Once deficiencies have been identified from the Risk Assessment(s), Carosh focuses on implementing the requirement for a management process “to be put in place to correct security and privacy deficiencies, and to track progress towards that goal.” For each risk identified, risk mitigation strategies are developed and controls are implemented. HIPAA recognizes that different organizations have different abilities to address and manage risk, so a variety of options are available to address each deficiency:
- Risk assumption: accept the risk. Controls may still be used to lower the risk, but not to the extent they could be if more resources were applied. This may be an acceptable strategy if the risk is determined to be low and the cost of mitigation is high; the decision to accept a risk, and the reasoning behind it, should be documented.
- Risk avoidance: forgo certain functions as a way of eliminating the risk. Generally, this means removing certain functions from the system or shutting the system down. This strategy is not often used, but may be necessary on a temporary basis.
- Risk limitation: implement controls that minimize the adverse impact of a threat exploiting a vulnerability. These controls help deter, detect, and react to a potential threat.
- Risk planning: manage the risk by prioritizing, implementing, and maintaining controls. This is essentially the process of conducting risk analysis and risk remediation as outlined here.
- Research and acknowledgment: acknowledge that the vulnerability exists and research appropriate controls. This is considered a temporary strategy, reserved for use during the implementation phase of the Security Rule, the implementation of a new information system, or when a completely new threat becomes known.
- Risk transference: select other options to compensate for loss, such as purchasing insurance or outsourcing certain business functions. This is generally used in combination with other strategies. Note that outsourcing a function does not transfer the organization's own HIPAA obligations; a vendor that handles protected health information becomes a business associate, and a business associate agreement is required.
Carosh Compliance Solutions works with you to determine the appropriate remediation strategy for each identified deficiency and to design a remediation plan that records, for each risk, the proposed remediation, the responsible party assigned to mitigate it, and a completion date. The plan is codified and tasks are distributed to the responsible parties.