GA HITREC Risk Assessment - based on NIST 800-30 Management Guidelines
HIPAA Administrative Safeguards require a Risk Assessment to be performed at least once a year.
A Risk Assessment is the building block from which HIPAA Compliance begins. Here are the key components in this process.
Inventory all technology assets in your organization: Hardware - Software - Devices.
Consider whether or not the asset processes ePHI.
Hardware, Software, Devices and processes that handle ePHI
How data that contains ePHI is created, received, processed, or transmitted
The assets may be used in an operational or administrative capacity
Any software or computer program which processes, transmits or stores ePHI
We can help you identify a wide range of hardware and processes to include in the assessment
Identify Threats, Vulnerabilities and their impact on your ePHI.
Identify realistic threats and potential vulnerabilities
Vulnerability Scans and Penetration Testing are utilized
Assess current security controls and safeguards
Assess the probability of a threat attacking your ePHI, intentionally or unintentionally
Determine the likelihood and impact of a threat exploiting a vulnerability
Improve the policies, procedures and safeguards that process and protect your ePHI and control access to it.
Draft and update policies to improve data safeguards and security control enforcement
Prioritize improvements to address safeguards that are required
Prioritize improvements to correct vulnerabilities that are most pressing within the current availability of resources
Prevention is the opportunity for your organization to consider and document any additional measures you wish to take to address and reduce risk
We help you manage your need-versus-budget considerations and then implement "reasonable and appropriate improvements"