HIPAA Security Risk Assessment and Risk Analysis Management

What is HIPAA Risk Analysis?

Risk Analysis is often regarded as the first step towards HIPAA compliance. Risk analysis is a required implementation specification under the Security Management Process standard of the Administrative Safeguards portion of the HIPAA Security Rule as per Section 164.308(a)(1). Covered entities will benefit from an effective Risk Analysis and Risk Management program beyond just being HIPAA compliant. Compliance with HIPAA is not optional… it is mandatory, to avoid penalties.

Objective of HIPAA Security Risk Analysis/Assessment:

The overall objective of a HIPAA risk analysis is to document the Potential risks and vulnerabilities to the confidentiality, integrity, or availability of electronic protected health information (ePHI) and determine the appropriate safeguards to bring the level of risk to an acceptable and manageable level. HIPAA risk assessment helps in ensuring that controls and expenditure are fully commensurate with the risks to which the organization is exposed.

The key to any effective security program is to understand the risk level in the organization and then to determine how to effectively mitigate that risk. This requires identifying what is the data that your organization needs to protect and where that data lives and moves. This then provides the basis for security policies, practices, and technologies to protect all such data, such as electronic protected health information. Risk analysis requires understanding the core business functions of the enterprise and then analyzing potential threats and vulnerabilities to assets and information. It helps identify critical business assets and associated risks.

HIPAA Risk Assessment Scope

Administrative Safeguards

  • Risk analysis procedures and demonstration of a risk management process;
  • Policies and procedures relevant to operational security, including business associate security requirements;
  • Information access restriction requirements and controls;
  • Incident response procedures and disaster recovery plan and;
  • Evidence of periodic technical and non-technical reviews.

Physical Safeguards

  • Physical access controls, such as building access and appropriate record keeping;
  • Policies and procedures for workstation security; and
  • Proper usage, storage, and disposal of data storage devices

Technical Safeguards

  • Auditing and audit procedures;
  • Use of encryption devices and tools;
  • Implementation of technology to ensure ePHI confidentiality, integrity, and availability

HIPAA Risk Analysis Methodology

The proprietary Defense first security methodology is utilized which goes beyond the requirements of the HIPAA Security Rule to safeguard not just electronic Protected Health Information (ePHI) but the organization’s information assets as a whole.

The Defense first security methodology provides the framework for protecting enterprise assets and information. This methodology has also been influenced by the domains defined in the ISO 17799 and the BS 7799 security standards as well as the CobIT, NIST, and CMS frameworks. Following steps are followed for the HIPAA Risk Analysis project:
Step 1 – Inventory & Classify Assets
Step 2 – Document Likely Threats to Each Asset
Step 3 – Vulnerability Assessment
Step 4 – Evaluate Current Safeguards
Step 5 – Document Risks
Step 6 – Recommend Appropriate Safeguards
Step 7 – Create Report of Results

HIPAA Security Technical Vulnerability Assessment

External Penetration Testing:

This testing is focused on the servers, infrastructure, and the underlying software comprising the target. It may be performed with no prior knowledge of the site or with full disclosure of the topology and environment. This type of testing will typically involve a comprehensive analysis of publicly available information about the client, a network enumeration phase where target hosts are identified and analyzed, and the behavior of security devices such as screening routers and firewalls are analyzed. Vulnerabilities within the target hosts should then be identified, verified and the implications assessed.

Network Vulnerability Assessment

A Network Vulnerability Assessment checks all aspects of your network from behind the firewall and identifies any potential holes a hacker could exploit. A Network Vulnerability Assessment will analyze IP address, computer, server, and network device on your network. Operating systems, web server platforms, mail servers, and router switches, and hubs on your network are carefully checked for vulnerabilities. Once we identify those vulnerabilities, you’ll get a detailed explanation of the recommended fix for each one.

