Georgetown University's Health Systems Administration

 

National Database on Incidence
of Unauthorized Disclosures
 


Survey of Privacy Hazards


In this section, you report the risks and hazards at your organization.  You can do so by using our online survey instrument or by printing out the survey form and sending it by facsimile to 703 993 1953.

Why do this?

George Mason's survey of Privacy Hazards is based on the National Database of Unauthorized Disclosures; thus the hazards assessed are not imagined but are experienced and real -- they have occurred in a health care organization.  Usually, vulnerability assessments are based on imagined risks; many scenarios are examined to see how external threats or internal weaknesses might lead to unauthorized disclosures.  Unfortunately, when assessments are based on imaginary threats and vulnerabilities, you waste precious resources securing against events that are not probable.  Even worse, since imagination is limitless, when another consultant (with a more active imagination) shows up, you are pushed to invest still more, despite the earlier expenditures, chasing elusive and esoteric security targets.  Like a child, you end up fighting imaginary foes.  In contrast, when analysis is based on real vulnerabilities that have led to privacy violations, you can focus on what matters.

George Mason's survey of Privacy Hazards produces a quantitative estimate of the risk of unauthorized disclosure within your organization.  Many vulnerability assessments classify the risk into categories and fail to provide a quantitative estimate.  In contrast, our method of assessment produces a numerical probability of unauthorized disclosure; this information can be used to benchmark the organization against its peers or to track improvements in the organization's security over time.

Finally, the data collection burden of George Mason University's Survey of Privacy Hazards is minimal.  Because we focus on hazards that have occurred in at least one health care organization, the number of hazards we look at is smaller than in most vulnerability assessments.  But since hazards are rare, many organizations do not have sufficient data to accurately estimate the quantities needed by the survey.  To reduce the data collection burden, we examine time to the hazard (e.g. time to computer theft inside an organization) and estimate the probability of the hazard from the time to the event.  Thus we are able to accurately estimate the probability of events that are quite rare.
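The page does not give the formula the survey uses, so the following is an added illustration (not the survey's own code) of one standard way to turn time-to-event answers into a probability. It assumes a constant, independent per-day chance of the hazard (a geometric model), and all names and sample figures are constructed.

```python
from dataclasses import dataclass

@dataclass
class Observation:
    days: int       # days watched until the hazard occurred, or until watching stopped
    occurred: bool  # False: the hazard has not happened yet (right-censored interval)

def daily_probability(observations):
    """Maximum-likelihood per-day probability under the assumed geometric model.

    Censored intervals add exposure days but no event, so an organization
    that has gone a long time without the hazard pulls the estimate down.
    """
    events = sum(1 for o in observations if o.occurred)
    exposure = sum(o.days for o in observations)
    if exposure <= 0:
        raise ValueError("need at least one day of observation")
    return events / exposure

def upper_bound_when_unseen(days_without_event, confidence=0.95):
    """Largest per-day probability still consistent with zero events in N days.

    Solves (1 - p)**N = 1 - confidence; for 95% this is close to 3 / N.
    """
    if days_without_event <= 0:
        raise ValueError("need at least one day of observation")
    return 1 - (1 - confidence) ** (1 / days_without_event)

def probability_within(daily_p, horizon_days):
    """Chance of at least one occurrence within the horizon."""
    return 1 - (1 - daily_p) ** horizon_days

# Constructed answers for "time to computer theft": two thefts, then 270 quiet days.
COMPUTER_THEFT = [
    Observation(days=400, occurred=True),
    Observation(days=330, occurred=True),
    Observation(days=270, occurred=False),
]

if __name__ == "__main__":
    p = daily_probability(COMPUTER_THEFT)
    print(f"daily probability:  {p:.4f}")
    print(f"annual probability: {probability_within(p, 365):.3f}")
    print(f"95% bound, hazard never seen in 1000 days: {upper_bound_when_unseen(1000):.5f}")
```

The never-observed case matters here because rare hazards often have no recorded occurrence at a single organization; the bound gives a defensible ceiling instead of an estimate of zero.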


Survey of Risks


For the complete survey instrument please click here.  This instrument is in the public domain and available free of charge.  Please let us know if you plan to use this instrument.


Risk Benchmarks

This section is under development.  As additional data become available, please return here to see security benchmarks.


Description of Method of Risk Assessment


For a detailed description of how you can use the National Incidence of Unauthorized Disclosures to conduct a comprehensive risk assessment, click here.

 

This page was first created on April 4th 2004.  Most recent revision 10/21/2011.  For assistance write to Farrokh Alemi, Ph.D.  This work has been supported by a grant from the Critical Infrastructure Protection project.