HIPAA Security Risk Assessment and Risk Analysis Management
What is the HIPAA Risk Analysis?
Actually one of the first few steps to being HIPAA compliant is by making sure your organization can carry out a risk analysis. In fact, this is one of the key requirements of the Security Management Process standard within Administrative Safeguards under the HIPAA Security Rule, Section 164.308 (a)(1). It is noted that covered entities reap the most benefits since they will not only be HIPAA compliant but will be efficient in Risk Analysis and Management. However, it is important to note that being HIPAA compliant is not an option but a MUST to avoid being penalized.
The HIPAA Security Risk Analysis/Assessment Objective
The core objective of the HIPAA risk analysis is to assess and document any particular weaknesses or risk in regards to the integrity, availability and confidentiality of a patient’s electronic health information. Furthermore, it is also to establish parameters on the ideal security measures to ensure risks are at an appropriate and manageable level. The risk assessments are crucial to an organization since they assist in placing relevant measures and controls to ensure that the organization’s expenditure is commensurate to risks related costs or risks the entity is exposed to.
Therefore, as long as an organization’s security able is to identify the risks levels facing its organization then it may not be effective in addressing them. This means that the security program should not only be able to identify data that needs protection and transmission security measures but should also have policies, technologies and practices that can ensure that. In addition, risk analysis of an organization is also assessing potential risks, threats and weaknesses related to its assets and information.
HIPAA Risk Assessment Scope
- The demonstration and analysis of risk procedures of risk management processes
- Understanding procedures and policies related to operational security which includes the requirements of a business associate security.
- security requirements and controls to information access
- Disaster recovery plans and procedures to incident responses
- Evidence of regular technical and non technical analysis.
- Access controls to buildings and record keeping departments
- Workstation policies and procedures
- Appropriate disposal, usage and storage of data storage gadgets or devices
- Procedures for Auditing and conducting audits
- The use of encryption tools and devices
- The implementation of relevant technology that will ensure the availability, confidentiality of a patient’s e-Health information.
HIPAA Risk Analysis Methodology
This methodology does not only ensure that the HIPAA Security requirements are met by the organization but will also go further in protecting an organization’s information on its assets besides its electronic Protected Health information.
The first thing the Defensefirst security methodology does is give you a framework that will assist you protect your entity’s information and assets. This framework is based on the BS 7799 and ISO 17799 security standard and the CMS, CobIT and NIST frameworks. Some of the steps on the HIPAA Risk Analysis are:
Step 1 – Inventory & Classify Assets
Step 2 – Document Likely Threats to Each Asset
Step 3 – Vulnerability Assessment
Step 4 – Evaluate Current Safeguards
Step 5 – Document Risks
Step 6 – Recommend Appropriate Safeguards
Step 7 – Create Report of Results
HIPAA Security Technical Vulnerability Assessment
External Penetration Testing
These are tests conducted on the infrastructure, servers and related software. However, it is important to note that this maybe done without any knowledge of the site or with full information of the environment and topology. This is a comprehensive test comprising of analysis on the available information of a client, identification and analysis target hosts on the network enumeration phase as well as routers, firewalls and other security devices. After the analysis, any threats or vulnerabilities within your target hosts will be analyzed and their implications assessed.
Network Vulnerability Assessment
This type of assessment will analyze all the facets of your network including those behind your firewall and identify any security risk that a hacker might exploit. The Network Vulnerability Assessment will assess your computer, network, IP address and server device on your network. Other network systems to be analyzed for vulnerabilities will include your Operating systems, mail server and router, web server platforms, hub and switch. Once the vulnerabilities have been identified then you will be given details on how to address and fix them.
Wireless/Remote Access Assessment (RAS) Security Assessment
The main goal of this assessment is to establish the vulnerability state of your wireless APs, it should also assess the accessibility to a client’s property from outside using a wireless network. The bottom line is that this will determine on how much access an external AP to a client’s ePHI network has whether authorized or unauthorized.
Vulnerability Assessment Tools
There are various types of tools that can be used to do a risk analysis and determine the vulnerability levels of an organization’s networks and systems. Some of these tools are as follows.
- SamSpade Tools
- STAT Scanner
- Nessus Vulnerability Scanner
- ISS Internet Scanner
- Microsoft Baseline Security Analyzer (MBSA)
Security staff who will handle these tools need to be familiar with them and understand how they function e.g. reporting.
Key Deliverables of HIPAA Security Risk Anaylsis Report
Upon the completion of the project the client will be issued with the following deliverables:
a. A written document on the various recommendations, approach and findings related to the project which will include:
- Matrix of risks and threats to the client’s electronic data or information which includes the probability and the implications of each threat depending on: (a)Current security measures of the Client (b)Recommended security measures
- Support on detailed documentation on the risks and threats
- A list of missing technical and non-technical requirements as per the HIPAA Security regulations on the client.
- A report on relevant remediation measures and recommendations for the identified threats, risks and loop holes.
- Security policy template based on the HIPAA regulations and recommendations to existing policies.
b. An executive summary report to the senior management that summarizes the approach, findings, recommendations and scope.
c. An official presentation to the client’s senior management on the findings and recommendations.
Benefits of HIPAA Security Risk Analysis
- Client come to fully appreciate the prevailing security issues
- The clients will be issued with comprehensive documented solution that should assist in the employment of necessary measures towards a secure EPHI
- Most of the time, when it comes to employing security measures in an organization it usually means an extra expense to the organization’s budget therefore this process should be able to justify the risk’s relevance in business terms.
- A plan of action is usually put in place to ensure clients are on a road to HIPAA compliance.
- There are numerous ways of applying the risk assessment program and relaying its significance to various staff members effectively.
- In addition, the application of a HIPAA security Risk Analysis is that it will comprehensively address all security issues in an objective and consistent manner to all business systems.
- Furthermore, the training will be conducted by experienced HIPAA trained professionals who have a track record of successful implementation of solutions and who are certified in this security area.
How Supremus Group can assist you in becoming Compliant
There are normally three different ways we can help in meeting this objective and this will be determined by your time, available IT resources, involvement, and your budget.
- The first option is having us do the project for you especially if you need to clear your HIPAA risk analysis fast and you do not have the internal resources to do so. All we will need from you is personal information regarding your policies, processes and infrastructure.
- The second option is hiring a project manager from our team especially if you have a number of workers/employees who can dedicate their time to learning risk analysis but do not have the methodology.
- The third option is by using any of our HIPAA Risk Analysis template documents since you have all the necessary resources to do this but you wish to save on time. The templates contain comprehensive information on how you can be HIPAA compliant and will have various recommendations on how you should be able to do just that.
There are many people who have used these HIPAA Risk Analysis templates in their projects especially IT security consulting firms and HIPAA consultants and have come to realize that they can learn how to remain HIPAA compliant and still save on time since the templates are based on HIPAA regulations.
Have already cleared the HIPAA security Assessment?
Our HIPAA security team will normally issue you with an independent and/or periodic review on your progress to being HIPAA compliant. If required, there will be additional technical risk testing, improvement services and remediation efforts where applicable.
Let us help you with your compliance first step.
View HIPAA Security Policies and Procedures
Please contact us for more information at Bob@hipaatraining.net or call (515) 865-4591.