What is HIPAA Risk Analysis?
Objective of HIPAA Security Risk Analysis/Assessment:
The key to any effective security program is to understand the risk level in the organization and then to determine how to effectively mitigate that risk. This requires identifying what is the data that your organization needs to protect and where that data lives and moves. This then provides the basis for security policies, practices, and technologies to protect all such data, such as electronically protected health information. Risk analysis requires understanding the core business functions of the enterprise and then analyzing potential threats and vulnerabilities to assets and information. It helps identify critical business assets and associated risks.
HIPAA Risk Assessment Scope
- Risk analysis procedures and demonstration of a risk management process;
- Policies and procedures relevant to operational security, including business associate security requirements;
- Information access restriction requirements and controls;
- Incident response procedures and disaster recovery plan and;
- Evidence of periodic technical and nontechnical reviews.
- Physical access controls, such as building access and appropriate record keeping;
- Policies and procedures for workstation security; and
- Proper usage, storage, and disposal of data storage devices
- Auditing and audit procedures;
- Use of encryption devices and tools;
- Implementation of technology to ensure ePHI confidentiality, integrity, and availability
HIPAA Risk Analysis Methodology
The proprietary Defensefirst security methodology is utilized which goes beyond the requirements of the HIPAA Security Rule to safeguard not just electronic Protected Health Information (ePHI) but the organization’s information assets as a whole.
The Defensefirst security methodology provides the framework for protecting enterprise assets and information. This methodology has also been influenced by the domains defined in the ISO 27002 and the BS 7799 security standards as well as the CobIT, NIST, and CMS frameworks. Following steps are followed for the HIPAA Risk Analysis project:
Step 1 – Inventory & Classify Assets
Step 2 – Document Likely Threats to Each Asset
Step 3 – Vulnerability Assessment
Step 4 – Evaluate Current Safeguards
Step 5 – Document Risks
Step 6 – Recommend Appropriate Safeguards
Step 7 – Create Report of Results
HIPAA Security Technical Vulnerability Assessment
External Penetration Testing:
Network Vulnerability Assessment
Wireless/Remote Access Assessment (RAS) Security Assessment
Vulnerability Assessment Tools
|.||Nessus Vulnerability Scanner||.||ISS Internet Scanner|
|.||Microsoft Baseline Security Analyzer (MBSA)|
Security professionals need to be familiar with using these tools and understand their capabilities for functions such as reporting.
Key Deliverables of HIPAA Security Risk Analysis Report
a. Written documentation of the approach, findings, and recommendations associated with the project, which shall include:
• Supporting detailed exhibits explaining threats and vulnerabilities
• List of client’s technical and non-technical deficiencies in comparison with the requirements of HIPAA’s security regulations
• Detailed report of recommended remediation measures for each identified threat, vulnerability, and deficiency
• Security policy templates as per HIPAA regulations and recommendations on existing policies
b. Executive summary report summarizing the scope, approach, findings, and recommendations in a manner suitable for senior management; and
c. Formal on-site presentation to client’s senior management of findings and recommendations.
Benefits of HIPAA Security Risk Analysis
Clients gain a full appreciation of the current security vulnerabilities
A comprehensive, fully documented solution is provided that helps clients make informed decisions regarding the appropriate actions needed to secure EPHI
Additional security involves an additional expense that does not directly generate income; it should always be justified in financial terms. The Risk Analysis process should directly and automatically generate such justification for security recommendations in business terms
A definitive plan of action is developed to put clients on the road to full compliance
The wide-scale application of a risk assessment program, by actively involving a range of, and a greater number of, staff, will place security on the agenda for discussion and increase security awareness within the enterprise
A major benefit of the application of Risk Analysis is that it brings a consistent and objective approach to all security reviews. This not only applies to different applications but different types of business system
A team experienced with HIPAA regulations that have a track record of successfully implementing solutions and is fully certified in the area of security
How can Supremus Group help your compliance Efforts?
OPTION 2: If you have internal staff members who can completely devote their time and security & HIPAA knowledge to this project but don’t know the methodology, we will provide a project manager to work with your team and help to complete the compliance project.
OPTION 3: If you have all the necessary resources for the Risk Analysis project but need to save time on documentation, you can use our HIPAA Risk Analysis template documents. These templates will ensure that you gather all the required information before starting the project. The finding and recommendations will be mapped to the HIPAA regulations.
Many IT Security consulting companies and HIPAA consultants are using our HIPAA Risk Analysis templates in their projects to save time and present the findings and recommendations mapped to HIPAA regulation.
Have Already Completed a HIPAA Security Risk Assessment?
Our security team provides independent validation and/or periodic reviews of your progress with ongoing compliance. If necessary, additional focused technical risk testing and mitigation services, as well as specific remediation efforts, are available.
Let us help you with your compliance first, step.
Please contact us for more information at Bob@training-hipaa.net or call (515) 865-4591.