Our IT risk assessment reviews the effectiveness of security controls and gives recommendations on ways to ensure a proper level of risk mitigation. In addition to the typical information systems infrastructure, a HIPAA-focused risk assessment addresses specific security needs of healthcare organizations including, but not limited to:
The process begins with interviews with key customer personnel. We use this information to develop a framework to represent the operational assets of the organization, as well as the threats that pose risk to those assets. Our analysts then perform a detailed controls examination to understand how the organization protects its assets and where there is room for improvement. After these exercises are complete, we present an extensive report to outline the risks identified and offer recommendations for reducing risk.
What is the difference between an audit and a risk assessment?
A risk assessment reports the residual risk that remains after evaluating the threats to your assets and your current mitigating controls, whereas an audit tests and proves that you have implemented the prescribed and asserted controls. An audit is usually conducted by an independent party after the organization.
Will this make me HIPAA Compliant?
Risk assessments are an essential part of your information security program and are required by HIPAA. However, a risk assessment is not designed to report compliance. Compliance can be verified by an independent audit or HIPAA compliance gap analysis.
What is included in “IT security”?
Information technology is one element of your information systems, but there are usually physical, procedural, and personnel-related elements too. Combined, these encompass your Information Security program, which includes IT Security.
I have a vendor who manages my IT, and they assure me that they are HIPAA compliant. Do I still need a Risk Assessment?
An organization can outsource services, including management of information systems, but you cannot outsource the “responsibility” for protection of your data. Organizations must have a means to verify the vendor's or service provider's compliance with prescribed security controls. This is typically achieved through independent audits, monitoring, and periodic vendor/provider reviews.
Will this Risk Assessment look at both ePHI and PHI?
This Risk Assessment will look at information protection in both physical and electronic form.
Will this Risk Assessment cover personal employee devices brought to work?
This depends on whether these devices are used to access business information.
How much interference will this cause in my day to day operations?
Aside from interviews with key stakeholders, this service causes little to no disruption to normal business activities.
What kind of physical access do you need?
No type of physical access is necessary. We can perform risk assessments remotely or on-site depending upon customer preference.
How often should I get a risk assessment?
Risk assessments should be done upon major changes to the processes or information systems, and at least once per year.
Who do you need to talk to in my organization?
Any stakeholder with knowledge of the technical, procedural, and physical controls employed by the organization to protect information.
Are you going to look at my policies?
A policy document may be reviewed at the client's request in order to gain insight into any particular policy, process or control.