What is HIPAA Risk Analysis?
Objective of HIPAA Security Risk Analysis/Assessment:
The key to any effective security program is to understand the risk level in the organization and then to determine how to effectively mitigate that risk. This requires identifying what is the data that your organization needs to protect and where that data lives and moves. This then provides the basis for security policies, practices, and technologies to protect all such data, such as electronic protected health information. Risk analysis requires understanding the core business functions of the enterprise and then analyzing potential threats and vulnerabilities to assets and information. It helps identify critical business assets and associated risks.
HIPAA Risk Assessment Scope
Administrative Safeguards
- Risk analysis procedures and demonstration of a risk management process;
- Policies and procedures relevant to operational security, including business associate security requirements;
- Information access restriction requirements and controls;
- Incident response procedures and disaster recovery plan and;
- Evidence of periodic technical and non-technical reviews.
Physical Safeguards
- Physical access controls, such as building access and appropriate record keeping;
- Policies and procedures for workstation security; and
- Proper usage, storage, and disposal of data storage devices
Technical Safeguards
- Auditing and audit procedures;
- Use of encryption devices and tools;
- Implementation of technology to ensure ePHI confidentiality, integrity, and availability
HIPAA Risk Analysis Methodology
The proprietary Defense first security methodology is utilized which goes beyond the requirements of the HIPAA Security Rule to safeguard not just electronic Protected Health Information (ePHI) but the organization’s information assets as a whole.
The Defense first security methodology provides the framework for protecting enterprise assets and information. This methodology has also been influenced by the domains defined in the ISO 17799 and the BS 7799 security standards as well as the CobIT, NIST, and CMS frameworks. Following steps are followed for the HIPAA Risk Analysis project:
Step 1 – Inventory & Classify Assets
Step 2 – Document Likely Threats to Each Asset
Step 3 – Vulnerability Assessment
Step 4 – Evaluate Current Safeguards
Step 5 – Document Risks
Step 6 – Recommend Appropriate Safeguards
Step 7 – Create Report of Results
HIPAA Security Technical Vulnerability Assessment
External Penetration Testing:
Network Vulnerability Assessment
Wireless/Remote Access Assessment (RAS) Security Assessment
Vulnerability Assessment Tools
. | SamSpade Tools | . | QualysGuard |
. | Nmap | . | STAT Scanner |
. | Nessus Vulnerability Scanner | . | ISS Internet Scanner |
. | Microsoft Baseline Security Analyzer (MBSA) |
Security professionals need to be familiar with using these tools and understand their capabilities for functions such as reporting.
Key Deliverables of HIPAA Security Risk Analysis Report
a. Written documentation of the approach, findings, and recommendations associated with the project, which shall include:
- Matrix of threats and vulnerabilities to client’s electronic data, including probability and impact of each threat and vulnerability based on (a) client’s current security measures and (b) recommended security measures
Supporting detailed exhibits explaining threats and vulnerabilities - List of client’s technical and non-technical deficiencies in comparison with the requirements of HIPAA’s security regulations
- Detailed report of recommended remediation measures for each identified threat, vulnerability, and deficiency
Security policy templates as per HIPAA regulations and recommendations on existing policies
b. Executive summary report summarizing the scope, approach, findings, and recommendations in a manner suitable for senior management; and
c. Formal on-site presentation to client’s senior management of findings and recommendations.
Benefits of HIPAA Security Risk Analysis
• |
Clients gain a full appreciation of the current security vulnerabilities
|
• |
A comprehensive, fully documented solution is provided that helps clients make informed decisions regarding the appropriate actions needed to secure EPHI
|
• |
Additional security involves an additional expense that does not directly generate income; it should always be justified in financial terms. The Risk Analysis process should directly and automatically generate such justification for security recommendations in business terms
|
• |
A definitive plan of action is developed to put clients on the road to full compliance
|
• |
The wide-scale application of a risk assessment program, by actively involving a range of, and a greater number of, staff, will place security on the agenda for discussion and increase security awareness within the enterprise
|
• |
A major benefit of the application of Risk Analysis is that it brings a consistent and objective approach to all security reviews. This not only applies to different applications but different types of business system
|
• |
A team experienced with HIPAA regulations that have a track record of successfully implementing solutions and is fully certified in the area of security
|
How can the Supremus Group help your compliance Efforts?
OPTION 1: If you are in a hurry to complete the HIPAA Risk Analysis and you don’t have internal resources to completely devote to this project then we can independently complete the project for you. The only involvement required will be providing information about your infrastructure, policies, and processes.
OPTION 2: If you have internal staff members who can completely devote their time and security & HIPAA knowledge to this project but don’t know the methodology, we will provide a project manager to work with your team and help to complete the compliance project.
OPTION 3: If you have all the necessary resources for the Risk Analysis project but need to save time on documentation, you can use our HIPAA Risk Analysis template documents. These templates will ensure that you gather all the required information before starting the project. The finding and recommendations will be mapped to the HIPAA regulations.
Many IT Security consulting companies and HIPAA consultants are using our HIPAA Risk Analysis templates in their projects to save time and present the findings and recommendations mapped to HIPAA regulation.
Have Already Completed a HIPAA Security Risk Assessment?
Our security team provides independent validation and/or periodic reviews of your progress with ongoing compliance. If necessary, additional focused technical risk testing and mitigation services, as well as specific remediation efforts, are available.
Let us help you with your compliance first step.
Please contact us for more information at Bob@HIPAAcertification.net or call (515) 865-4591.