HIPAA Security Risk Analysis
Required
Cyber Tygr’s HIPAA Security Risk Assessment supports the identification and implementation of safeguards that comply with and carry out the standards and implementation specifications in the HIPAA Security Rule.
We have combined our technical, physical and administrative assessment services to create our flagship offering, the HIPAA Security Risk Assessment. This integrated service establishes the confidentiality, integrity and availability of our client’s electronic protected health information while providing a tailored measurable method of achieving HIPAA compliance.
We understand there is no one-size-fits-all blueprint for compliance with the Security Rule's requirements. Rather, our service considers the size and complexity of your healthcare organization and then leverages industry standards for good business practices, applying them to secure e-PHI that is created, received, maintained or transmitted.
The HIPAA Security Rule classifies implementation specifications into two categories, required and addressable. The addressable specifications allow flexibility in implementing and documenting reasonable and appropriate equivalent measures, but they are not optional.
Required: 45 CFR §164.308(a)(1)(ii)(A)
Required: 45 CFR §164.308(a)(8)
Required: see 45 CFR §164.308(a)(8)
Required: 45 CFR §164.308(a)(1)(ii)(A) and 45 CFR §164.316(b)(1)
All e-PHI created, received, maintained or transmitted by an organization is subject to the HIPAA Security Rule. The Security Rule requires entities to evaluate risks and vulnerabilities in their environments and to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the confidentiality, integrity and availability of e-PHI. The Risk Analysis, required under HIPAA, is the first step in this process.
A HIPAA Risk Analysis produces an accurate and thorough evaluation of the potential risks and of the likelihood that vulnerabilities will be exploited, negatively impacting the confidentiality, integrity and availability of Protected Health Information (PHI). The risk management process, which responds to the Risk Analysis findings, is designed to implement security measures sufficient to reduce those risks and vulnerabilities to a reasonable and appropriate level.
The Department of Health and Human Services (HHS) has provided guidance for HIPAA Security Risk Assessments. As a baseline for a HIPAA Risk Analysis, HHS recommends the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) together with its crosswalk to the HIPAA Security Rule. Cyber Tygr is a member of the HHS task force responsible for developing the “Health Industry Cybersecurity Practices: Managing Threats and Protecting Patients” guidance for small, medium and large healthcare organizations.
The array of compliance and security risks facing healthcare organizations is daunting and expanding. Cyber Tygr’s streamlined assessment process applies the NIST CSF methodology to the business mission of the healthcare organization. We start with the understanding that every organization is unique. The CSF lays out the organization’s risk landscape while the methodology leverages a tailored profile, guiding how and what is assessed.
Organizations frequently underestimate the proliferation of PHI within their environments. When conducting a risk assessment, an organization must identify all PHI created, maintained, received or transmitted. PHI locations needing review include EHRs, billing systems, documents, spreadsheets, database systems, web servers, fax servers, multi-function printer networks, cloud based servers and medical device messaging apps.
Cyber Tygr's Risk Assessment is detailed, comprehensive, dynamic and customizable, allowing the organization to identify the categories of risk to which it may be exposed. The objective methodology determines the likelihood that vulnerabilities will be exploited by various threats and the resulting impact for each identified risk. Both quantitative and qualitative values are generated, allowing management to support resource allocation decisions to mitigate potential threat events.
Cyber Tygr’s documented findings empower our client’s leadership team with clear, comprehensive, healthcare-focused analysis, not simply computer-generated reports. Our findings allow the client to make informed risk management decisions regarding investment in mitigation. These business mission decisions have a critical impact on patient safety, the revenue cycle, and legal and regulatory risk exposure. Translating cybersecurity nomenclature into business-focused, decision-making language for the healthcare C-suite is one of our hallmarks.
Cyber Tygr supports many other frameworks and compliance standards as they are relevant to the business mission. Below are examples of industry standouts we can incorporate as applicable: