Abstract

The Department of Radiology, Georgetown University Medical Center executed OCTAVE℠, a self-directed information security risk assessment process, as a method for comprehensively planning a new teleradiology system. OCTAVE℠ was originally designed to evaluate retrospectively the organizational and technical risks to the confidentiality, integrity and availability of existing information management programs; Georgetown surmised that it should also be useful as a prospective planning tool to build information assurance into the teleradiology program from its start. Georgetown also wondered how approaching system planning from the perspective of information assurance would affect the general program planning and development. Implementing the OCTAVE℠ process, Georgetown identified the teleradiology program's critical assets, described threats to the assurance of those assets, developed and ran vulnerability scans of a system pilot, evaluated the consequences of security breaches for patients, the teleradiology program and Georgetown, and developed a risk management plan to mitigate threats to program assets and implement good information assurance practices in program management. As a result, Georgetown built a teleradiology program that complies with regulatory efforts such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and integrates health information assurance into the program's core.