Safe teleradiology: information assurance as a project planning methodology

Abstract The Department of Radiology, Georgetown University Medical Center executed OCTAVEsm, a self-directed information security risk assessment process, as a method for comprehensively planning a new teleradiology system. Originally designed to evaluate retrospectively the organizational and technical risks to the confidentiality, integrity and availability of existing information management programs, Georgetown surmised that OCTAVEsm should be useful as a prospective planning tool to build information assurance into the teleradiology program from its start. Georgetown also wondered how approaching system planning from the perspective of information assurance would affect the general program planning and development. Implementing the OCTAVEsm process, Georgetown identified the teleradiology program's critical assets, described threats to the assurance of those assets, developed and ran vulnerability scans of a system pilot, evaluated the consequences of security breaches for patients, the teleradiology program and Georgetown and developed a risk management plan to mitigate threats to program assets and implement good information assurance practices in program management. As a result, Georgetown built a teleradiology program that complies with regulatory efforts such as the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and integrates health information assurance into the program's core.