In the U.S., the HIPAA Security Rule requires that covered entities (CEs) and their business associates (BAs) conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI). The Office for Civil Rights (OCR) states that “conducting a risk analysis is the first step in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications in the Security Rule”. The Centers for Medicare & Medicaid Services (CMS) also stress the importance of performing a security risk analysis to safeguard ePHI and require it for incentive payment programs.
Risk analyses help organizations track access to ePHI, understand threats and vulnerabilities in the environment, evaluate the effectiveness of the security measures in place, and identify risks to ePHI and patient safety. They should be conducted or reviewed annually and revisited any time there is a change in the environment.
Some organizations may have internal risk management teams that perform regular risk analyses but want to engage a third party to perform the analysis on alternate years for an objective perspective on their risk exposure. Others may use a third party to conduct their annual risk analysis. Either way, a risk analysis for covered entities should include key elements in the environment such as medical devices and vendor risk.
Business associates must comply with the HIPAA risk analysis requirement, but they also need to meet customer requirements set out in business associate agreements, and they can use a risk analysis to demonstrate their security posture and improve their competitive position in the market. Both CEs and BAs must be able to produce proof of a risk analysis to demonstrate due diligence in the event of a data breach or an OCR audit. Failure to conduct an adequate risk analysis is one of the common findings in OCR audits.
Performing an accurate and thorough risk analysis requires a deep understanding of cybersecurity threats and vulnerabilities as well as knowledge of the healthcare environment and its associated applications. Organizations can leverage Coalfire’s healthcare experience and technical expertise to perform risk analyses. Our approach follows the NIST 800-30 risk assessment guidance and is customized based on our in-depth knowledge of the threats and vulnerabilities affecting health IT environments.
Risk analysis services include:
- Interviews with the organization’s subject matter experts
- An examination of documents, systems and facilities to determine and document the organization’s security risk exposure
- Technical testing of systems and applications to identify vulnerabilities
- An assessment of current security measures to determine the likelihood and potential impact of a threat occurrence
- A determination of risk level
- An executive summary report detailing Coalfire’s findings and recommended remediation actions
- A detailed report describing threats and vulnerabilities assessed along with a risk register for remediation tracking and risk management
- A periodic review and update to the risk analysis
Healthcare Risk Advisory Services
Coalfire provides advisory services to help remediate identified gaps and offers ongoing guidance on the security risk management of health data and medical devices. Our experts help augment risk management efforts to ensure best practices are followed and HIPAA risk analysis requirements are properly addressed.
Why Choose Coalfire for Healthcare Security Risk Analysis and Advisory?
- Coalfire’s risk management experts specialize in the healthcare industry, which provides a deep understanding of the risks facing healthcare organizations today.
- Our professionals maintain multiple security-related certifications, including HITRUST, HCISPP, CISSP, CRISC and CISA, which provide the technical expertise needed to understand HIPAA and other relevant regulations.
- Many of our risk analyses for covered entities and business associates have been reviewed and accepted during OCR audits.
- Our team participates in HHS, DHS, FBI (InfraGard) and FDA working groups to advance cybersecurity in healthcare at the federal level.
- Our experience working with hundreds of commercial and government organizations allows us to apply best practices in risk management to satisfy regulatory requirements.
- As part of our methodology, we apply an understanding of data complexity across all engagements, which provides confidence that sensitive data is assessed thoroughly and comprehensively in every environment.
- Coalfire is one of the original HITRUST CSF Assessor firms with years of experience certifying hundreds of healthcare organizations. This allows our practitioners to bring a more prescriptive approach to security risk analysis engagements.
- Our proven expertise in standards such as NIST, HITRUST, ISO, PCI, SOC and other frameworks, plus knowledge of regulations that may overlap with the HIPAA Security Rule, enables us to leverage existing efforts whenever possible to reduce duplication of effort and audit fatigue.