What is HIPAA Risk Analysis?

The first step toward HIPAA compliance is an entity's capacity to run a risk analysis. This is one of the requirements of the HIPAA Security Rule, set out in Section 164.308(a)(1) under the Security Management Process standard of the Administrative Safeguards. The program brings benefits beyond compliance itself, since an organization that carries it out will not only be HIPAA compliant but will also be effective at risk management and analysis. In any case, compliance is not optional; it is mandatory.

Objective of HIPAA Security Risk Analysis/Assessment:

The main goal of running a HIPAA Risk Analysis is to assess the possible risks and threats to the integrity, privacy, and protection of Electronic Protected Health Information (EPHI) and to establish the most appropriate safeguards needed to bring those risks to an acceptable level. This also ensures that the controls, and the expenditure on them, are commensurate with the risks to which the organization is exposed.

One of the most effective ways of carrying out a risk analysis is to assess potential risks and address them efficiently so that they remain at acceptable levels. This comprises identifying the data that needs protection, where it is stored, and how it is used. These assessments form the foundation of the technologies, security measures, and practices by which all EPHI should be protected. It also means understanding the roles and functions of the organization and identifying possible risks and threats to EPHI and to the entity's assets, especially sensitive ones.

Project Scope

Administrative Safeguards

  1. Risk analysis procedures and demonstration of a risk management process;
  2. Policies and procedures relevant to operational security, including business associate security requirements;
  3. Information access restriction requirements and controls;
  4. Incident response procedures and disaster recovery plan; and
  5. Evidence of periodic technical and nontechnical reviews.

Physical Safeguards

  1. Physical access controls, such as building access and appropriate record keeping;
  2. Policies and procedures for workstation security; and
  3. Proper usage, storage, and disposal of data storage devices.

Technical Safeguards

  1. Auditing and audit procedures;
  2. Use of encryption devices and tools;
  3. Implementation of technology to ensure ePHI confidentiality, integrity, and availability.

Project Methodology

The Proprietary Defense First Security Methodology goes beyond the HIPAA Security Rule's requirements for EPHI protection and also addresses the protection of the organization's information across all of its assets.

The methodology therefore gives an appropriate framework that the organization can use to protect its information and assets. It is based on the BS 7790 and ISO 27002 security standard domains as well as the CMS, NIST, and CobIT frameworks. The following are the steps used to carry out a HIPAA Risk Analysis.

Step 1 – Inventory & Classify Assets
Step 2 – Document Likely Threats to Each Asset
Step 3 – Vulnerability Assessment
Step 4 – Evaluate Current Safeguards
Step 5 – Document Risks
Step 6 – Recommend Appropriate Safeguards
Step 7 – Create Report of Results
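To make the seven steps concrete, here is an added example (not part of this page or of the Supremus Group methodology) that models steps 1 to 7 as a small risk register in Python: assets are inventoried and classified, threats recorded per asset, current safeguard effectiveness scored, residual risk computed and rated, and recommendations emitted for the report. The assets, threats, scores and rating bands are constructed assumptions, not values from any real assessment.

```python
from dataclasses import dataclass, field

@dataclass
class Threat:
    description: str
    likelihood: int                 # 1 (rare) .. 5 (almost certain), ignoring controls
    impact: int                     # 1 (negligible) .. 5 (severe) to EPHI C/I/A
    safeguard_effectiveness: float  # step 4: 0.0 (no control) .. 1.0 (fully mitigated)
    recommendation: str             # step 6: safeguard to recommend if risk remains

@dataclass
class Asset:
    name: str
    classification: str             # step 1: e.g. "EPHI", "internal", "public"
    threats: list = field(default_factory=list)  # step 2: threats to this asset

def residual_risk(t: Threat) -> float:
    """Step 5: inherent risk (likelihood x impact) reduced by current safeguards."""
    return round(t.likelihood * t.impact * (1.0 - t.safeguard_effectiveness), 1)

def rating(score: float) -> str:
    """Map a residual score (max 25) onto three bands; thresholds are assumptions."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"

def build_register(assets: list) -> list:
    """Step 7: one row per asset/threat pair, highest residual risk first."""
    rows = [{"asset": a.name, "class": a.classification, "threat": t.description,
             "residual": residual_risk(t), "rating": rating(residual_risk(t)),
             "recommend": t.recommendation if residual_risk(t) >= 8 else "accept"}
            for a in assets for t in a.threats]
    return sorted(rows, key=lambda r: r["residual"], reverse=True)

# Constructed sample inventory; not a real client environment.
SAMPLE_ASSETS = [
    Asset("EHR database server", "EPHI", [
        Threat("Unpatched OS exploited from internal network", 4, 5, 0.25,
               "Monthly patch cycle and host-based IDS"),
        Threat("Backup media lost in transit", 2, 5, 0.9,
               "Encrypt backups; log chain of custody")]),
    Asset("Reception workstation", "EPHI", [
        Threat("Unattended session viewed by visitors", 3, 3, 0.0,
               "Auto-lock after 5 minutes; privacy screens")]),
    Asset("Public website", "public", [
        Threat("Defacement", 3, 2, 0.5, "WAF and change monitoring")]),
]

if __name__ == "__main__":
    for r in build_register(SAMPLE_ASSETS):
        print(f'{r["rating"]:6} {r["residual"]:5} {r["asset"]:22} {r["threat"]} -> {r["recommend"]}')
```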


Technical Vulnerability Assessment

External Penetration Testing:

This refers to tests of the servers, underlying software, and infrastructure that hold or process EPHI. The test can be done in one of two ways: with full knowledge of the environment and topology of the site, or without any prior knowledge of the site. It is normally very comprehensive, since it covers the following areas:

  1. Publicly available information about the client
  2. Identification and assessment of the target host during the network enumeration phase
  3. Analysis of security devices such as routers and firewalls

Any risks identified are verified and their implications assessed.

Network Vulnerability Assessment

This mainly focuses on assessing all the loopholes and weak points an attacker could exploit behind your firewalls. It should include a thorough analysis of the computers, servers, IP addresses, and network devices used on your network. Other areas that need assessment include vulnerabilities in your operating systems, web server platforms, routers, mail servers, hubs, and switches. After a comprehensive assessment, you should receive details on how to fix each finding.

Wireless/Remote Access (RAS) Security Assessment

The wireless security assessment mainly evaluates the vulnerability of an entity's wireless AP configurations and tests their range in terms of accessibility from an external source. It should also help uncover any unauthorized access from an external source to the client's network and EPHI data and, more generally, assess the possibility of any access through wireless APs, whether authorized or unauthorized.

Vulnerability Assessment Tools

There are a number of risk analysis and assessment tools that can be used to assess the vulnerability state of an entity's networks and systems, including, but not limited to:

  1. SamSpade Tools
  2. Nmap
  3. Nessus Vulnerability Scanner
  4. Microsoft Baseline Security Analyzer (MBSA)
  5. QualysGuard
  6. STAT Scanner
  7. ISS Internet Scanner

Security professionals need to be familiar with using these tools and understand their capabilities for functions such as reporting.

Key Deliverables of HIPAA Security Risk Analysis/Assessment Report

Upon completion of the project, the client will be issued the following deliverables:

  1. Written documentation covering the recommendations, findings, and approaches relevant to the project, including:
     1. The matrices of risks and threats surrounding the client's electronic information or data, including the scope and likelihood of such threats given the entity's present safeguards and the security measures needed to address them.
     2. Detailed exhibits of the risks and threats.
     3. Identification of the client's sub-standard technical and non-technical measures with respect to the specifications of the HIPAA Security Rule.
     4. A comprehensive report on the corrective measures needed for the identified risks, threats, and vulnerabilities.
     5. A comparison of the existing policy templates against the HIPAA rules and regulations templates.
  2. An executive summary comprising the approach, scope, findings, and recommendations for senior/executive management.
  3. A formal on-site presentation of the findings and recommendations to the client's senior management.

Benefits of HIPAA Security Risk Analysis/Assessment

  1. Clients come to appreciate the intricacies of security threats.
  2. A client will be able to take the necessary measures through a completely documented solution for protecting EPHI data.
  3. Any extra security measures normally imply additional spending on security, so such an investment should be justified against the costs that come with a security compromise.
  4. Clients also get a comprehensive plan of action for becoming compliant.
  5. The risk assessment program applies to a wide range of job classifications in entities that handle EPHI, which increases security awareness across the organization's workforce.
  6. The main benefit of applying a security analysis to any system is that it should help create objective security reviews and approaches within the organization that are equally applicable to different business systems.

How can Supremus Group help your Compliance Efforts?

We can help you in three different ways depending on your need, involvement, time, available IT resources, and budget.

  1. OPTION 1: If you are in a hurry to complete the HIPAA Risk Analysis and don't have internal resources to devote fully to this project, we can independently complete the project for you. The only involvement required will be providing information about your infrastructure, policies, and processes.
  2. OPTION 2: If you have internal staff who can devote their time and their security and HIPAA knowledge to this project but don't know the methodology, we will provide a project manager to work with your team and help complete the compliance project.
  3. OPTION 3: If you have all the necessary resources for the Risk Analysis project but need to save time on documentation, you can use our HIPAA Risk Analysis template documents. These templates ensure that you gather all the required information before starting the project. The findings and recommendations will be mapped to the HIPAA regulations.

Many IT security consulting companies and HIPAA consultants use our HIPAA Risk Analysis templates in their projects to save time and to present findings and recommendations mapped to the HIPAA regulations.

Have Already Completed a Risk Assessment?

Our security team provides independent validation and/or periodic reviews of your progress with ongoing compliance. If necessary, additional focused technical risk testing and mitigation services, as well as specific remediation efforts, are available.

View HIPAA Security Policies and Procedures

Let us help you with your compliance first step.

Please contact us for more information at Bob@supremusgroup.com or call (515) 865-4591.