What is HIPAA Risk Analysis?
Risk analysis is often regarded as the first step towards HIPAA
compliance. It is a required implementation specification
under the Security Management Process standard of the Administrative
Safeguards portion of the HIPAA Security Rule, 45 CFR
164.308(a)(1)(ii)(A). An effective risk analysis and risk management
program benefits covered entities well beyond HIPAA compliance
itself, and compliance is not optional: it is mandatory, and failing
to meet it exposes the organization to penalties.
Objective of HIPAA Security Risk Analysis/Assessment:
The overall objective of a HIPAA risk analysis is to document
the potential risks and vulnerabilities to the confidentiality,
integrity, or availability of electronic protected health information
(ePHI) and to determine the appropriate safeguards to bring the
level of risk to an acceptable and manageable level. A HIPAA risk
assessment helps ensure that controls and expenditure are commensurate
with the risks to which the organization is actually exposed.
The key to any effective security program is to understand the
risk level in the organization and then to determine how to
effectively mitigate that risk. This requires identifying
what data your organization needs to protect, where that data
is stored and how it moves. This then provides the basis
for the security policies, practices and technologies that protect
all such data, including electronic protected health information.
Risk analysis requires understanding the core business functions
of the enterprise and then analyzing potential threats to, and
vulnerabilities in, its assets and information. It identifies
the critical business assets and the risks associated with them.
HIPAA Risk Assessment Scope
Administrative Safeguards
• Risk analysis procedures and demonstration of a risk management process;
• Policies and procedures relevant to operational security, including business associate security requirements;
• Information access restriction requirements and controls;
• Incident response procedures and disaster recovery plan; and
• Evidence of periodic technical and non-technical reviews.
Physical Safeguards
• Physical access controls, such as building access and appropriate record keeping;
• Policies and procedures for workstation security; and
• Proper usage, storage, and disposal of data storage devices.
Technical Safeguards
• Auditing and audit procedures;
• Use of encryption devices and tools; and
• Implementation of technology to ensure ePHI confidentiality, integrity, and availability.
HIPAA Risk Analysis Methodology
The proprietary Defensefirst security methodology is used. It
goes beyond the requirements of the HIPAA Security Rule
to safeguard not just electronic Protected Health Information
(ePHI) but the organization's information assets as
a whole.
The Defensefirst security methodology provides the framework
for protecting enterprise assets and information. It has
also been influenced by the domains defined in the ISO
17799 (now ISO/IEC 27002) and BS 7799 security standards, as well
as the COBIT, NIST and CMS frameworks. The following steps are
followed in a HIPAA Risk Analysis project:
Step 1 – Inventory & Classify Assets
Step 2 – Document Likely Threats to Each Asset
Step 3 – Vulnerability Assessment
Step 4 – Evaluate Current Safeguards
Step 5 – Document Risks
Step 6 – Recommend Appropriate Safeguards
Step 7 – Create Report of Results
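Steps 1 through 6 produce, in practice, a risk register: one row per asset/threat pair, scored under the current safeguards and again under the recommended ones. The following Python is an added example of such a register and is not part of the page or of the Defensefirst methodology; the 1 to 5 likelihood and impact scales, the risk = likelihood x impact rule, the High/Medium/Low thresholds, the risk appetite of 8 and the sample clinic assets, threats and safeguards are all assumptions made for illustration.

```python
# Added example (not from the page): a small qualitative risk register of the kind
# Steps 1 through 6 produce. Scales, thresholds and sample data are assumptions.
from dataclasses import dataclass

LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Scenario:
    """One row: an asset (Step 1), a threat (Step 2), the vulnerability it exploits
    (Step 3), the rating under current safeguards (Step 4) and the rating expected
    once the recommended safeguard is in place (Step 6)."""
    asset: str
    threat: str
    vulnerability: str
    current_likelihood: str
    current_impact: str
    recommended_safeguard: str
    residual_likelihood: str
    residual_impact: str


def risk_score(likelihood: str, impact: str) -> int:
    """Score on an assumed 1-25 scale; the Security Rule does not prescribe a scale."""
    return LIKELIHOOD[likelihood] * IMPACT[impact]


def risk_rating(score: int) -> str:
    """Bucket a score into the three bands used in the report (assumed thresholds)."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def build_matrix(scenarios):
    """Step 5: score every scenario before and after treatment, worst current risk first."""
    rows = []
    for s in scenarios:
        current = risk_score(s.current_likelihood, s.current_impact)
        residual = risk_score(s.residual_likelihood, s.residual_impact)
        rows.append({
            "asset": s.asset,
            "threat": s.threat,
            "vulnerability": s.vulnerability,
            "current_score": current,
            "current_rating": risk_rating(current),
            "recommended_safeguard": s.recommended_safeguard,
            "residual_score": residual,
            "residual_rating": risk_rating(residual),
        })
    return sorted(rows, key=lambda r: (-r["current_score"], r["asset"]))


def needs_further_treatment(matrix, appetite=8):
    """Rows whose residual risk still meets or exceeds the accepted level (assumed
    appetite of 8): the recommended safeguard alone does not make them acceptable."""
    return [r for r in matrix if r["residual_score"] >= appetite]


# Constructed sample input for a small clinic; not real findings.
SAMPLE = [
    Scenario("EHR database server", "ransomware", "unpatched OS, no offline backup",
             "likely", "severe", "monthly patching plus tested offline backups",
             "unlikely", "moderate"),
    Scenario("clinician laptops", "theft or loss", "no full-disk encryption",
             "possible", "major", "full-disk encryption and remote wipe",
             "possible", "negligible"),
    Scenario("wireless network", "rogue access point",
             "shared WPA2-PSK, no rogue-AP monitoring",
             "possible", "major", "802.1X authentication and wireless IDS",
             "unlikely", "major"),
    Scenario("backup tapes", "improper disposal", "no media sanitization procedure",
             "unlikely", "severe", "documented sanitization and disposal log",
             "rare", "severe"),
]

if __name__ == "__main__":
    matrix = build_matrix(SAMPLE)
    for row in matrix:
        print(f'{row["current_rating"]:6} {row["current_score"]:2} -> '
              f'{row["residual_rating"]:6} {row["residual_score"]:2}  '
              f'{row["asset"]}: {row["threat"]}')
    for row in needs_further_treatment(matrix):
        print("still above appetite after treatment:", row["asset"])
```

The point of scoring twice is the "(a) current and (b) recommended" comparison: the laptop row drops to Low not because theft becomes less likely but because encryption removes the breach impact, while the wireless row stays at Medium, which tells the reader that the recommended control has to be paired with something else or the residual risk formally accepted and documented.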
HIPAA Security Technical Vulnerability Assessment
External Penetration Testing:
This testing focuses on the servers, infrastructure and
underlying software that make up the target. It may be performed
with no prior knowledge of the site (black box) or with full disclosure
of the topology and environment (white box). It typically
involves a comprehensive analysis of publicly available information
about the client, a network enumeration phase in which target hosts
are identified and analyzed, and analysis of the behavior of security
devices such as screening routers and firewalls. Vulnerabilities
in the target hosts are then identified, verified, and their
implications assessed; verification matters, because an unconfirmed
scanner result is a lead, not yet a finding.
Network Vulnerability Assessment
A Network Vulnerability Assessment checks all aspects of your
network from behind the firewall, that is, from the position of
an insider or of an attacker who has already got past the perimeter,
and identifies potential holes an attacker could exploit. It
analyzes every IP address, computer, server and network device
on your network. Operating systems, web server platforms, mail
servers, and the routers, switches and hubs on your network are
carefully checked for vulnerabilities. Once we identify those
vulnerabilities, you get a detailed explanation of the recommended
fix for each one.
Wireless/Remote Access (RAS) Security Assessment
The goal of a Wireless Security Assessment is to quantify the
vulnerability state of the wireless access point (AP) configurations
and to test the range of the wireless networks to see whether access
can be gained from outside the client's property. It also
discovers whether any rogue (unauthorized) APs are present
on the client's network and, above all, determines whether it
is possible to gain internal access to ePHI via the wireless
APs, both authorized and unauthorized.
Vulnerability Assessment Tools
A number of tools may be used in assessing the vulnerability
of an organization’s systems and networks. Examples of
tools that may be used for risk analysis and vulnerability assessment
include (but are not limited to):
• SamSpade Tools
• QualysGuard
• Nmap
• STAT Scanner
• Nessus Vulnerability Scanner
• ISS Internet Scanner
• Microsoft Baseline Security Analyzer (MBSA)
Security professionals need to be familiar with using these
tools and understand their capabilities for functions such
as reporting. Several of the products in this list (SamSpade, STAT
Scanner, ISS Internet Scanner, MBSA) are no longer maintained; what
matters for the risk analysis is not the particular scanner but that
its output is turned into a verified inventory of hosts, services and
findings that the risk matrix can reference.
Key Deliverables of HIPAA Security Risk Analysis Report
Client will be provided with the following deliverables upon
completion of the project:
a. Written documentation of
the approach, findings, and recommendations associated with
the project, which shall include:
• Matrix of threats and vulnerabilities to client’s
electronic data, including probability and impact of each
threat and vulnerability based on (a) client’s current security measures and (b) recommended security measures
• Supporting detailed exhibits explaining threats and
vulnerabilities
• List of client’s technical and non-technical
deficiencies in comparison with the requirements of HIPAA’s
security regulations
• Detailed report of recommended remediation measures
for each identified threat, vulnerability, and deficiency
• Security policy templates as per HIPAA regulations
and recommendations on existing policies
b. Executive summary report summarizing the scope, approach,
findings, and recommendations in a manner suitable for senior
management; and
c. Formal on-site presentation to client’s senior management
of findings and recommendations.
Benefits of HIPAA Security Risk Analysis
• Clients gain a full appreciation of their current security vulnerabilities.
• A comprehensive, fully documented solution is provided that helps clients make informed decisions regarding the actions needed to secure ePHI.
• Additional security involves additional expense that does not directly generate income, so it should always be justified in financial terms. The risk analysis process directly generates that justification for each security recommendation in business terms.
• A definitive plan of action is developed to put clients on the road to full compliance.
• Wide-scale application of a risk assessment program, by actively involving a broader range of staff, puts security on the agenda for discussion and increases security awareness across the enterprise.
• A major benefit of risk analysis is that it brings a consistent and objective approach to all security reviews, not only across different applications but across different types of business system.
• A team experienced with HIPAA regulations, with a track record of successfully implementing solutions, and fully certified in the area of security.
How can Supremus Group help your compliance efforts?
We can help you in three different ways depending on your
need, involvement, time, available IT resources and budget.
OPTION 1: If you are in a hurry to complete the HIPAA Risk
Analysis and do not have internal resources to devote to the
project, we can complete the project for you independently. Your
only involvement will be providing information about your
infrastructure, policies and processes.
OPTION 2: If you have internal staff members who can devote their
time and their security and HIPAA knowledge to this project but
do not know the methodology, we will provide a project manager to
work with your team and help complete the compliance project.
OPTION 3: If you have all the necessary resources for the Risk
Analysis project but need to save time on documentation, you can
use our HIPAA Risk Analysis template documents. These templates
ensure that you gather all the required information before starting
the project, and the findings and recommendations are mapped to the
HIPAA regulations. Many IT security consulting companies and HIPAA
consultants use our HIPAA Risk Analysis templates in their projects
to save time and to present findings and recommendations mapped
to the HIPAA regulations.
Have Already Completed a HIPAA Security Risk Assessment?
Our security team provides independent validation and/or
periodic reviews of your progress with ongoing compliance.
If necessary, additional focused technical risk testing and
mitigation services, as well as specific remediation efforts,
are available.
Let us help you with your compliance first step.
Please contact
us for more information at Sales@training-HIPAA.net or call (515) 865-4591.