Our experts have in-depth knowledge of the HIPAA Security Rule and regulatory expectations from their prior roles with some of the largest, most prominent healthcare systems and hospital associations in the nation. They also bring years of frontline experience with real-world corporate, data breach and investigative matters. They know your challenges well. 

This unique vantage point ensures we assess strengths and risks in the context of your operational priorities, risk tolerances and threat landscape. We have the knowledge and resources to review your organization’s information security program end-to-end, from policies and procedures to human factor influences to technical controls.

In this way, we deliver a highly nuanced HIPAA risk analysis that is appropriate for your specific organization. We also provide pragmatic insights for proactive or remedial strategies that can strengthen your cyber resiliency.

HIPAA Assessment Methodology Goes Broad and Deep

In their Summary of the HIPAA Security Rule, government regulators were clear and direct when it comes to risk assessments (emphasis ours):

“Risk analysis should be an ongoing process, in which a covered entity:

  • regularly reviews its records to track access to ePHI and detect security incidents;
  • periodically evaluates the effectiveness of security measures put in place; and
  • regularly re-evaluates potential risks to ePHI.”

With security risk bound up in virtually every aspect of patient care and modern healthcare operations, Kroll’s HIPAA security risk assessments go broad and deep. Our methodology continually incorporates the most current learnings on cyber risk trends and threats, so you can be more confident in the accuracy and thoroughness of the risk profile we develop for your organization.  

Kroll follows a rigorous, proven process in conducting your HIPAA Risk Assessment. Throughout the analysis, we will interview key technical and business stakeholders to develop a more complete picture of your organization’s cyber security preparedness and vulnerabilities:

  • Collect Data – Review policies, procedures, previous security reports, etc., to determine the security controls, processes and technology solutions in place to protect ePHI.
  • Assess Current Security Measures – Analyze current security measures to determine if these controls, processes and technology solutions are aligned with the requirements of the HIPAA Security Rule’s administrative, physical and technical safeguards.
  • Identify Security Risks to ePHI – Document gaps in controls, processes and technology solutions using the NIST Cybersecurity Framework as guidance (described below). We will also recommend potential safeguards and solutions to reduce the risks we identify.
  • Prioritize Security Risks – Risk-rank findings by likelihood of occurrence and by the impact a compromise would have on the confidentiality, integrity or availability of ePHI, so that the most significant risks are addressed first.

Case Study

Kroll HIPAA risk assessment helps regional healthcare system enhance cyber resiliency enterprise-wide

When a large regional healthcare system asked Kroll to conduct a HIPAA risk assessment, their goals went beyond regulatory compliance. They also wanted in-depth, pragmatic guidance around security implementations that would help mature the organization’s overall cyber resiliency. This included a focus on identifying gaps in the organization’s cyber risk management program to assess the capability to identify and respond to modern cyber threats.

What Kroll Did

Kroll utilized the National Institute of Standards and Technology (NIST) Framework to evaluate the maturity of the organization’s information security program. Our risk analysis methodology included developing a customized assessment strategy to identify the cyber security risks unique to the organization.

  • Evaluated threat defenses and detection mechanisms by considering the technical security controls in place such as firewalls, intrusion detection, anti-virus software and log management.
  • Reviewed policies and procedures addressing “human risk factors,” including security policy development and adherence, user awareness, analytics on collected security data and data classification programs.
  • Developed a roadmap of recommendations for risks prioritized by probability and impact to support ongoing compliance with HIPAA standards while concurrently enhancing cyber security throughout the enterprise. Our suggested improvements covered topics such as user termination processes, password policies, remote access/multifactor authentication and accessibility of PHI on printers, desks, electronic displays, etc.

NIST Cybersecurity Framework for HIPAA Security Rule Assessment*

Identify
  • Asset Management
  • Business Environment
  • Governance
  • Risk Assessment
  • Risk Management Strategy
Protect
  • Awareness Training
  • Data Security
  • Information Protection Processes and Procedures
  • Maintenance
  • Protective Technology 
Detect
  • Anomalies and Events
  • Security Continuous Monitoring
  • Detection Processes 
Respond
  • Response Planning
  • Communications
  • Analysis
  • Mitigation
  • Improvements 
Recover
  • Recovery Planning
  • Improvements
  • Communications
  • Provide Technology and Policy Remediation Recommendations 

*As the DHHS Office for Civil Rights noted in its HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework, “Although all Security Rule administrative, physical, and technical safeguards map to at least one of the NIST Cybersecurity Framework Subcategories, other Security Rule standards, such as specific requirements for documentation and organization, do not.” Kroll has accounted for these control gaps in other areas of our assessment.

Talk to a Kroll HIPAA Security Expert

Our HIPAA Security Rule experts know what it’s like to walk in your shoes. We understand the imperative for protecting ePHI as well as the challenges of integrating HIPAA-compliant information security into everyday business practices. Cyber threats are continually evolving, and your risks may be significantly different from your last assessment. Talk with one of our experts today.

Related Team

Jeff Macko
Associate Managing Director, Cyber Risk
Secaucus
