HIPAA Security Risk Assessments

Our experts have in-depth knowledge of the HIPAA Security Rule and regulatory expectations from their prior roles with some of the largest, most prominent healthcare systems and hospital associations in the nation. They also bring years of frontline experience with real-world corporate, data breach and investigative matters. They know your challenges well. 

This unique vantage point ensures we assess strengths and risks in the context of your operational priorities, risk tolerances and threat landscape. We have the knowledge and resources to review your organization’s information security program end-to-end, from policies and procedures to human factor influences to technical controls.

In this way, we deliver a highly nuanced HIPAA risk analysis that is appropriate for your specific organization. We also provide pragmatic insights for proactive or remedial strategies that can strengthen your cyber resiliency.

HIPAA Assessment Methodology Goes Broad and Deep

In their Summary of the HIPAA Security Rule, government regulators were clear and direct when it comes to risk assessments (emphasis ours):

“Risk analysis should be an ongoing process, in which a covered entity:

• regularly reviews its records to track access to ePHI and detect security incidents;
• periodically evaluates the effectiveness of security measures put in place; and
• regularly re-evaluates potential risks to ePHI.”

With security risk bound up in virtually every aspect of patient care and modern healthcare operations, Kroll’s HIPAA security risk assessments go broad and deep. Our methodology continually incorporates the most current learnings on cyber risk trends and threats, so you can be more confident in the accuracy and thoroughness of the risk profile we develop for your organization.  

Kroll follows a rigorous, proven process in conducting your HIPAA Risk Assessment. Throughout the analysis, we will interview key technical and business stakeholders to develop a more complete picture of your organization’s cyber security preparedness and vulnerabilities:

• Collect Data – Review policies, procedures, previous security reports, etc., to determine the security controls, processes and technology solutions in place to protect ePHI.
• Assess Current Security Measures – Analyze current security measures to determine if these controls, processes and technology solutions are aligned with the requirements of the HIPAA Security Rule’s administrative, physical and technical safeguards.
• Identify Security Risks to ePHI – Document gaps in controls, processes and technology solutions using the NIST Cybersecurity Framework as guidance (described below). We will also recommend potential safeguards and solutions to reduce the risks we identify.
• Prioritize Security Risks – Risk-rank findings in terms of likelihood of occurrence and impact to compromise the confidentiality, integrity or availability of ePHI and, therefore, should be addressed first.

Case Study

Kroll HIPAA risk assessment helps regional healthcare system enhance cyber resiliency enterprise-wide

When a large regional healthcare system asked Kroll to conduct a HIPAA risk assessment, their goals went beyond regulatory compliance. They also wanted in-depth, pragmatic guidance around security implementations that would help mature the organization’s overall cyber resiliency. This included a focus on identifying gaps in the organization’s cyber risk management program to assess the capability to identify and respond to modern cyber threats.

What Kroll Did?

Kroll utilized the National Institute of Standards and Technology (NIST) Framework to evaluate the maturity of the organization’s information security program. Our risk analysis methodology included developing a customized assessment strategy to identify the cyber security risks unique to the organization.

• Evaluated threat defenses and detection mechanisms by considering the technical security controls in place such as firewalls, intrusion detection, anti-virus software and log management.

• Reviewed policies and procedures addressing “human risk factors,” including security policy development and adherence, user awareness, analytics on collected security data and data classification programs.

• Developed a roadmap of recommendations for risks prioritized by probability and impact to support ongoing compliance with HIPAA standards while concurrently enhancing cyber security throughout the enterprise. Our suggested improvements covered topics such as user termination processes, password policies, remote access/multifactor authentication and accessibility of PHI on printers, desks, electronic displays, etc.

*As the DHHS Office for Civil Rights noted in its HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework, “Although all Security Rule administrative, physical, and technical safeguards map to at least one of the NIST Cybersecurity Framework Subcategories, other Security Rule standards, such as specific requirements for documentation and organization, do not.” Kroll has accounted for these control gaps in other areas of our assessment.