Wireless/Remote Access Assessment (RAS) Security Assessment

The goal of Wireless Security Assessment is to quantify the vulnerability state of the wireless APs configurations, test the range of the wireless networks to see whether access could be gained outside of the client’s property. It also helps to discover whether there were any rogue (unauthorized) APs on the client’s network and mainly to determine whether it was possible to gain internal access to ePHI via the wireless APs both authorized and unauthorized.

Vulnerability Assessment Tools

A number of tools may be used in assessing the vulnerability of an organization’s systems and networks. Examples of tools that may be used for risk analysis and vulnerability assessment include (but are not limited to):
. SamSpade Tools . QualysGuard
. Nmap . STAT Scanner
. Nessus Vulnerability Scanner . ISS Internet Scanner
. Microsoft Baseline Security Analyzer (MBSA)    

Security professionals need to be familiar with using these tools and understand their capabilities for functions such as reporting.

Key Deliverables of HIPAA Security Risk Analysis Report

The client will be provided with the following deliverables upon completion of the project:

a. Written documentation of the approach, findings, and recommendations associated with the project, which shall include:

  • Matrix of threats and vulnerabilities to client’s electronic data, including probability and impact of each threat and vulnerability based on (a) client’s current security measures and (b) recommended security measures
    Supporting detailed exhibits explaining threats and vulnerabilities
  • List of client’s technical and non-technical deficiencies in comparison with the requirements of HIPAA’s security regulations
  • Detailed report of recommended remediation measures for each identified threat, vulnerability, and deficiency
    Security policy templates as per HIPAA regulations and recommendations on existing policies

b. Executive summary report summarizing the scope, approach, findings, and recommendations in a manner suitable for senior management; and

c. Formal on-site presentation to client’s senior management of findings and recommendations.

Benefits of HIPAA Security Risk Analysis

Clients gain a full appreciation of the current security vulnerabilities
A comprehensive, fully documented solution is provided that helps clients make informed decisions regarding the appropriate actions needed to secure EPHI
Additional security involves an additional expense that does not directly generate income; it should always be justified in financial terms. The Risk Analysis process should directly and automatically generate such justification for security recommendations in business terms
A definitive plan of action is developed to put clients on the road to full compliance
The wide-scale application of a risk assessment program, by actively involving a range of, and a greater number of, staff, will place security on the agenda for discussion and increase security awareness within the enterprise
A major benefit of the application of Risk Analysis is that it brings a consistent and objective approach to all security reviews. This not only applies to different applications but different types of business system
A team experienced with HIPAA regulations that have a track record of successfully implementing solutions and is fully certified in the area of security

How can the Supremus Group help your compliance Efforts?

We can help you in three different ways depending on your need, involvement, time, available IT resources, and budget.
OPTION 1: If you are in a hurry to complete the HIPAA Risk Analysis and you don’t have internal resources to completely devote to this project then we can independently complete the project for you. The only involvement required will be providing information about your infrastructure, policies, and processes.
OPTION 2: If you have internal staff members who can completely devote their time and security & HIPAA knowledge to this project but don’t know the methodology, we will provide a project manager to work with your team and help to complete the compliance project.
OPTION 3: If you have all the necessary resources for the Risk Analysis project but need to save time on documentation, you can use our HIPAA Risk Analysis template documents. These templates will ensure that you gather all the required information before starting the project. The finding and recommendations will be mapped to the HIPAA regulations.
Many IT Security consulting companies and HIPAA consultants are using our HIPAA Risk Analysis templates in their projects to save time and present the findings and recommendations mapped to HIPAA regulation.

Have Already Completed a HIPAA Security Risk Assessment?

Our security team provides independent validation and/or periodic reviews of your progress with ongoing compliance. If necessary, additional focused technical risk testing and mitigation services, as well as specific remediation efforts, are available.

Let us help you with your compliance first step.

Please contact us for more information at Bob@HIPAAcertification.net or call (515) 865-4591.

View HIPAA Security Policies and Procedures