Team or Individual Project Health First Case Study

Overview

In the US, many doctor’s offices or clinics are considered small businesses, as the Health First clinic introduced in the case study. These clinics must also adhere to federal laws governing privacy and security of patient information including the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and its related security and privacy rules.

To help lead us through the case studies, a Security Workbook has been developed that guides small businesses through the process of organizing a security program. The Security Workbook provides a procedure for building security plans for a generic small business. In combination, the Health First Case Study and Security Workbook introduce a realistic organizational setting.

For this project:

We will only take two components of the Security Workbook to work with – HIPAA and Security Metrics. Two sets of slides as supplementary information are available. Materials are based on the information provided in ISACA’s CISA and CISM exam review books

Two components of the project:

HIPAA Adherence: HIPAA compliance is a necessary aspect of being in the medical profession. Summarize what all employees shall do, according to which HIPAA rule or standard, to maintain privacy of a patient’s health information, patient’s rights, and PHI disclosure. The workbook on “HIPAA Adherence” is on page 2.

Defining Security Metrics: Metrics are part of the Monitoring and Compliance function, and help to indicate whether controls and compliance are effective or not. While metrics are not absolutely necessary for the average small organization, any organization that is subject to regulation (e.g., HIPAA, SOX, FISMA) should take this section very seriously. In fact, most organizations would benefit from a few carefully selected metrics. The workbook on “Metrics” is on page 3-4.

HIPAA Adherence

Question: HIPAA compliance is a necessary aspect of being in the medical profession. Summarize what all employees shall do, according to which HIPAA rule or standard, to maintain privacy of a patient’s health information, patient’s rights, and PHI disclosure.

Step 1 Question. What are the most important areas to monitor in your organization? What threats and legislation are you most concerned with? You may want to review risk and policies to help define the most important areas to monitor.

Step 2 Question. After listing the most important threats, consider which metrics make the most sense to collect. Since automated metrics are doable in a busy world, is there an easy way to collect these metrics?

Step 3 Question. Consider the following three perspectives and different audiences:

Strategic: Management level: audit, policy; may discuss annually.

Tactical: Observe how you are performing; view trends; may discuss every six months.

Operational: Gather metrics and look at them; may discuss weekly or monthly.

Attachment:- Case Study.rar