HIPAA Risk Assessment

Home>Cyber Security Services>HIPAA Risk Assessment
HIPAA Risk Assessment

HIPAA Risk Assessment Services

The U.S. Department of Health and Human Services (HHS) says, “Risk analysis should be an ongoing process, in which a covered entity regularly reviews its records to track access to e-PHI and detect security incidents, periodically evaluates the effectiveness of security measures put in place, and regularly reevaluates potential risks to e-PHI.” To be compliant, it should be conducted or reviewed annually and revisited any time there is a change in the operating or technical environment. Conducting a HIPAA Risk Assessment supports awareness and development of data security programs, allowing you to achieve business goals. 

NIST-Based Methodology

CynergisTek uses a NIST-based methodology when conducting a HIPAA Risk Assessment, as OCR’s guidance on requirements for risk analysis points to recommendations and guidelines established by NIST for conducting a risk analysis. CynergisTek’s stand-alone assessment combines several of our individual security and technical tests into a single engagement aimed specifically at addressing the requirement for a risk assessment and ongoing risk management. We also offer a HIPAA Risk Assessment as part of a comprehensive compliance management program, Compliance Assist Partner Program (CAPP).

Report of Findings & Trending Data

After data collection, we provide a detailed report of findings, observations, recommendations, and remediation steps. CynergisTek also provides personalized trending data for our repeat customers that will help assess the overall program maturity.

Our Experts are Waiting!

Contact us to learn more about our HIPAA risk assessment and how we can help your organization.

HIPAA Risk Assessment Components

As part of the requirements under HIPAA and the “technical controls evaluation” (see § 164.312(b) and others), our HIPAA Risk Assessment includes a vulnerability assessment to document the current state of your technical environment, through vulnerability scanning (we use QualysGuard). This external and internal assessment will identify and rank the vulnerabilities based on your preference (by asset, IP, type, etc.) and allow your team to address them through your risk management process. For organizations that do not have a formal program, this is a great solution to see where your processes currently sit, but also document and help justify a potential purchase or managed service relationship.

Learn More

Our philosophy for evaluating how your overall technical environment is being managed includes the EAA to look at the root causes that might be creating issues or risks in your environment. Some vendors just do a simple scan, which is a point-in-time review that does not address what root causes may be the source of your vulnerabilities. In our assessment, we will interview the key stakeholders, review your processes and document our findings. In addition, we will review the maturity of your program to determine areas of improvement but also help with a peer comparison against organizations of your size and business type.
Learn More

During the course of conducting the Wireless Security Assessment, CynergisTek will look for and enumerate access points across your environment. We will document everything we find, both known and unknown access points, and evaluate your overall management of your Wireless infrastructure against best practices and your compliance requirements.

Learn More

The Cybersecurity Program Assessment serves as a foundation portion of the Risk Assessment process and evaluates your administrative and physical safeguards against the HIPAA Security Rule. However, this is not just a simple gap analysis. We evaluate the maturity of your controls against the NIST CSF, using the COBIT Maturity Model (similar to the CMMI and other models), to document your compliance and your overall maturity. This additional level of review, that is gained through evidence collection and onsite interviews, gives your organization much more information and knowledge to make better decisions about what risks to focus on first.

Learn More

CynergisTek’s Meaningful Use EHR Technical Security Controls Assessment, in conjunction with a Risk Assessment, will provide you with a deliverable you can use for your attestation process. To gather data for the assessment CynergisTek will conduct interviews and working sessions with key stakeholders as part of an independent verification and validation of each of the privacy and security controls associated with the certified EHR necessary to demonstrate meaningful use. Interviews and working sessions focus on the demonstration of compliance that each functionality exists, is enabled, performs properly, and that there is a documented process around it to ensure its use.

Learn More

What Our Clients Say

A CIO’s mission should be to protect patient privacy through the continual improvement of security programs. Having CynergisTek conduct an annual risk assessment supports my team as we work towards this mission by identifying vulnerabilities, analyzing risk, and revealing trends that might have gone unnoticed without them.

Chuck Podesta, Chief Information Officer, University of California, Irvine

Related Resources