
Our experts have in-depth knowledge of the HIPAA Security Rule and regulatory expectations from their prior roles with some of the largest, most prominent healthcare systems and hospital associations in the nation. They also bring years of frontline experience with real-world corporate, data breach and investigative matters. They know your challenges well. 

This unique vantage point ensures we assess strengths and risks in the context of your operational priorities, risk tolerances and threat landscape. We have the knowledge and resources to review your organization’s information security program end-to-end, from policies and procedures to human factor influences to technical controls.

In this way, we deliver a highly nuanced HIPAA risk analysis that is appropriate for your specific organization. We also provide pragmatic insights for proactive or remedial strategies that can strengthen your cyber resiliency.

HIPAA Assessment Methodology Goes Broad and Deep

In their Summary of the HIPAA Security Rule, government regulators were clear and direct when it comes to risk assessments (emphasis ours):

“Risk analysis should be an ongoing process, in which a covered entity:

  • regularly reviews its records to track access to ePHI and detect security incidents;
  • periodically evaluates the effectiveness of security measures put in place; and
  • regularly re-evaluates potential risks to ePHI.”

With security risk bound up in virtually every aspect of patient care and modern healthcare operations, Kroll’s HIPAA security risk assessments go broad and deep. Our methodology continually incorporates the most current learnings on cyber risk trends and threats, so you can be more confident in the accuracy and thoroughness of the risk profile we develop for your organization.  

Kroll follows a rigorous, proven process in conducting your HIPAA Risk Assessment. Throughout the analysis, we will interview key technical and business stakeholders to develop a more complete picture of your organization’s cyber security preparedness and vulnerabilities:

  • Collect Data – Review policies, procedures, previous security reports, etc., to determine the security controls, processes and technology solutions in place to protect ePHI.
  • Assess Current Security Measures – Analyze current security measures to determine if these controls, processes and technology solutions are aligned with the requirements of the HIPAA Security Rule’s administrative, physical and technical safeguards.
  • Identify Security Risks to ePHI – Document gaps in controls, processes and technology solutions using the NIST Cybersecurity Framework as guidance (described below). We will also recommend potential safeguards and solutions to reduce the risks we identify.
  • Prioritize Security Risks – Risk-rank findings by their likelihood of occurrence and by the impact a compromise of the confidentiality, integrity or availability of ePHI would have, so that the highest-rated risks are addressed first.


Case Study

Kroll HIPAA risk assessment helps regional healthcare system enhance cyber resiliency enterprise-wide

When a large regional healthcare system asked Kroll to conduct a HIPAA risk assessment, their goals went beyond regulatory compliance. They also wanted in-depth, pragmatic guidance around security implementations that would help mature the organization’s overall cyber resiliency. This included a focus on identifying gaps in the organization’s cyber risk management program to assess the capability to identify and respond to modern cyber threats.

What Kroll Did

Kroll utilized the National Institute of Standards and Technology (NIST) Framework to evaluate the maturity of the organization’s information security program. Our risk analysis methodology included developing a customized assessment strategy to identify the cyber security risks unique to the organization.

  • Evaluated threat defenses and detection mechanisms by considering the technical security controls in place such as firewalls, intrusion detection, anti-virus software and log management.
  • Reviewed policies and procedures addressing “human risk factors,” including security policy development and adherence, user awareness, analytics on collected security data and data classification programs.
  • Developed a roadmap of recommendations for risks prioritized by probability and impact to support ongoing compliance with HIPAA standards while concurrently enhancing cyber security throughout the enterprise. Our suggested improvements covered topics such as user termination processes, password policies, remote access/multifactor authentication and accessibility of PHI on printers, desks, electronic displays, etc.


NIST Cybersecurity Framework for HIPAA Security Rule Assessment*

Identify
  • Asset Management
  • Business Environment
  • Governance
  • Risk Assessment
  • Risk Management Strategy

Protect
  • Awareness Training
  • Data Security
  • Information Protection Processes and Procedures
  • Maintenance
  • Protective Technology

Detect
  • Anomalies and Events
  • Security Continuous Monitoring
  • Detection Processes

Respond
  • Response Planning
  • Communications
  • Analysis
  • Mitigation
  • Improvements

Recover
  • Recovery Planning
  • Improvements
  • Communications
  • Provide Technology and Policy Remediation Recommendations

*As the DHHS Office for Civil Rights noted in its HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework, “Although all Security Rule administrative, physical, and technical safeguards map to at least one of the NIST Cybersecurity Framework Subcategories, other Security Rule standards, such as specific requirements for documentation and organization, do not.” Kroll has accounted for these control gaps in other areas of our assessment.

Talk to a Kroll HIPAA Security Expert

Our HIPAA Security Rule experts know what it’s like to walk in your shoes. We understand the imperative for protecting ePHI as well as the challenges of integrating HIPAA-compliant information security into everyday business practices. Cyber threats are continually evolving, and your risks may be significantly different from your last assessment. Talk with one of our experts today.  

Connect with us

Greg Michaels – Managing Director and Global Head of Proactive Services, Cyber Risk
Keith L Novak – Managing Director, Cyber Risk, New York
