Purpose & Overview
This campus has launched a data risk assessment designed to identify and prioritize the areas of highest risk in our business units for remediation, and to inform the overall privacy and IT Security Program and policies at the campus. The IT risk assessment will be used as a guide to further enhance security over protected health information, personally identifiable information, student data and intellectual property. To assist with developing an effective, continuing risk management program, the data network structure, data management practices, data network security, business continuity planning and data privacy security will be assessed. The campus organizational chart, the IT organizational chart and their reporting lines will also be assessed in order to recommend a sustainable model for ongoing IT risk management that best fits UIC.
General Components Assessed:
- Assess the activities to manage and control risk
- Review the written information systems policies and procedures, including privacy and security policies and measures in place to protect both physical and logical records and data
- Review the employee training programs specific to HIPAA privacy and security
- Review ongoing testing and compliance program
- Review the orientation program addressing HIPAA privacy and security
This initiative is also a requirement for HIPAA compliance. The risk assessment will seek to identify all potential risks associated with the management of high risk / HIPAA information, and with the IT systems hosting this or other sensitive information. It will also identify appropriate roles and reporting lines that fit legal requirements and policy, define how IT risk should be reported to University leadership, and coordinate with Enterprise Risk Management as well as University Audits and the Hospital. Criteria should include identifying the appropriate roles, responsibilities, and levels needed to achieve continued identification, awareness, and reporting of IT risk to University and campus leadership, so that overall risk is reduced through informed risk acceptance, risk reduction or risk transference. Each unit will be evaluated to define the applicable risk areas and then scored according to the characteristics defined for each risk area:
- Business risk rates the criticality of information assets and the impact of their loss to the business in terms of financial, operational, strategic, regulatory/legal and reputation risks.
- Data risk concerns the handling, storage and communication of corporate and patient nonpublic/private information, and the impact to the healthcare entity associated with the loss or misuse of such data.
- Threat and vulnerability risk (business continuity/recovery) defines the urgency of recovery and the disaster recovery/business continuity effort related to the information asset and the potential impact if that asset cannot be recovered in a timely manner.
A Risk Management Advisory Group has identified areas of the most risk within IT. In an effort to promote risk reduction and mitigation, the Group will prioritize, communicate, advise, and promote awareness around areas of highest risk to University leadership. Additionally, the team will direct a campus working group within the UIC IT Governance Council’s InfraSec committee to recommend, implement, and provide multi-layered operational support for risk management.