The Medical Center performs an analysis to identify the most critical applications and data and to understand the impact they have on the overall operations of the organization. NIST Special Publication 800-34, Contingency Planning Guide for Federal Information Systems, states that the analysis “helps identify and prioritize information systems and components critical to support the organization’s mission/business process.”
An initial risk assessment of information system criticality must be conducted by the owners of information systems containing Electronic Protected Health Information (EPHI), with significant involvement from the administrators and users. The criticality analysis must be reviewed and updated at least every three years, when there are significant changes to the risk environment, or when a major system change occurs, whichever occurs first. System Owners should follow the framework laid out in the Health System Technology Services (HSTS) Risk Management/Assessment standard or the tools provided in the University of Virginia Information Technology Security Risk Management Program.