HIPAA Risk Assessments

A rigorous and detailed identification and prioritization of key HIPAA compliance risks.

Ensure your company’s compliance with HIPAA regulations and protect yourself from security breaches and hefty fines.

HIPAA Risk Assessments: A Healthcare Requirement

HIPAA Risk Assessments are a requirement for remaining HIPAA compliant and are designed to help identify potential vulnerabilities within your organization and determine how to remediate them. Working towards remediating any discovered vulnerabilities will help to protect your patients’ information and, from a business perspective, protect you from costly fines for failing to apply best practice security standards within your organization.

Simplify Your Next HIPAA Risk Assessment with MainNerve

Although conducting regular HIPAA risk assessments may seem to be a hassle, the cost of failing to conduct them and remediate risks is much worse. Penalties can include millions of dollars in fines, civil and criminal litigation, restitution, and damage to institutional and professional reputations. At MainNerve, we make the HIPAA risk assessment process painless and simple. Our team has conducted and successfully delivered numerous HIPAA risk assessments to healthcare organizations of all sizes and types—we can help you as well.

In accordance with the law, you must be compliant with the following:

  • HIPAA Security Rule
  • HIPAA Privacy Rule
  • Breach Notification Rule
  • Administrative and Simplifications Rules
  • Medicare and Medicaid Enforced by CMS
  • State Laws

THE MAIN NERVE PROCESS

MainNerve’s team of highly qualified and experienced security experts understands what it takes to implement a comprehensive Information Privacy and Security Program—and how to build a culture of compliance.

HIPAA Risk Assessment

As threats to computer systems grow more complex and sophisticated, risk assessments are an important tool for organizations to rely on as part of a comprehensive risk management program. This security risk assessment will help the customer to:

  • Determine the most appropriate risk responses to ongoing cyber-attacks.
  • Guide investment strategies and decisions for the most effective cyber defenses to help protect your organizational operations (including missions, functions, image and reputation), organizational assets, and employees.
  • Maintain ongoing situational awareness of the security state of your organization’s information systems and the environments in which those systems operate.

The risk assessment methodology and approach will be conducted using the guidelines in NIST SP 800-30, “Risk Management Guide for Information Technology Systems”, in addition to 800-66, “An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act” (HIPAA) Security Rule. The assessment is broad in scope and evaluates security vulnerabilities affecting confidentiality, integrity, and availability of information. The assessment report will recommend appropriate security safeguards, permitting customer management to make knowledge-based decisions about security-related initiatives. The following controls are assessed:

  • Administrative Safeguards: This information includes policies and procedures revolving around the administrative side of protecting networks and resources. These policies and procedures may include information about termination procedures and requirements, when training is conducted, sanction policies, etc.
  • Physical Safeguards: This section assesses the policies and procedures used to protect the physical networks and resources. These safeguards might include locks on doors to server rooms, how access to said server rooms is granted, and who has the authority to grant access.
  • Technical Safeguards: The information gathered in this section allows MainNerve to determine how well the networks and resources are protected technically and virtually. This will include procedures on allowing employees access to specific data required to do their jobs, information about encryption, anti-virus and anti-malware software, as well as information gleaned during the vulnerability scan and penetration test.

MainNerve will hold regular status meetings with key personnel to report on progress, discuss any issues that may have been identified, and solicit feedback and guidance related to the engagement. This will ensure that all interested parties are well informed as work progresses and any issues requiring immediate attention or further validation are promptly addressed.

Gap Analysis

MainNerve will interview key personnel identified by the customer, either by questionnaire or phone, and perform document reviews in accordance with NIST SP 800-30. Document reviews will provide the MainNerve risk assessment team with the basis on which to evaluate compliance with policies and procedures in order to ultimately identify potential shortfalls in the administrative, technical, and/or physical security posture.

Deliverables (* Excluded from Gap Analysis)

The following deliverables may be provided as part of the engagement depending upon services chosen:

  • Gap analysis results that include risk rating and assessment of items such as: physical safeguards, network resources inventoried, data protection measures, log monitoring and auditing.
  • *Risk rating results based on interview or questionnaire (High, Medium, Low, Risk number).
  • *The final report will provide information on the current assessment and findings regarding the customer’s security posture, recommended remediation, and a description of potential risk due to non-remediation.
  • *A “Crosswalk to Security” report will also be provided to assist the customer in developing a plan to mitigate risk. The findings will be presented as a strategic “Crosswalk” in the form of recommendations only. These recommendations are intended to assist the customer’s security posture. This includes items such as: recommended security roles, how to evaluate key security policies and controls on an ongoing basis, control implementation guidelines and internal review processes.
  • Remediation recommendations.

The deliverables will be provided to the customer via secure e-mail or through a secure website as mutually agreed. All final deliverables are shared only with customer-approved representatives.

VALUE-ADDED SERVICES

Network Penetration Testing

Network penetration testing assists with the identification and examination of vulnerabilities for external, Internet-facing and internal, intranet systems. A network pen test will help determine whether an attack can exploit and compromise targeted systems. Take the next step to improving your business’ security with a network pen test.

Compliance Solutions

MainNerve’s compliance solutions are designed to help fill one of the biggest challenges for businesses: staying in alignment with the exhaustive list of Governance, Risk Management, and Compliance (GRC) requirements. From PCI DSS and HIPAA, to CJIS and FINRA, MainNerve can help your business navigate the GRC landscape with specialized penetration tests.

Social Engineering

Social engineering, in the context of information security, is commonly defined as the use of persuasion and/or manipulation techniques in order to influence people into performing actions or divulging confidential information. Ensure that your business is secure by testing and evaluating your employees against general phishing and “spear-phishing” attacks.