media. Users should be allowed to access only the resources they need, with no more privilege than their role requires (Shostack, 2014). The same applies to physical access to electronic media. Physical and access controls are vital to meeting HIPAA requirements because they sufficiently minimize the risks associated with insiders. In essence, an integrated ERM enables an organization to deal with threats arising from use of the system, which complies with HIPAA requirements.
As noted earlier, users pose significant risks, and the organization must ensure that no vulnerabilities are being created. Under HIPAA, an organization must prevent access to patient data not only by external parties but also by insiders who are not authorized. Good practice is therefore to implement proper access controls, such as access control policies that block access to data by any unauthorized internal party, and, consistent with the audit controls discussed above, to record those access decisions so they can be reviewed. In so doing, the HIPAA requirements are complied with.
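The access-control policy described in this paragraph and the audit controls discussed in the monitoring paragraph above are easier to see together in code. The Python below is an added example written for this page, not code from the paper or from any cited source. The roles, permission sets, record kinds, user ids, patient ids and the denial threshold are hypothetical, constructed to exercise each rule.

```python
"""Added example (not from the paper): least-privilege access decisions for
patient records, each one written to an audit trail.  Roles, permissions,
record kinds, users and the denial threshold are hypothetical and constructed
for this illustration."""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# Role -> set of (record kind, action) a role may perform.  Anything not listed
# is denied: there is no default-allow and no "sees everything" role.
ROLE_PERMISSIONS: Dict[str, Set[Tuple[str, str]]] = {
    "clinician": {("clinical_note", "read"), ("clinical_note", "write"), ("demographics", "read")},
    "billing":   {("billing_record", "read"), ("billing_record", "write"), ("demographics", "read")},
    "reception": {("demographics", "read"), ("demographics", "write")},
}


@dataclass(frozen=True)
class User:
    user_id: str
    role: str
    care_team_for: FrozenSet[str] = frozenset()  # patients this user currently treats


@dataclass(frozen=True)
class Record:
    patient_id: str
    kind: str


@dataclass(frozen=True)
class AuditEntry:
    user_id: str
    role: str
    action: str
    patient_id: str
    kind: str
    allowed: bool
    reason: str


class Authorizer:
    """Decides each request and records the decision, allowed or denied."""

    def __init__(self) -> None:
        self.audit: List[AuditEntry] = []

    def decide(self, user: User, action: str, record: Record) -> bool:
        if (record.kind, action) not in ROLE_PERMISSIONS.get(user.role, set()):
            allowed, reason = False, f"role '{user.role}' may not {action} {record.kind}"
        elif record.kind == "clinical_note" and record.patient_id not in user.care_team_for:
            # Minimum necessary: a clinician sees notes only for patients they treat.
            allowed, reason = False, "no treatment relationship with patient"
        else:
            allowed, reason = True, "permitted"
        self.audit.append(AuditEntry(user.user_id, user.role, action,
                                     record.patient_id, record.kind, allowed, reason))
        return allowed

    def repeated_denials(self, threshold: int = 3) -> Dict[str, int]:
        """Users with at least `threshold` denied requests: a review queue for
        the monitoring team, since repeated denials usually mean probing or a
        role assignment that was never right."""
        counts = Counter(e.user_id for e in self.audit if not e.allowed)
        return {uid: n for uid, n in counts.items() if n >= threshold}


def run_scenario() -> Authorizer:
    """Constructed requests that exercise each rule; returns the authorizer
    with its audit trail filled in."""
    auth = Authorizer()
    dr_lee = User("u-lee", "clinician", frozenset({"p-100", "p-101"}))
    clerk = User("u-ray", "billing")
    desk = User("u-kim", "reception")
    note_100 = Record("p-100", "clinical_note")
    note_200 = Record("p-200", "clinical_note")
    bill_100 = Record("p-100", "billing_record")
    demo_100 = Record("p-100", "demographics")

    auth.decide(dr_lee, "read", note_100)   # allowed: role permits, patient on care team
    auth.decide(dr_lee, "read", note_200)   # denied: not treating p-200
    auth.decide(clerk, "write", bill_100)   # allowed: billing may write billing records
    auth.decide(desk, "write", demo_100)    # allowed: reception maintains demographics
    for _ in range(3):                      # denied three times: billing probing clinical notes
        auth.decide(clerk, "read", note_100)
    auth.decide(User("u-new", "intern"), "read", demo_100)  # denied: unknown role
    return auth


if __name__ == "__main__":
    auth = run_scenario()
    for e in auth.audit:
        print(f"{'ALLOW' if e.allowed else 'DENY '} {e.user_id}/{e.role} {e.action} {e.kind} {e.patient_id}: {e.reason}")
    print("review:", auth.repeated_denials())
```

Two design points carry the weight here. Denials are logged with the same detail as grants, because the audit-control requirement is about examining activity, and the denials are where probing shows up; and the treatment-relationship check sits after the role check so that a role grant alone is never enough to read a clinical note.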
To promote compliance with HIPAA, which applies to all organizations in primary care and associated fields, an integrated ERM approach must be taken, for the following reasons. First, it leads to a holistic view of the risks an organization faces, which is better than the traditional model that looked at risks only from a functional or departmental level. This approach ensures that all risks, especially in IT, have been identified and addressed, and the requirements of HIPAA are met in the process.
Second, as shown earlier, the integrated ERM model enables the team to adopt risk mitigation strategies that align with the requirements of a particular standard such as HIPAA. This is done by first selecting the policies the standard requires before any new or additional procedures are put in place. This attribute enables an organization to adhere to the requirements while also improving the overall performance of the IT system.
Third, the integrated ERM model allows for a practical gap analysis that compares the program to the requirements contained in HIPAA. An organization can thereby determine whether the program meets the desired outcomes and whether the required strategies are in place (Smallwood, 2014). If not all requirements have been met, the organization can modify or adjust its program to meet them. This can be done quickly under an integrated ERM because assurance and support are guaranteed through the direct involvement of top management.
In summary, an effective ERM program can be used to support HIPAA compliance, especially in an age when information security has become a significant hurdle for most organizations. The requirements outlined in HIPAA are direct, and an organization can meet them by putting an integrated ERM program in place. An integrated ERM means that all teams work together to realize a secure IT system with minimal vulnerabilities and risks, especially in the user domain. Going forward, organizations in the primary care field should focus on implementing an integrated ERM that will help them attain full compliance with HIPAA.
References
Dorsey, R. (2017). Data Analytics. New York, NY: CreateSpace Independent Publishing Platform.
Hampton, J. (2009). Fundamentals of Enterprise Risk Management. New York, NY: AMACOM.
Janssen, M., Wimmer, M. A., & Deljoo, A. (2015). Policy Practice and Digital Science. New York, NY: Springer.
Shostack, A. (2014). Threat Modeling: Designing for Security. New York, NY: Wiley.
Smallwood, R. F. (2014). Information Governance. New York, NY: Wiley.
Toohey, T. J. (2014). Understanding Privacy and Data Protection. New York, NY: Thomson Reuters.
Project Evaluation Rubric

Component: Project overview
Exemplary (3): Effectively and insightfully develops a set of testable, supportable and impactful study hypotheses.
Adequate (2): Develops a set of testable and supportable hypotheses.
Inadequate (1): Hypotheses are not testable or justifiable.
Score: ______

Component: Justification for hypotheses
Exemplary (3): The introduction section provides a cogent overview of conceptual and theoretical issues related to the study hypotheses. Demonstrates outstanding critical thinking.
Adequate (2): The introduction section provides a logical overview of conceptual and theoretical issues related to the study hypotheses. Demonstrates competent critical thinking.
Inadequate (1): Very little support for the conceptual and theoretical issues relevant to the study hypotheses is provided. Provides little evidence of sound critical thinking.
Score: ______

Component: Supporting evidence
Exemplary (3): Provides clearly appropriate evidence to support the position.
Adequate (2): Provides adequate evidence to support the position.
Inadequate (1): Provides little or no evidence to support the position.
Score: ______

Component: Review of relevant research
Exemplary (3): Sophisticated integration, synthesis, and critique of literature from related fields. Places the work within a larger context.
Adequate (2): Provides a meaningful summary of the literature. Shows understanding of the relevant literature.
Inadequate (1): Provides little or no relevant scholarship.
Score: ______

Component: Maintains purpose/focus
Exemplary (3): The project is well organized and has a tight and cohesive focus that is integrated throughout the document.
Adequate (2): The project has an organizational structure and the focus is clear throughout.
Inadequate (1): The document lacks focus or contains major drifts in focus.
Score: ______

Component: Methodology
· Sample
· Procedures
· Measures
· Data analytic plan
Exemplary (3): Identifies appropriate methodologies and research techniques (e.g., justifies the sample, procedures, and measures). The data analytic plan is suitable to test the study hypotheses. Provides appropriate justification for controls. The project is feasible.
Adequate (2): Identifies appropriate methodologies and research techniques, but some details are missing or vague.
Inadequate (1): The methodologies described are either not suited or poorly suited to test the hypotheses. The methodology is under-developed and/or is not feasible.
Score: ______

Component: Grammar, clarity, and organization
Exemplary (3): The manuscript is well written and ideas are well developed and explained. Sentences and paragraphs are grammatically correct. Uses subheadings appropriately.
Adequate (2): The manuscript effectively communicates ideas. The writing is grammatically correct, but some sections lack clarity.
Inadequate (1): The manuscript is poorly written and confusing. Ideas are not communicated effectively.
Score: ______

Component: References and citations
Exemplary (3): Properly and explicitly cited. Reference list matches citations.
Adequate (2): Properly cited. May have a few instances in which proper citations are missing.
Inadequate (1): The manuscript lacks proper citations or includes no citations.
Score: ______

Overall Total: ______________