HIPAA Security Risk Assessment - modified for small, medium and large organizations

Cyber Tygr’s HIPAA Security Risk Assessment supports the identification and implementation of safeguards that comply with and carry out the standards and implementation specifications in the HIPAA Security Rule.

We have combined our technical, physical and administrative assessment services to create our flagship offering, the HIPAA Security Risk Assessment. This integrated service establishes the confidentiality, integrity and availability of our client’s electronic protected health information while providing a tailored measurable method of achieving HIPAA compliance.

We understand there is not a one-size-fits-all blueprint for compliance with the Security Rule requirement. Rather, our service considers the size and complexity of your healthcare organization then leverages industry standards for good business practices and applies them to secure e-PHI that is created, received, maintained or transmitted.

HIPAA Security Rule Requirements

The HIPAA Security Rule classifies implementation specifications into two categories, required and addressable. The Addressable rules allow for flexibility in implementing and documenting reasonable and appropriate equivalent measures, but it is not optional. The Addressable rules allow for flexibility in implementing and documenting reasonable and appropriate equivalent measures, but are not optional.

Why is a Risk Analysis Required under HIPAA

All e-PHI created, received, maintained or transmitted by an organization is subject to the HIPAA Security Rule. The Security Rule requires entities to evaluate risks and vulnerabilities in their environments and to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the confidentiality, integrity and availability of e-PHI. The Risk Analysis, required under HIPAA, is the first step in this process.

A HIPAA Risk Analysis creates an accurate and thorough evaluation of the potential risks and likelihood vulnerabilities will be exploited, negatively impacting the confidentiality, integrity, and availability of Patient Health Information (PHI). The risk management process, which is a response to the Risk Analysis findings, is designed to implement security measures sufficient to reduce those risks and vulnerabilities to a reasonable and appropriate level.

The Department of Health and Human Services (HHS) has provided guidance for HIPAA Security Risk Assessments. As a baseline for a HIPAA Risk Analysis, HHS recommends the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) with the crosswalk to HIPAA guidance. Cyber Tygr is a member of the HHS task force responsible for the development of the “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients” for small, medium and large healthcare organizations

Cyber Tygr Methodology

The array of compliance and security risks facing healthcare organizations is daunting and expanding. Cyber Tygr’s streamlined assessment process applies the NIST CSF methodology to the business mission of the healthcare organization. We start with the understanding that every organization is unique. The CSF lays out the organization’s risk landscape while the methodology leverages a tailored profile, guiding how and what is assessed.

Organizations frequently underestimate the proliferation of PHI within their environments. When conducting a risk assessment, an organization must identify all PHI created, maintained, received or transmitted. PHI locations needing review include EHRs, billing systems, documents, spreadsheets, database systems, web servers, fax servers, multi-function printer networks, cloud based servers and medical device messaging apps.

Cyber Tygr's Risk Assessment is detailed, comprehensive, dynamic and customizable, allowing the organization to identify the categories of risk to which it may be exposed. The objective methodology determines the likelihood that vulnerabilities will be exploited by various threats and the impact on the identified risk. Both quantitative and qualitative values are generated, allowing management to support resource allocation decisions to mitigate potential threat events.


Cyber Tygr’s documented findings empower our Client’s Leadership Team with clear and comprehensive healthcare focused analysis, not simply computer generated reports. Our findings allow the Client to make informed risk management decisions regarding investment in mitigation. These business mission decisions have a critical impact on patient safety, revenue cycle, legal and regulatory risk exposure. The translation of cybersecurity nomenclature into a business focused, decision-making healthcare C-suite language is one of our hallmarks.

Risk Assessment Frameworks

Cyber Tygr supports many other frameworks or compliance standards as they relevant to the business mission. Below are examples of industry standouts we can incorporate as applicable:

The Risk Analysis

  • The first step in HIPAA Security Rule compliance
  • We support the OCR guidelines stating the NIST CSF and HIPAA crosswalk represents the industry standard for good practices for securing ePHI
  • Our methodology recognizes the analysis varies based on size, complexity and capabilities of the client
  • Required to implementation specifications of HIPAA Security Rule. - See 45 CFR §164.308(a)(1)(ii)(A)
  • HIPAA Risk Management Tool

Technical Assessment

  • A Technical Evaluation requires healthcare organizations to test how effective existing safeguards are and if they are working
  • These services can include Vulnerability Test, Penetration Test, Internet/Web and Wireless Test, Network Infrastructure Assessment and Security Awareness Assessment
  • HIPAA Risk Management Tool

Gap Analysis

  • Audit of Policies and Procedures
  • Audit of Reasonable and Appropriate Actions & Safeguards
  • Where is the organization not compliant
  • This Standard Evaluation must include Technical and Non-Technical aspects of the security program
  • Compliance Gap Analysis against the HIPAA Security Rule is required. - See 45 CFR §164.308(a)(8)
  • HIPAA Risk Management Tool

Medical Device Inventory

  • Integrate your biomedical device inventory into Cyber Tygr’s HIPAA Risk Management Tool
  • Manage device risk and remediation within comprehensive and complete Risk Analysis
  • Leverage Cyber Tygr’s automated medical device inventory feature for streamlined discovery
  • Document of electronic media devices with their threats and vulnerabilities required under - 45 CFR 164.306(a)(2) and 164.316(b)(1)(ii)
  • HIPAA Risk Management Tool

Risk Management

  • Provide remediation of risks and vulnerabilities to reasonable levels through administrative, technical and physical controls
  • Implement security measures and controls sufficient to reduce risks and vulnerabilities to acceptable levels.
  • Ongoing Risk Management is a requirement of the HIPAA Security Rule. - See 45 CFR §164.308(a)(1)(ii)(B)
  • HIPAA Risk Management Tool