The Datamax Thinking Blog

Educating, collaborating, and sparking ideas for maximizing the technology that matters.

Who Needs a Cybersecurity Risk Assessment? You.


You want to be HIPAA-compliant? You need to perform a risk assessment with the help of a Certified HIPAA Professional (CHP).

It's impossible to watch the news without weekly revelations of some new data breach – Target, Equifax, the WannaCry virus, and even teddy bears have been in the news.

As cybercrime continues to pay, attacks and breaches will continue and will especially affect unprepared businesses.

One industry is squarely in the crosshairs of hackers – healthcare.

Healthcare providers, payers, and clearinghouses, as well as their business associates and those associates' subcontractors, all must comply with HIPAA.

There is no HIPAA-in-a-box solution!

There are technologies that can help you implement your HIPAA-compliance strategy, but you can't buy HIPAA compliance.

And breaches that affect patients are starting to cause real pain for organizations. A quick look at the Healthcare IT News site reveals a growing number of fines, including a $2.5 million fine for CardioNet. A stolen laptop from an employee's car contained data for 1,391 patients. The company had not implemented – or even completed – plans for safeguarding protected health information (PHI).

Do you have $2.5 million to spare for a fine, when the safeguards that would have prevented it could have been implemented for less than that?

Assess Your Risk

Many companies don't know how at risk they are – a lot? Hardly at all? Somewhere in between?

That's why a cybersecurity assessment is so useful. By discovering the gaps and cracks in your security and the ways you could lose PHI (protected health information) to a data breach, you can prioritize and take steps to present a nearly impenetrable wall to hackers. I say “nearly” because there is no such thing as 100% information security; it doesn't exist, regardless of what advertising and marketing might try to convince you of.

How important is assessing risk? The HIPAA Security Rule mandates it, “Organizations must conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its electronic PHI.”

This isn't just an exercise performed on paper or whiteboards; a technical review also needs to be completed.

ecfirst, a provider of compliance and security training and solutions, outlines seven steps to enterprise HIPAA compliance:

  1. Security responsibility
  2. Risk analysis
  3. Security strategy and policies
  4. Remediate
  5. Business associate (BA) supply chain
  6. Training
  7. Evaluate

Assessing Risk: Getting Started

The first step is to gather documentation; a partial list includes:

  • Security plan
  • Any previous risk analysis
  • Vulnerability planning and most recent scan results
  • Network penetration testing policy and procedure and most recent results
  • Encryption measures
  • User access rules and processes
  • Physical security
  • Data backup strategy and procedures
  • PII policies and procedures, including staff org chart with compliance responsibilities

Risk Assessment: What Needs to Be Assessed?

Great, you're thinking. What specifically do I need to assess? Here's a list:

  1. Document regulations and standards that your business is mandated to comply with (privacy, security, Federal or state)
  2. Assess policies
  3. Assess procedures
  4. Review asset management process and documents
  5. Review vendor agreements
  6. Assess deployed security controls
  7. Identify missing security controls
  8. Assess the state of encryption implementation
  9. Review cloud security for deployed apps and PII/PHI
  10. Conduct a technical vulnerability assessment for both external and internal threats
  11. Conduct wireless assessment
  12. Review firewall architecture and configuration
  13. Review mission-critical applications and their security
  14. Assess requirements for penetration testing
  15. Evaluate risk management program
  16. Assess quality and depth of security awareness training
  17. Review information security skill capabilities
  18. Assess executive priority and reporting structure for security and compliance

Next Steps

I know; the preceding is an intimidating list, but a Datamax Certified HIPAA Professional (CHP) can most certainly help!
