
Risk Assessment

Protect PHI, meet HIPAA requirements, and lower your organization’s security risk.

Meet Your Requirements, Lower Your Security Risk

Redspin is a trusted security adviser throughout the healthcare industry. We’ve helped hundreds of covered entities navigate HIPAA security, lower risk, and protect against devastating data breaches.

All covered entities and business associates (BAs) are required to conduct or update an IT security risk analysis on a regular and ongoing basis. This means identifying risks and vulnerabilities that could endanger or expose protected health information (PHI). Then, you must implement policies, procedures, and other measures in order to prevent security violations, and reduce vulnerabilities to an appropriate level.

We provide expert guidance and experienced healthcare security teams for all HIPAA security policy, procedure, and technical assessments. Every engagement is tailored to deliver the highest return on investment, an accelerated remediation process, and lower security risk.

We provide clear, concise, risk-rated findings with zero false positives, and our prioritized, actionable recommendations resolve security issues quickly while maintaining your organization’s connectivity and productivity.


HIPAA Risk Assessment

As the leader in healthcare IT security, Redspin has helped hundreds of covered entities and business associates safeguard PHI while fulfilling their security risk analysis requirements under HIPAA and/or Meaningful Use. Redspin’s HIPAA security risk analysis is conducted in accordance with the Security Rule administrative safeguards at 45 CFR 164.308(a)(1) and 45 CFR 164.308(a)(8). It also meets EHR Meaningful Use Incentive Program requirements for eligible hospitals and eligible providers.


This assessment focuses on several key areas of your information technology environment, including:

  • Ensuring your policies and procedures are appropriately developed and implemented.
  • Ensuring you are prepared for security incidents and disasters.
  • Ensuring your sensitive data is secure, with particular focus on your EMR environment and connected applications.
  • Ensuring you have sufficient information to make risk management decisions.
  • Ensuring your network is secure and network connections are well managed.
  • Ensuring you are prepared for migration to SaaS and cloud services.
  • Ensuring your workstations and servers are deployed according to best practices.
  • Ensuring you have adequate physical security controls in areas containing healthcare information and wherever patient privacy is paramount.
  • Ensuring your medical device vendors are securing their devices to HIPAA standards and industry best practices.

HIPAA Risk Assessment Scope

Each covered entity, from hospitals to service providers, incurs a different level of security risk and faces different challenges depending on the nature of its business. While all healthcare organizations need sound HIPAA policies and procedures in place, additional areas of risk need to be carefully identified, assessed, and managed.

Redspin’s HIPAA risk assessments are tailored to provide the best return on investment based on your organization’s size, complexity, and capabilities. We not only help you achieve compliance, we deliver the most effective ways to protect confidential information and lower your risk of a breach.

Risk Management

Ensure sufficient information and resources are available to make appropriate risk management decisions.

Policy & Procedures

Ensure IT security policies and procedures are appropriately developed and implemented.

Incident & Disaster Preparedness

Ensure staff are educated and prepared for security incidents and disasters.

Business Associate (BA) Management

Ensure there is appropriate oversight of business partners & associates, including service providers.

Data Security

Ensure PHI and other sensitive data is secure, with particular focus on the EHR environment.

Network Security

Ensure the network is appropriately secured, monitored, and connectivity is well managed & controlled.

Infrastructure Security

Ensure servers, workstations, and services are deployed according to best practices.

Application Security

Ensure web/mobile applications, cloud services, and APIs are deployed according to best practices.


Redspin’s proven methodology brings together the right combination of technical and non-technical analysis to identify vulnerabilities across all areas of the organization. Analysis begins with a planning phase, moving to on-site data discovery, and concluding with off-site analysis and delivery of the final report.

On-site discovery and analysis is iterative: stages are revisited as information is gathered, and the growing knowledge of the environment provides context for further evaluation.

Workflow includes the following steps:

  • Identification of existing technical and non-technical controls.
  • Analysis of network, systems, data and business policies and procedures.
  • Reporting recommendations for efficient and cost-effective solutions.

While on-site, the security engineering team uses a combination of technical and non-technical methods, including:

  • Interviews with your team.
  • Physical walk-throughs of the hospital campus.
  • Data collection through observation.
  • Automated and manual network scanning.
  • Administrator-credentialed network access.
  • Configuration reviews.
  • Network flow analysis.

Physical security and the overall security awareness of staff are critical, and linked, elements of the observations and walk-throughs. Walk-throughs typically include relevant buildings, patient areas, and additional areas of importance.

When the engagement is complete, we deliver:

  • Actionable, Risk-Rated, Prioritized Report
    Our comprehensive HIPAA Risk Assessment report details overall risk and potential impact on the organization, as well as ranked recommendations to mitigate vulnerabilities as quickly and as efficiently as possible.
  • Post-Engagement Management Review
    Our security engineers provide more detailed explanations of findings, risk, and recommendations, and hold a Q&A session to address any concerns you may have. Redspin also gives you the opportunity to provide formal management responses describing your organization’s response and follow-up actions, which are documented alongside each finding in the final report.