Risk Assessment

HIPAA Risk Assessment

Comprehensive Security Risk Assessment

Our Security Risk Assessment service combines deep subject matter expertise in healthcare operations, information security, and regulatory compliance with industry-recognized frameworks and risk analysis methods. This independent, third-party assessment provides your leadership with a clear picture of cyber risk, recommendations to improve your overall risk posture, and a measure of compliance against regulatory obligations.

Risk Assessment Methodology

CynergisTek uses a NIST-based methodology when conducting a Risk Assessment, which combines a security program and technical assessment into a single engagement aimed specifically at addressing the regulatory requirements for a risk assessment and ongoing risk management. Our assessments are never performed by contractors, and our consultants are experts in the healthcare space who are experienced in the nuances of the industry.

Report of Findings & Trending Data

After data collection, we provide a detailed report of findings that includes observations and recommendations, along with a risk analysis workbook that gives an overall risk determination based on the likelihood and impact of your vulnerabilities. CynergisTek also provides a peer comparison against similar healthcare organizations, derived from the many assessments we perform each year. Repeat customers receive personalized trending data to help assess overall program maturity.

We also offer this Security Risk Assessment as part of a comprehensive compliance management program, Compliance Assist Partner Program (CAPP).

Our Experts are Waiting!

Contact us to learn more about our risk assessment service and how we can help your organization.

Program Assessment Components

The Cybersecurity Program Assessment serves as the foundation of the Risk Assessment process and evaluates your security controls against the HIPAA Security Rule or other requested compliance standards. This is not just a simple gap analysis: we also evaluate your controls against the NIST CSF and provide a maturity score using the COBIT Maturity Model (similar to CMMI and other models). This additional level of review, gained through evidence collection, onsite interviews, and physical walk-throughs, gives your organization the knowledge to make better risk-based decisions.

CynergisTek’s Promoting Interoperability (formerly Meaningful Use) Security Controls Assessment, in conjunction with a Risk Assessment, provides a deliverable you can use for your attestation process. To gather data for the assessment, CynergisTek conducts interviews and working sessions with key stakeholders as part of an independent verification and validation of each of the privacy and security controls associated with the certified EHR that are necessary to demonstrate meaningful use. Interviews and working sessions focus on demonstrating compliance: that each function exists, is enabled, performs properly, and has a documented process around it to ensure its use.

Technical Assessment Components

The Enterprise Architecture Assessment looks at how your organization builds, hardens, deploys, and patches assets such as network equipment, servers, workstations, printers, mobile devices, bio-medical devices, etc. In our assessment, we interview key stakeholders, review your processes, and document our findings. In addition, we review the maturity of your program to determine areas of improvement based on industry best practice recommendations.

During the Wireless Security Assessment, CynergisTek looks for and enumerates access points across your environment. We document known and unknown access points, validate wireless security configurations, and evaluate the overall management of your wireless infrastructure against best practices and your compliance requirements.

The vulnerability assessment documents the current state of your technical environment, both internally and externally. The scans identify both confirmed and potential vulnerabilities and rank them by criticality according to your preference (by asset, IP, type, etc.). For organizations that do not have a formal program, this is a practical way not only to see where your processes currently stand, but also to document and help justify a potential purchase or managed service relationship. For organizations that already have formal vulnerability programs, our process can validate the effectiveness of your current processes and procedures.

What Our Clients Say

A CIO’s mission should be to protect patient privacy through the continual improvement of security programs. Having CynergisTek conduct an annual risk assessment supports my team as we work towards this mission by identifying vulnerabilities, analyzing risk, and revealing trends that might have gone unnoticed without them.

Chuck Podesta, Chief Information Officer, University of California, Irvine

CynergisTek’s risk assessment services are vital for us. The vendor helps us meet a major HIPAA requirement; they help us do risk-based analysis of our programs and figure out where we stand. Their overall assessments of the maturity of our programs are very useful. These assessments let my management see what we are doing, where our strengths are, and where we need to improve.

KLAS performance report, Cybersecurity Services 2018: Achieving Outcomes Through Healthcare Knowledge and Tailored Services
