Risk analysis and risk management are critical to effectively planning an information security risk management program. The Health Insurance Portability and Accountability Act (HIPAA) Security Rule, the CMS/HHS Electronic Health Record Incentive Program (Meaningful Use Stages 1, 2 and 3), the MACRA Merit-based Incentive Payment System (MIPS), and the Payment Card Industry Data Security Standard (PCI DSS) all require organizations to maintain their information security programs by periodically assessing their information risks, identifying compliance gaps, and correcting security deficiencies as part of their risk management process.
For many organizations, conducting a risk analysis can be a daunting task. Our approach to risk analysis is based upon the guidance from the National Institute of Standards and Technology (NIST) and documents created by the Department of Health and Human Services (HHS) and/or the Centers for Medicare and Medicaid (CMS).
HIPAA and HITECH Risk Analysis Requirement
Regardless of its size, each organization is required to comply with HITECH and the HIPAA Security Rule risk analysis requirement. The Rule requires a risk analysis of all applications, including biomedical devices, that store ePHI, to assess the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI held by the covered entity or business associate, or on behalf of the covered entity or business associate.
Risk analysis is the process of identification of threats, controls, vulnerabilities, and the rating of potential risks so that limited resources (people, time, money) can be applied where most needed.
Risk management is the process of trying to reduce, mitigate, or manage risk to an acceptable level as determined by the business/process owners (who, in most cases, should not be IT staff).
A common abbreviation used today is GRC, which stands for Governance, Risk, and Compliance. Any safeguards and controls applied should be based upon one of those three drivers.
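To make the split between risk analysis (identify threats, vulnerabilities and existing controls, then rate the risk) and risk management (treat whatever exceeds the level the business owner accepts) concrete, here is an added example. It is not tw-Security's tooling or deliverable format; the 1-to-5 likelihood and impact scales, the assumption that each existing control lowers likelihood by one step, the rating thresholds, and the four-item inventory (an infusion pump, an EHR application, BYOD mobile devices and a backup share) are all constructed for illustration.

```python
"""Rate and prioritize information risks so limited resources go where most needed.

Added example, not tw-Security's method. Scales, control discount and the
sample inventory below are constructed assumptions.
"""
from dataclasses import dataclass, field

RATING_ORDER = {"Low": 0, "Medium": 1, "High": 2}


@dataclass
class Risk:
    asset: str                 # application, biomedical device or general support system
    threat: str
    vulnerability: str
    likelihood: int            # 1 (rare) .. 5 (almost certain), before existing controls
    impact: int                # 1 (negligible) .. 5 (severe) to C/I/A of ePHI
    controls: list = field(default_factory=list)  # existing safeguards already in place


def inherent_score(risk: Risk) -> int:
    """Likelihood x impact with no credit for existing controls."""
    return risk.likelihood * risk.impact


def residual_score(risk: Risk, reduction_per_control: int = 1) -> int:
    """Assumed model: each existing control lowers likelihood by one step, floor 1."""
    effective = max(1, risk.likelihood - reduction_per_control * len(risk.controls))
    return effective * risk.impact


def rating(score: int) -> str:
    """Map a 1..25 score onto a three-level rating (thresholds are constructed)."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def prioritize(risks, acceptable_level: str = "Low"):
    """Rank risks by residual score; flag those above the owner's acceptable level.

    Returns a list of (risk, residual, rating, needs_treatment) tuples, highest first.
    """
    ranked = sorted(risks, key=residual_score, reverse=True)
    result = []
    for r in ranked:
        score = residual_score(r)
        level = rating(score)
        needs_treatment = RATING_ORDER[level] > RATING_ORDER[acceptable_level]
        result.append((r, score, level, needs_treatment))
    return result


# Constructed sample inventory (assumption, not real assessment data).
SAMPLE_RISKS = [
    Risk("Infusion pump (biomedical device)", "Ransomware via flat network",
         "Unpatched embedded OS", likelihood=4, impact=5),
    Risk("EHR application", "Phishing credential theft",
         "Single-factor remote access", likelihood=4, impact=4,
         controls=["VPN", "Security awareness training"]),
    Risk("Clinician mobile devices (BYOD)", "Lost or stolen device",
         "Unencrypted local storage", likelihood=3, impact=4,
         controls=["MDM with remote wipe"]),
    Risk("Backup file share", "Data leakage",
         "Overly broad share permissions", likelihood=2, impact=3,
         controls=["Quarterly access review"]),
]


def treatment_count(risks, acceptable_level: str = "Low") -> int:
    """How many risks the business owner's acceptable level leaves untreated."""
    return sum(1 for _, _, _, needs in prioritize(risks, acceptable_level) if needs)


if __name__ == "__main__":
    print(f"{'Asset':38} {'Inherent':>8} {'Residual':>8} {'Rating':>7}  Treat?")
    for r, score, level, needs in prioritize(SAMPLE_RISKS, acceptable_level="Low"):
        print(f"{r.asset:38} {inherent_score(r):>8} {score:>8} {level:>7}  {'yes' if needs else 'no'}")
```

Changing `acceptable_level` is the risk-management decision: with "Low" the pump, the EHR and the BYOD devices all need treatment; with "Medium" only the pump does. The risk-analysis side (the scores) does not change, which is the point of keeping the two activities separate.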
All of tw-Security's risk analysis customers that have undergone a Meaningful Use audit have passed the security risk analysis requirement! Therefore, consider the advantages of engaging a certified security professional with a proven repeatable process, associated tools, and experience to assist you. Our risk analysis deliverables have been described as 'elegant'.
Some organizations are conducting an "analysis" that is primarily "compliance based" against the HIPAA Security Rule. Our approach to risk analysis is "risk based." Note that the following key words, none of which appear in the HIPAA Security Rule, each represent a threat, an area of risk concern, or a control:
- Hack, hacking, hacker
- Cyber attack, phishing, ransomware
- Text, texting, text messaging
- Portal, protocol, VPN, https
- System administrator
- Configuration management
- Leakage (data leakage)
- Biomed, biomedical
- Mobile, mobile devices, mobile device management, bring your own device (BYOD)
- Data loss prevention / Data loss protection
- Change control, change management
- Scanning, intrusion, penetration testing
- Telecommute, telemedicine, teleradiology
- Remote access, two-factor or dual-factor authentication
- Firewall, wireless
Our Risk Analysis and Risk Management services include:
- Conducting a risk analysis for applications, biomedical devices, and the general support systems
- Creating risk analysis documentation and reports
- Providing an objective assessment of the current security environment
- Providing knowledge transfer and training on the risk analysis and risk management process
- Meeting with key stakeholders to make recommendations, and obtain commitment for security safeguards
- Facilitating remediation planning to identify specific tasks, resources, and timelines required to address risks
- Providing recurring risk management assistance to support the process of trying to reduce, mitigate, or manage risk to an acceptable level as determined by the business/process owners