
Risk Analysis and Management

Risk analysis and risk management are critical to effectively planning an information security risk management program. The Health Insurance Portability and Accountability Act (HIPAA) Security Rule, the CMS/HHS Electronic Health Record Incentive Program (Meaningful Use Stages 1, 2 and 3), the MACRA Merit-based Incentive Payment System (MIPS), and the Payment Card Industry Data Security Standard (PCI DSS) all require organizations to maintain their information security programs by periodically assessing their information risks, identifying compliance gaps, and correcting security deficiencies as part of their risk management process.

For many organizations, conducting a risk analysis can be a daunting task. Our approach to risk analysis is based upon the guidance from the National Institute of Standards and Technology (NIST) and the documents published by the Department of Health and Human Services (HHS) and the Centers for Medicare &amp; Medicaid Services (CMS).

HIPAA and HITECH Risk Analysis Requirement

Regardless of its size, every covered entity and business associate is required to comply with the HITECH Act and the HIPAA Security Rule risk analysis requirement (45 CFR 164.308(a)(1)(ii)(A)). The Rule requires a risk analysis covering every application and system that stores, processes, or transmits ePHI, including biomedical devices, to assess the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the ePHI held by the covered entity or business associate, or held on its behalf.

Risk analysis is the process of identifying threats, vulnerabilities, and the controls already in place, and then rating the resulting risks so that limited resources (people, time, money) can be applied where they are most needed.

Our approach to risk analysis is risk-based rather than merely "compliance based" against the HIPAA Security Rule. None of the following terms appears in the Security Rule, yet each represents a threat, an area of risk concern, or a control that a realistic risk analysis must address:

  • Hack, hacking, hacker
  • Cyber attack, phishing, ransomware
  • Text, texting, text messaging
  • Portal, protocol, VPN, https
  • System administrator
  • Configuration management
  • Leakage (data leakage)
  • Biomed, biomedical
  • Mobile, mobile devices, mobile device management, bring your own device (BYOD)
  • Data loss prevention / Data loss protection
  • Change control, change management
  • Scanning, intrusion, penetration testing
  • Telecommute, telemedicine, teleradiology
  • Remote access, two-factor or dual-factor authentication
  • Firewall, wireless

Our Risk Analysis and Risk Management services include:
  • Conducting a risk analysis for applications, biomedical devices, and the general support systems
  • Creating risk analysis documentation and reports
  • Providing an objective assessment of the current security environment
  • Providing knowledge transfer and training on the risk analysis and risk management process
  • Meeting with key stakeholders to make recommendations, and obtain a commitment for security safeguards
  • Facilitating remediation planning to identify specific tasks, resources, and timelines required to address risks
  • Providing recurring risk management assistance to support the ongoing process of reducing, mitigating, or otherwise managing risk to an acceptable level as determined by the business/process owners
  • Defining and implementing an information security management system (ISMS)
  • Assessing the risk and compliance posture of a new entity prior to acquisition, as part of due diligence
  • Developing a risk analysis/risk management process to be followed organization-wide
  • Conducting risk analysis at the enterprise and/or at the entity level
  • Maintaining the risk register using any commercial off-the-shelf risk tool, or helping to develop one

