HIPAA Security Risk Assessment and Risk Analysis Management

What is HIPAA Risk Analysis?

One of the first few steps to being HIPAA compliant is by making sure your organization can carry out a risk analysis. This is one of the critical requirements of the Security Management Process standard within Administrative Safeguards under the HIPAA Security Rule, Section 164.308 (a)(1). It is noted that covered entities reap the most benefits since they will not only be HIPAA compliant but will be efficient in Risk Analysis and Management. However, it is essential to note that being HIPAA compliant is not an option but a MUST to avoid being penalized.

The HIPAA Security Risk Analysis/Assessment Objective

The core objective of the HIPAA risk analysis is to assess and document any particular weaknesses or risks in regards to the integrity, availability, and confidentiality of a patient’s electronic health information. Furthermore, it is also to establish parameters on the ideal security measures to ensure risks are at an appropriate and manageable level. The risk assessments are crucial to an organization since they assist in placing relevant standards and controls to ensure that the organization’s expenditure is commensurate to risks related to costs or risks the entity is exposed to.

Therefore, as long as an organization’s security can identify the risk levels facing its organization, then it may not be effective in addressing them. This means that the security program should not only be able to identify data that needs protection and transmission security measures but should also have policies, technologies, and practices that can ensure that. Risk analysis of an organization is also assessing potential risks, threats, and weaknesses related to its assets and information.

Use our free high-level self-assessment HIPAA risk analysis tool to see where you are with your compliance efforts.

Already cleared the HIPAA Security Assessment?

Our HIPAA security team will generally issue you with an independent and/or periodic review of your progress to being HIPAA compliant. If required, there will be additional technical risk testing, improvement services, and remediation efforts where applicable.

HIPAA Risk Assessment Scope

Administrative Safeguards

The demonstration and analysis of risk procedures of the risk management process
Understanding procedures and policies related to operational security which includes the requirements of a business associate security.
security requirements and controls to information access
Disaster recovery plans and procedures to incident responses
Evidence of regular technical and non-technical analysis.

Physical Safeguards

Access controls to buildings and record-keeping departments
Workstation policies and procedures
Appropriate disposal, usage, and storage of data storage gadgets or devices

Technical Safeguards

Procedures for Auditing and conducting audits
The use of encryption tools and devices
The implementation of relevant technology will ensure the availability, confidentiality of a patient’s e-Health information.

HIPAA Risk Analysis Methodology
This methodology does not only ensure that the HIPAA Security requirements are met by the organization but will also go further in protecting an organization’s information on its assets besides its electronic Protected Health information.

The first thing the Defense first security methodology does is give you a framework that will assist you to protect your entity’s information and assets. This framework is based on the BS 7799 and ISO 27002 security standards and the CMS, CobIT, and NIST frameworks. Some of the steps on the HIPAA Risk Analysis are:

Step 1 – Inventory & Classify Assets
Step 2 – Document Likely Threats to Each Asset
Step 3 – Vulnerability Assessment
Step 4 – Evaluate Current Safeguards
Step 5 – Document Risks
Step 6 – Recommend Appropriate Safeguards
Step 7 – Create Report of Results

HIPAA Security Technical Vulnerability Assessment

External Penetration Testing

These are tests conducted on the infrastructure, servers, and related software. However, it is important to note that this is maybe done without any knowledge of the site or with full information of the environment and topology. This is a comprehensive test comprising of analysis on the available information of a client, identification, and analysis target hosts on the network enumeration phase as well as routers, firewalls, and other security devices. After the analysis, any threats or vulnerabilities within your target hosts will be analyzed and their implications assessed.

Network Vulnerability Assessment

This type of assessment will analyze all the facets of your network including those behind your firewall and identify any security risk that a hacker might exploit. The Network Vulnerability Assessment will assess your computer, network, IP address, and server device on your network. Other network systems to be analyzed for vulnerabilities will include your Operating systems, mail server, and router, web server platforms, hub, and switch. Once the vulnerabilities have been identified then you will be given details on how to address and fix them.

