One of the first steps toward HIPAA compliance is making sure your organization can carry out a risk analysis. In fact, this is one of the key requirements of the Security Management Process standard within the Administrative Safeguards of the HIPAA Security Rule, Section 164.308(a)(1). Covered entities reap the most benefit, since they will not only be HIPAA compliant but will also become efficient at risk analysis and management. However, it is important to note that HIPAA compliance is not optional but a MUST if penalties are to be avoided.
The core objective of the HIPAA risk analysis is to assess and document any weaknesses or risks to the integrity, availability, and confidentiality of patients’ electronic health information. It also establishes which security measures are needed to keep risks at an appropriate and manageable level. Risk assessments are crucial to an organization because they help put relevant measures and controls in place, ensuring that the organization’s security expenditure is commensurate with the risks it is exposed to and the costs associated with them.
Unless an organization’s security program is able to identify the risk levels facing the organization, it will not be effective in addressing them. This means the security program should not only be able to identify the data that needs protection and the transmission security measures required, but should also have the policies, technologies, and practices to ensure that protection. In addition, an organization’s risk analysis also assesses the potential risks, threats, and weaknesses related to its assets and information.
This methodology not only ensures that the organization meets the HIPAA Security Rule requirements but also goes further, protecting the organization’s information and assets beyond its electronic Protected Health Information (ePHI).
The first thing the Defense first security methodology does is give you a framework to help protect your entity’s information and assets. This framework is based on the BS 7799 and ISO 27002 security standards and on the CMS, COBIT and NIST frameworks. Some of the steps of the HIPAA Risk Analysis are:
Step 1 – Inventory & Classify Assets
Step 2 – Document Likely Threats to Each Asset
Step 3 – Vulnerability Assessment
Step 4 – Evaluate Current Safeguards
Step 5 – Document Risks
Step 6 – Recommend Appropriate Safeguards
Step 7 – Create Report of Results
These are tests conducted on the infrastructure, servers, and related software. They may be done with no prior knowledge of the site or with full information about the environment and topology. This is a comprehensive test comprising analysis of the available information about a client, identification and analysis of target hosts on the network during the enumeration phase, as well as of routers, firewalls, and other security devices. After the analysis, any threats or vulnerabilities within the target hosts are analyzed and their implications assessed.
This type of assessment analyzes all facets of your network, including those behind your firewall, and identifies any security risk that an attacker might exploit. The Network Vulnerability Assessment covers the computers, network, IP addresses, and server devices on your network. Other systems analyzed for vulnerabilities include your operating systems, mail server, router, web server platforms, hubs, and switches. Once the vulnerabilities have been identified, you will be given details on how to address and fix them.
The main goal of this assessment is to establish the vulnerability state of your wireless access points (APs). It should also assess how accessible a client’s property is from outside via the wireless network. The bottom line is that it determines how much access, authorized or unauthorized, an external AP has to a client’s ePHI network.
There are various tools that can be used to perform a risk analysis and determine the vulnerability levels of an organization’s networks and systems. Some of these tools are as follows.
Security staff who will handle these tools need to be familiar with them and understand how they function, e.g. their reporting features.
Upon completion of the project, the client will be issued the following deliverables:
a. A written document covering the approach, findings, and recommendations related to the project, which will include:
b. An executive summary report to the senior management that summarizes the approach, findings, recommendations, and scope.
c. An official presentation to the client’s senior management on the findings and recommendations.
There are normally three different ways we can help you meet this objective; which one applies is determined by your time, available IT resources, level of involvement, and budget.
Many people, especially IT security consulting firms and HIPAA consultants, have used these HIPAA Risk Analysis templates in their projects and have found that they can learn how to remain HIPAA compliant while still saving time, since the templates are based on the HIPAA regulations.
Have you already cleared the HIPAA Security Assessment?
Our HIPAA security team will issue you an independent and/or periodic review of your progress toward HIPAA compliance. If required, additional technical risk testing, improvement services, and remediation efforts will be provided where applicable.
Let us help you with your first compliance step.
Please contact us for more information at Bob@hipaatraining.net or call (515) 865-4591.