HIPAA Security Risk Assessments

Kroll’s HIPAA security risk assessments are unique in how they help you meet HIPAA standards.

Our experts have in-depth knowledge of the HIPAA Security Rule and regulatory expectations from their prior roles with some of the largest, most prominent healthcare systems and hospital associations in the nation. They also bring years of frontline experience with real-world corporate, data breach and investigative matters. They know your challenges well. 

This unique vantage point ensures we assess strengths and risks in the context of your operational priorities, risk tolerances and threat landscape. We have the knowledge and resources to review your organization’s information security program end-to-end, from policies and procedures to human factor influences to technical controls.

In this way, we deliver a highly nuanced HIPAA risk analysis that is appropriate for your specific organization. We also provide pragmatic insights for proactive or remedial strategies that can strengthen your cyber resiliency.

HIPAA Assessment Methodology Goes Broad and Deep

In their Summary of the HIPAA Security Rule, government regulators were clear and direct when it comes to risk assessments (emphasis ours):

“Risk analysis should be an ongoing process, in which a covered entity:

  • regularly reviews its records to track access to ePHI and detect security incidents;
  • periodically evaluates the effectiveness of security measures put in place; and
  • regularly re-evaluates potential risks to ePHI.”

With security risk bound up in virtually every aspect of patient care and modern healthcare operations, Kroll’s HIPAA security risk assessments go broad and deep. Our methodology continually incorporates the most current learnings on cyber risk trends and threats, so you can be more confident in the accuracy and thoroughness of the risk profile we develop for your organization.  

Kroll follows a rigorous, proven process in conducting your HIPAA Risk Assessment. Throughout the analysis, we will interview key technical and business stakeholders to develop a more complete picture of your organization’s cyber security preparedness and vulnerabilities:

  • Collect Data – Review policies, procedures, previous security reports, etc., to determine the security controls, processes and technology solutions in place to protect ePHI.
  • Assess Current Security Measures – Analyze current security measures to determine if these controls, processes and technology solutions are aligned with the requirements of the HIPAA Security Rule’s administrative, physical and technical safeguards.
  • Identify Security Risks to ePHI – Document gaps in controls, processes and technology solutions using the NIST Cybersecurity Framework as guidance (described below). We will also recommend potential safeguards and solutions to reduce the risks we identify.
  • Prioritize Security Risks – Risk-rank findings by their likelihood of occurrence and by the impact a compromise would have on the confidentiality, integrity or availability of ePHI, so that the highest-risk findings are addressed first.
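As an added illustration of the final two steps (identify and prioritize), the Python script below risk-ranks a set of constructed findings by likelihood and impact, records which of the ePHI confidentiality, integrity and availability properties each gap affects, and flags any Security Rule safeguard family the assessment produced no findings for. This is example code written for this page, not Kroll's assessment tooling; the 1-5 scales, the rating thresholds, the NIST CSF category mappings and every sample finding are assumptions.

```python
"""Risk-rank HIPAA Security Rule findings by likelihood and impact.

Added illustration, not Kroll's tooling. The 1-5 scales, the rating
thresholds, the NIST CSF mappings and every finding below are constructed
assumptions for this example.
"""
from dataclasses import dataclass

# HIPAA Security Rule safeguard families (45 CFR 164.308, .310, .312).
SAFEGUARDS = {"administrative", "physical", "technical"}
CIA = "CIA"  # confidentiality, integrity, availability of ePHI


@dataclass(frozen=True)
class Finding:
    finding_id: str
    description: str
    safeguard: str      # which Security Rule family the gap falls under
    csf_category: str   # NIST CSF category used to document the gap (assumed mapping)
    likelihood: int     # 1 = rare .. 5 = almost certain (assumed scale)
    impact: int         # 1 = negligible .. 5 = severe (assumed scale)
    cia: frozenset      # subset of {"C", "I", "A"} a compromise would affect


def validate(f: Finding) -> list:
    """Return a list of problems with a finding; an empty list means it is well-formed."""
    problems = []
    if f.safeguard not in SAFEGUARDS:
        problems.append(f"{f.finding_id}: unknown safeguard family {f.safeguard!r}")
    if not 1 <= f.likelihood <= 5:
        problems.append(f"{f.finding_id}: likelihood {f.likelihood} outside 1-5")
    if not 1 <= f.impact <= 5:
        problems.append(f"{f.finding_id}: impact {f.impact} outside 1-5")
    if not f.cia or not f.cia <= set(CIA):
        problems.append(f"{f.finding_id}: cia must be a non-empty subset of C/I/A")
    return problems


def risk_score(f: Finding) -> int:
    """Likelihood x impact on a 1-25 scale (assumed scoring model)."""
    return f.likelihood * f.impact


def risk_rating(score: int) -> str:
    """Map a 1-25 score onto a rating band (assumed thresholds)."""
    if score >= 16:
        return "Critical"
    if score >= 10:
        return "High"
    if score >= 5:
        return "Medium"
    return "Low"


def prioritize(findings: list) -> list:
    """Order findings so the ones to address first come first.

    Highest score wins; ties go to the higher impact, because harm to ePHI that
    is hard to reverse should outrank a merely frequent low-harm event; the
    finding id then keeps the output stable.
    """
    problems = [p for f in findings for p in validate(f)]
    if problems:
        raise ValueError("; ".join(problems))
    return sorted(findings, key=lambda f: (-risk_score(f), -f.impact, f.finding_id))


def coverage_gaps(findings: list) -> list:
    """Safeguard families with no findings at all.

    An empty family usually means the assessment did not look there, not that
    the family is clean, so it is reported as an assessment gap to close.
    """
    return sorted(SAFEGUARDS - {f.safeguard for f in findings})


def report(findings: list) -> list:
    """(id, score, rating, affected CIA properties) rows in priority order."""
    return [
        (f.finding_id, risk_score(f), risk_rating(risk_score(f)),
         "".join(c for c in CIA if c in f.cia))
        for f in prioritize(findings)
    ]


# Constructed sample findings of the kind the case study on this page describes.
SAMPLE_FINDINGS = [
    Finding("F-01", "Terminated workforce accounts stay enabled in the EHR for weeks",
            "administrative", "Information Protection Processes and Procedures",
            likelihood=4, impact=4, cia=frozenset("CI")),
    Finding("F-02", "Remote access to the EHR does not require multifactor authentication",
            "technical", "Identity Management and Access Control",
            likelihood=5, impact=5, cia=frozenset("CIA")),
    Finding("F-03", "Printed PHI left unattended on a shared-hallway printer",
            "physical", "Data Security",
            likelihood=3, impact=2, cia=frozenset("C")),
    Finding("F-04", "EHR access logs are retained but nobody reviews them",
            "technical", "Security Continuous Monitoring",
            likelihood=4, impact=3, cia=frozenset("CIA")),
    Finding("F-05", "Password policy allows 6-character passwords with no lockout",
            "technical", "Identity Management and Access Control",
            likelihood=3, impact=4, cia=frozenset("CI")),
]

if __name__ == "__main__":
    for row in report(SAMPLE_FINDINGS):
        print(*row, sep="\t")
    print("safeguard families with no findings:", coverage_gaps(SAMPLE_FINDINGS) or "none")
```

Two design choices are worth noting. Ties on the raw score are broken by impact rather than likelihood, so two findings that score 12 sort with the higher-impact one first. And an empty safeguard family is surfaced as a coverage gap instead of being read as "no risk", which is the more common reason a family has no findings.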

Case Study

Kroll HIPAA risk assessment helps regional healthcare system enhance cyber resiliency enterprise-wide

When a large regional healthcare system asked Kroll to conduct a HIPAA risk assessment, their goals went beyond regulatory compliance. They also wanted in-depth, pragmatic guidance around security implementations that would help mature the organization’s overall cyber resiliency. This included a focus on identifying gaps in the organization’s cyber risk management program to assess the capability to identify and respond to modern cyber threats.

What Kroll Did

Kroll used the National Institute of Standards and Technology (NIST) Cybersecurity Framework to evaluate the maturity of the organization’s information security program. Our risk analysis methodology included developing a customized assessment strategy to identify the cyber security risks unique to the organization.

  • Evaluated threat defenses and detection mechanisms by considering the technical security controls in place such as firewalls, intrusion detection, anti-virus software and log management.
  • Reviewed policies and procedures addressing “human risk factors,” including security policy development and adherence, user awareness, analytics on collected security data and data classification programs.
  • Developed a roadmap of recommendations for risks prioritized by probability and impact to support ongoing compliance with HIPAA standards while concurrently enhancing cyber security throughout the enterprise. Our suggested improvements covered topics such as user termination processes, password policies, remote access/multifactor authentication and accessibility of PHI on printers, desks, electronic displays, etc.

NIST Cybersecurity Framework for HIPAA Security Rule Assessment*

Identify
  • Asset Management
  • Business Environment
  • Governance
  • Risk Assessment
  • Risk Management Strategy

Protect
  • Awareness Training
  • Data Security
  • Information Protection Processes and Procedures
  • Maintenance
  • Protective Technology

Detect
  • Anomalies and Events
  • Security Continuous Monitoring
  • Detection Processes

Respond
  • Response Planning
  • Communications
  • Analysis
  • Mitigation
  • Improvements

Recover
  • Recovery Planning
  • Improvements
  • Communications
  • Provide Technology and Policy Remediation Recommendations

*As the DHHS Office for Civil Rights noted in its HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework, “Although all Security Rule administrative, physical, and technical safeguards map to at least one of the NIST Cybersecurity Framework Subcategories, other Security Rule standards, such as specific requirements for documentation and organization, do not.” Kroll has accounted for these control gaps in other areas of our assessment.

Talk to a Kroll HIPAA Security Expert

Our HIPAA Security Rule experts know what it’s like to walk in your shoes. We understand the imperative for protecting ePHI as well as the challenges of integrating HIPAA-compliant information security into everyday business practices. Cyber threats are continually evolving, and your risks may be significantly different from your last assessment. Talk with one of our experts today.

Penetration Testing Services

Validate your cyber defenses against real-world threats. Kroll’s world-class penetration testing services bring together front-line threat intelligence, thousands of hours of cyber security assessments completed each year and a team of certified cyber experts — the foundation for our sophisticated and scalable approach.

Web Application Penetration Testing Services

Assess the design, configuration and implementation of your web apps for critical vulnerabilities. Kroll’s scalable pen testing services consider the business case and logic of your apps, providing more coverage and an optimized program based on risk.

API Penetration Testing Services

Kroll’s certified pen testers find vulnerabilities in your APIs that scanners simply can’t identify. Protect your business and keep sensitive data secure by leveraging our knowledge and experience in testing modern API infrastructures.

Agile Penetration Testing Program

Integrated into your software development lifecycle (SDLC), Kroll’s agile penetration testing program is designed to help teams address security risks in real time and on budget.

Cloud Penetration Testing Services

Kroll’s team of certified cloud pen testers uncover vulnerabilities in your cloud environment and apps before they can be compromised by threat actors.

Application Security Services

Kroll’s product security experts upscale your AppSec program with strategic application security services catered to your team’s culture and needs, merging engineering and security into a nimble unit.

Red Team Security Services

Red team security services from Kroll go beyond traditional penetration testing, leveraging our frontline threat intelligence and the adversarial mindset used by threat actors to push the limits of your information security controls.

Application Threat Modeling Services

Kroll helps development teams design and build internal application threat modeling programs to identify and manage their most pressing vulnerabilities.

Cyber Risk Retainer

Kroll delivers more than a typical incident response retainer—secure a true cyber risk retainer with elite digital forensics and incident response capabilities and maximum flexibility for proactive and notification services.