The key to any effective security program is to understand the level of risk in the organization and then to determine how to mitigate that risk effectively. This requires identifying what data your organization needs to protect and where that data lives and moves. That understanding then provides the basis for the security policies, practices and technologies that protect all such data, such as electronic protected health information (ePHI). Risk analysis requires understanding the core business functions of the enterprise and then analyzing potential threats and vulnerabilities to assets and information. It helps identify critical business assets and their associated risks.
• Physical access controls, such as building access and appropriate record keeping;
• Policies and procedures for workstation security;
• Proper usage, storage, and disposal of data storage devices;
• Auditing and audit procedures;
• Use of encryption devices and tools; and
• Implementation of technology to ensure ePHI confidentiality, integrity, and availability.
The proprietary Defensefirst security methodology is used; it goes beyond the requirements of the HIPAA Security Rule to safeguard not just electronic Protected Health Information (ePHI) but the organization’s information assets as a whole.
The Defensefirst security methodology provides the framework for protecting enterprise assets and information. It has also been influenced by the domains defined in the ISO 27002 and BS 7799 security standards as well as the COBIT, NIST and CMS frameworks. The following steps are followed for a HIPAA Risk Analysis project:
Step 1 – Inventory & Classify Assets
Step 2 – Document Likely Threats to Each Asset
Step 3 – Vulnerability Assessment
Step 4 – Evaluate Current Safeguards
Step 5 – Document Risks
Step 6 – Recommend Appropriate Safeguards
Step 7 – Create Report of Results
The tools used include:
• Nessus Vulnerability Scanner
• ISS Internet Scanner
• Microsoft Baseline Security Analyzer (MBSA)
Security professionals need to be familiar with using these tools and understand their capabilities for functions such as reporting.
a. Written documentation of the approach, findings, and recommendations associated with the project, which shall include:
• Matrix of threats and vulnerabilities to client’s electronic data, including probability and impact of each threat and vulnerability based on (a) client’s current security measures and (b) recommended security measures
• Supporting detailed exhibits explaining threats and vulnerabilities
• List of client’s technical and non-technical deficiencies in comparison with the requirements of HIPAA’s security regulations
• Detailed report of recommended remediation measures for each identified threat, vulnerability, and deficiency
• Security policy templates as per HIPAA regulations and recommendations on existing policies
b. Executive summary report summarizing the scope, approach, findings, and recommendations in a manner suitable for senior management; and
c. Formal on-site presentation to client’s senior management of findings and recommendations.
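The seven steps above and the threat/vulnerability matrix deliverable in item (a) can be carried through in a small risk register. The following is an added example written for this page; it is not Defensefirst's own tooling and does not reproduce the methodology's actual scoring scheme. The 1-3 likelihood and impact scale, the per-safeguard likelihood-reduction fractions, the acceptable-risk threshold, and the three sample register entries are all constructed assumptions chosen to illustrate how risk under (a) current and (b) recommended safeguards is compared and ranked.

```python
from dataclasses import dataclass, field

# Constructed 3-point scale for likelihood and impact (assumption, not the methodology's own scale).
SCALE = {"low": 1, "medium": 2, "high": 3}
ACCEPTABLE_RISK = 2.0  # constructed threshold: scores above this are reported as deficiencies


@dataclass
class Safeguard:
    name: str
    likelihood_reduction: float  # fraction of the threat's likelihood the control removes (0.0-1.0), an estimate


@dataclass
class RiskEntry:
    asset: str               # Step 1: inventoried asset
    classification: str      # Step 1: e.g. "ePHI", "internal", "public"
    threat: str              # Step 2: likely threat to the asset
    vulnerability: str       # Step 3: weakness the threat could exploit
    likelihood: str          # "low" | "medium" | "high"
    impact: str              # "low" | "medium" | "high"
    current: list = field(default_factory=list)      # Step 4: safeguards already in place
    recommended: list = field(default_factory=list)  # Step 6: safeguards proposed


def combined_reduction(safeguards):
    """Treat controls as independent: the likelihood that survives is the product of what each lets through."""
    remaining = 1.0
    for s in safeguards:
        remaining *= 1.0 - s.likelihood_reduction
    return 1.0 - remaining


def residual_score(entry, safeguards):
    """Step 5: risk = (likelihood after safeguards) x impact, on a 0-9 scale."""
    likelihood = SCALE[entry.likelihood] * (1.0 - combined_reduction(safeguards))
    return round(likelihood * SCALE[entry.impact], 2)


def rate(score):
    """Bucket a 0-9 score into the cell shown in the threat/vulnerability matrix."""
    if score >= 6:
        return "high"
    if score >= 3:
        return "medium"
    return "low"


def build_matrix(entries):
    """Matrix of threats and vulnerabilities with risk under (a) current and (b) recommended
    safeguards, ordered so the highest current risk comes first."""
    rows = []
    for e in entries:
        now = residual_score(e, e.current)
        after = residual_score(e, e.current + e.recommended)
        rows.append({
            "asset": e.asset, "classification": e.classification,
            "threat": e.threat, "vulnerability": e.vulnerability,
            "current_score": now, "current_rating": rate(now),
            "projected_score": after, "projected_rating": rate(after),
            "recommended": [s.name for s in e.recommended],
        })
    rows.sort(key=lambda r: r["current_score"], reverse=True)
    return rows


def deficiencies(entries, acceptable=ACCEPTABLE_RISK):
    """Entries whose risk under current safeguards exceeds the acceptable level (input to Step 7)."""
    return [r for r in build_matrix(entries) if r["current_score"] > acceptable]


def format_report(entries):
    """Step 7: a plain-text rendering of the matrix for the written report."""
    lines = [f"{'Asset':<22}{'Threat':<30}{'Now':>6}  {'After':>6}  Recommended safeguards"]
    for r in build_matrix(entries):
        lines.append(f"{r['asset']:<22}{r['threat']:<30}{r['current_score']:>6}  "
                     f"{r['projected_score']:>6}  {', '.join(r['recommended']) or '-'}")
    return "\n".join(lines)


# Constructed sample register: the assets, threats and estimates below are illustrative, not client data.
SAMPLE_ENTRIES = [
    RiskEntry("Clinic workstations", "ePHI", "Malware infection via e-mail", "Unpatched OS, no anti-malware",
              likelihood="high", impact="high",
              current=[],
              recommended=[Safeguard("Patch management", 0.5), Safeguard("Anti-malware", 0.6)]),
    RiskEntry("EHR backup media", "ePHI", "Theft of backup tapes", "Backups stored unencrypted",
              likelihood="medium", impact="high",
              current=[Safeguard("Locked media room", 0.5)],
              recommended=[Safeguard("Encrypt backups at rest", 0.8)]),
    RiskEntry("Public website", "public", "Defacement", "Outdated CMS version",
              likelihood="medium", impact="low",
              current=[],
              recommended=[Safeguard("CMS patching", 0.5)]),
]

if __name__ == "__main__":
    print(format_report(SAMPLE_ENTRIES))
    print("\nDeficiencies:", [r["asset"] for r in deficiencies(SAMPLE_ENTRIES)])
```

Running the module prints the matrix with the unprotected workstations at the top (score 9.0 now, 1.8 after the recommended controls), the unencrypted backups second (3.0 now, 0.6 after), and the public website last; only the first two exceed the constructed acceptable level and are listed as deficiencies. The "projected" column is what makes the financial justification discussed later concrete: each recommended safeguard can be weighed against the risk reduction it buys.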
• Clients gain a full appreciation of their current security vulnerabilities.
• A comprehensive, fully documented solution is provided that helps clients make informed decisions regarding the actions needed to secure ePHI.
• Additional security involves additional expense that does not directly generate income, so it should always be justified in financial terms. The Risk Analysis process should directly and automatically generate such justification for its security recommendations in business terms.
• A definitive plan of action is developed to put clients on the road to full compliance.
• The wide-scale application of a risk assessment program, by actively involving a wider range and greater number of staff, places security on the agenda for discussion and increases security awareness within the enterprise.
• A major benefit of applying Risk Analysis is that it brings a consistent and objective approach to all security reviews, not only across different applications but across different types of business system.
• A team experienced with HIPAA regulations, with a track record of successfully implementing solutions and full certification in the area of security.
Our security team provides independent validation and/or periodic reviews of your progress with ongoing compliance. If necessary, additional focused technical risk testing and mitigation services, as well as specific remediation efforts, are available.
Let us help you take the first step toward compliance.
Please contact us for more information at Bob@training-hipaa.net or call (515) 865-4591.