HIPAA Security Risk Assessment

Security threats find and exploit specific flaws in your system to access Protected Health Information (PHI).

Our team uses advanced threat identification to identify potential issues and remediate them before they affect your business. 

As part of our HIPAA security risk assessment services, we divide threats into three categories:

• Human threats created or instigated by human beings
• Natural threats caused by what insurance companies call “Acts of God”
• Environmental threats that arise from the inherent nature of information systems

Partner with us and benefit from a risk based network and security risk assessment that provides valuable insight into these and other threats.

Vulnerabilities exist in technology (unpatched servers), processes (inadequate termination of accounts) or people (shared passwords).

As a result, a “system characterization”, or inventory of how your information flows and is used within your organization, is vital for a security assessment. 

If your systems have been defined and analyzed well, the vulnerability assessment process becomes much easier to perform on a regular basis.

A control analysis assesses the capabilities of your existing set of controls to meet your environment’s needs. 

It can identify vulnerabilities within existing policies, procedures or standards that may be in violation.

There are typically three types of controls for identified risks:

• Preventative: Lowers the likelihood of the threat exploiting the vulnerability
• Mitigating: Lowers the impact should the threat exploit the vulnerability
• Detective: Alerts management that the threat has exploited the vulnerability

Likelihood determination considers the threat motivation and ability, the nature of the vulnerability, and current and planned controls. 

Our HIPAA security risk assessment uses a three-tiered risk analysis assessment to determine likelihood:

• High: The threat will successfully exploit the vulnerability more than once a year.
• Medium: The threat will successfully exploit the vulnerability less than once a year, but more than once every five years.
• Low: The threat will successfully exploit the vulnerability less than once every five years.

In the absence of any historical data, our team will use its expertise to identify vulnerabilities.

Our risk management experts analyze that impact of lost confidentiality, data integrity, and the effect of any current or planned mitigating controls. 

For a recent client, we suggested a three-tiered risk analysis methodology that determines the impact of security vulnerabilities:

• High: The impact will cost more than 0.1% of covered entity revenue in financial outlays, require more than 400 hours of labor to repair, endanger patient safety, or damage a covered entity’s reputation for security.
• Medium: The threat will cost more than 0.01% of revenue in financial outlays or require more than 40 hours of labor to repair.
• Low: The threat will cost less than 0.01% of revenue or require less than 40 hours of labor to repair.

Risk determination is a combination of the impact rating and the likelihood determination. 

When we conduct our vulnerability assessment in network security, we use a three-tiered approach to quickly make decisions. 

Response speed is critical when an incident occurs, and having a ready way to gauge identified risks is crucial.

The area marked with an asterisk (*) is potentially problematic. These are low-likelihood, high-impact events that are more difficult to predict. 

As part of the risk management process, the Compliance Group, IT Security Committee or the Audit Committee should review all risks assigned to this area.

Our security vulnerabilities review determines if risks are appropriately ranked. It also identifies additional controls required to avoid data breaches.

Based on the determination of risk, your organization will need a roadmap for future implementation of security measures. 

Our network and security assessment empowers your management team to make educated decisions about security. 

They can either accept each network security risk as it stands or alleviate some of the risk by imposing additional controls. 

This is an especially useful exercise since it includes approvals, scheduling, and budgeting for additional control implementation.

It is vital to document all results of your network vulnerability assessment.

As compliance experts who prepare numerous clients for HIPAA audits, we understand the value of excellent documentation for a security assessment. 

Our team will work with you to produce a well-written, readily available document that describes your entire risk analysis process to foster confidentiality and integrity for your organization.