Risk Assessments of Information Systems that contain Electronic Protected Health Information (EPHI) must be conducted by System Owners annually.


To identify the applications and data that are most important to our mission, to aid in determining which critical applications and data to restore in the event of a disaster, and to ensure that risk assessments of Information System criticality are reviewed and updated.


This standard applies to Owners of Information Systems.


The Medical Center performs an analysis to identify the most critical applications and data and to understand the impact they have on the overall operations of the organization. NIST Special Publication 800-34, Contingency Planning Guide for Federal Information Systems, states that the analysis “helps identify and prioritize information systems and components critical to support the organization’s mission/business process.”

An initial risk assessment of information system criticality must be conducted by owners of Information Systems containing Electronic Protected Health Information (EPHI), with significant involvement from the administrators and users. The criticality analysis must be reviewed and updated at least every three years, when there are significant changes to the risk environment, or when a major system change occurs, whichever occurs first. System Owners should follow the framework laid out in the Health System Technology Services (HSTS) Risk Management/Assessment standard or the tools provided in the University of Virginia Information Technology Security Risk Management Program.

Document Supporting Resources