Meaningful Use Calls for Meaningful Risk Analysis

It's a good time to check on this, and if you haven't done so, use these three tips provided by Ruelas to get your organization's risk assessment going:

Don't overthink it. Decide if this is something you will do in-house or externally. "Too often people get stuck deciding how they wish to proceed, including at the beginning," Ruelas says. "Sometimes doing some basic homework, such as reading through the CMS Security Series newsletters, can help people decide which route to take."

Be realistic. If a covered entity is located in the middle of the desert, the folks doing the analysis don't need to spend much time evaluating the threat potential of floods caused by a hurricane or power disruption to the utility lines caused by heavy snowstorms. When putting together a list of risks, weed out those that have no applicability. Often, people put together their initial lists of potential threats through brainstorming sessions. "Don't delete anything from these lists until after brainstorming is completed since during brainstorming the goal is to generate as many ideas as possible," Ruelas says.

Try to involve all layers of individuals that may be affected (IT administrators, techs, end users). Often different people will offer different perspectives based on their experience. The more perspectives offered, the better chances of getting a finer picture of how folks may perceive similar threats. For example, an IT infrastructure that allows for power failures to be backed up by uninterrupted power supplies may appear seamless to an end user who may not ever know that power had been disrupted.