Wireless/Remote Access Assessment (RAS) Security Assessment

The main goal of this assessment is to establish the vulnerability state of your wireless APs, it should also assess the accessibility to a client’s property from outside using a wireless network. The bottom line is that this will determine how much access an external AP to a client’s ePHI network has whether authorized or unauthorized.

Vulnerability Assessment Tools

There are various types of tools that can be used to do a risk analysis and determine the vulnerability levels of an organization’s networks and systems. Some of these tools are as follows.

SamSpade Tools
QualysGuard
Nmap
STAT Scanner
Nessus Vulnerability Scanner
ISS Internet Scanner
Microsoft Baseline Security Analyzer (MBSA)

Security staff who will handle these tools need to be familiar with them and understand how they function e.g. reporting.

Key Deliverables of HIPAA Security Risk Analysis Report

Upon the completion of the project the client will be issued with the following deliverables:

a. A written document on the various recommendations, approaches, and findings related to the project which will include:

Matrix of risks and threats to the client’s electronic data or information which includes the probability and the implications of each threat depending on (a)Current security measures of the Client (b)Recommended security measures
Support on detailed documentation on the risks and threats
A list of missing technical and non-technical requirements as per the HIPAA Security regulations on the client.
A report on relevant remediation measures and recommendations for the identified threats, risks, and loopholes.
Security policy template based on the HIPAA regulations and recommendations to existing policies.

b. An executive summary report to the senior management that summarizes the approach, findings, recommendations, and scope.
c. An official presentation to the client’s senior management on the findings and recommendations.

Benefits of HIPAA Security Risk Analysis

The client comes to fully appreciate the prevailing security issues
The clients will be issued with a comprehensively documented solution that should assist in the employment of necessary measures towards a secure EPHI
Most of the time, when it comes to employing security measures in an organization it usually means an extra expense to the organization’s budget, therefore, this process should be able to justify the risk’s relevance in business terms.
A plan of action is usually put in place to ensure clients are on a road to HIPAA compliance.
There are numerous ways of applying for the risk assessment program and relaying its significance to various staff members effectively.
In addition, the application of a HIPAA Security Risk Analysis is that it will comprehensively address all security issues in an objective and consistent manner to all business systems.
Furthermore, the training will be conducted by experienced HIPAA-trained professionals who have a track record of successful implementation of solutions and who are certified in this security area.

How Supremus Group can assist in becoming Compliant

There are normally three different ways we can help in meeting this objective and this will be determined by your time, available IT resources, involvement, and your budget.

The first option is having us do the project for you especially if you need to clear your HIPAA risk analysis fast and you do not have the internal resources to do so. All we will need from you is personal information regarding your policies, processes, and infrastructure.
The second option is hiring a project manager from our team especially if you have a number of workers/employees who can dedicate their time to learning risk analysis but do not have the methodology.
The third option is by using any of our HIPAA Risk Analysis template documents since you have all the necessary resources to do this but you wish to save on time. The templates contain comprehensive information on how you can be HIPAA compliant and will have various recommendations on how you should be able to do just that.

There are many people who have used these HIPAA Risk Analysis templates in their projects especially IT security consulting firms and HIPAA consultants and have come to realize that they can learn how to remain HIPAA compliant and still save on time since the templates are based on HIPAA regulations.

Have you already cleared the HIPAA security Assessment?

Our HIPAA security team will normally issue you with an independent and/or periodic review of your progress to being HIPAA compliant. If required, there will be additional technical risk testing, improvement services, and remediation efforts where applicable.

Let us help you with your compliance first, step.

Please contact us for more information at Bob@hipaatraining.net or call (515) 865-4591.

View HIPAA Security Policies and Procedures

USER RATING: HIPAA Risk Assessment and Management Consultant is rated 4.8 out of 5 by 1503 users.