What types of “significant events” would trigger a risk assessment? What types of things should an organization consider when conducting a risk assessment involving portable media?
Response: Examples of a "significant event," as indicated in HS 2(a)(i), include a breach of information systems security, a system reconfiguration or software update, and the merging of information systems with another company. This standard is consistent with the requirements set forth by the Centers for Medicare & Medicaid Services (CMS); however, it is more stringent. Organizations must be aware of their exposure to risk from portable media: either these devices should not contain personal health information, or the devices should be encrypted. Because operating systems often allow passwords to be saved and auto-populated, so that a lost or stolen device can be unlocked without the user's knowledge of the password, devices containing personal health information, including portable media, should require end users to enter a password each time, or organizations should, at a minimum, implement two-factor authentication.