HIPAA Security Risk Analysis

Redspin's HIPAA Security Risk Analysis and Internal Security Assessment utilizes a risk-based approach to manually identify critical infrastructure vulnerabilities throughout your entire enterprise. This assessment focuses on six primary areas of your control environment:
  • Ensuring you are protected from short and long term disasters
  • Ensuring your sensitive data is secure
  • Ensuring you have sufficient information to make risk management decisions
  • Ensuring your network is secure
  • Ensuring your business associates are sufficiently protecting your ePHI
  • Ensuring your workstations and servers are deployed according to best practices

The goal of this assessment is to accurately and cost-effectively isolate areas of risk and provide actionable recommendations (both strategic and technical) for improvement.

This assessment sends expert security engineers into your environment to talk with key system owners to understand your business, to leverage a risk-based approach that focuses on the areas most critical to your operations, and to validate that all implemented technical and non-technical controls are configured as expected.

Why perform a HIPAA Security Risk Analysis and Internal Security Assessment?

  • To initiate a HIPAA Security Risk Analysis by performing a gap analysis to the standards defined in the Security Rule of the Administrative Provisions in Title II of HIPAA.
  • Provide a "fresh set of information security eyes" to review infrastructure and policies and procedures.
  • Deliver benchmarks to help compare your Information Security Program to your peers.
  • Satisfy the meaningful use requirement to "Protect electronic health information."
  • Know the high-risk issues on which your organization needs to focus.

Scope

The scope of our HIPAA Security Risk Analysis and Internal Security Assessment is informed by a variety of sources:

  • Experienced Redspin Personnel and our proprietary list of infrastructure vulnerabilities and control deficiencies collected during our work on hundreds of information security assessments over the last ten years.
  • Best Practices — Redspin uses our own independent research, professional exchanges, industry and other recognized standards including ISO 27001 and NIST federal guidelines to keep our scope in line with the latest IT security, availability, and operational analysis appropriate for the size, business operations complexity, and technology presence for any organization.
  • HIPAA — "An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule", NIST Publication 800-66 Revision 1, October 2008.
  • NIST — Risk Management Guide for Information Technology Systems (Special Publication 800-30), NIST (National Institute of Standards and Technology), October 2001.

Performing this assessment on a periodic basis will also help address specific HIPAA/HITECH regulatory requirements.

HIPAA Healthcare Assessment Diagram

Some of the Questions a HIPAA Security Risk Analysis and Internal Security Assessment Answers Include:

Business Associate Oversight —
Do you trust your vendors with your sensitive information?
  • Have the necessary reports been collected and reviewed from each business associate that demonstrate they are safeguarding the ePHI?
Business Continuity —
What will happen during the next natural disaster?
  • Has the criticality of ePHI applications and their supporting infrastructure been defined and documented?
Data Security —
Is ePHI sufficiently protected?
  • Is all sensitive information stored on portable media, such as laptops, adequately protected?
  • Have procedures been implemented to verify that a person or entity seeking access to ePHI is the one claimed?
  • Is a record maintained of the movements of hardware and electronic media that contain ePHI and the person responsible?
Information Security Program —
Can I manage my risk better?
  • Have all information systems, including software and hardware that store, process, or transmit ePHI been identified and documented?
  • Has an accurate and thorough assessment (Risk Assessment) of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the covered entity been performed? Is it up-to-date?
  • Has an individual been assigned the final responsibility for security? If so, are these responsibilities documented in his or her job description?
  • Have policies and procedures been put in place to identify and respond to suspected or known security incidents?
Network Analysis —
Is our network secure?
  • Are the firewalls and other network devices actually configured to implement the domains the way we think they are?
  • Do we allow remote access in a secure way that minimizes risk?
  • What cost-effective actions can we take to improve logging and monitoring?
Personnel Security —
Do you trust your employees with your sensitive information?
  • Has a security awareness and training program for all members of the workforce (including management) been implemented including periodic security updates?
Physical Security —
Who can access our network?
  • Have procedures to control and validate a person's access to facilities based on their role or function, including visitor control, been implemented?
System Analysis —
Are our workstations and servers configured securely?
  • Do we have appropriate password requirements?
  • Do our users have the capability to override the security configurations of their workstations?
  • Are unique names and/or numbers assigned for identifying and tracking user identity on all electronic information systems that process ePHI?