Cyber Risk

HIPAA Security Risk Assessments

Kroll’s HIPAA security risk assessments are unique in how they help you meet HIPAA standards.

 

Our experts have in-depth knowledge of the HIPAA Security Rule and regulatory expectations from their prior roles with some of the largest, most prominent healthcare systems and hospital associations in the nation. They also bring years of frontline experience with real-world corporate, data breach and investigative matters. They know your challenges well. 

This unique vantage point ensures we assess strengths and risks in the context of your operational priorities, risk tolerances and threat landscape. We have the knowledge and resources to review your organization’s information security program end-to-end, from policies and procedures to human factor influences to technical controls.

In this way, we deliver a highly nuanced HIPAA risk analysis that is appropriate for your specific organization. We also provide pragmatic insights for proactive or remedial strategies that can strengthen your cyber resiliency.

HIPAA Assessment Methodology Goes Broad and Deep

In their Summary of the HIPAA Security Rule, government regulators were clear and direct when it comes to risk assessments (emphasis ours):

“Risk analysis should be an ongoing process, in which a covered entity:

  • regularly reviews its records to track access to ePHI and detect security incidents;
  • periodically evaluates the effectiveness of security measures put in place; and
  • regularly re-evaluates potential risks to ePHI.”

With security risk bound up in virtually every aspect of patient care and modern healthcare operations, Kroll’s HIPAA security risk assessments go broad and deep. Our methodology continually incorporates the most current learnings on cyber risk trends and threats, so you can be more confident in the accuracy and thoroughness of the risk profile we develop for your organization.  

Kroll follows a rigorous, proven process in conducting your HIPAA Risk Assessment. Throughout the analysis, we will interview key technical and business stakeholders to develop a more complete picture of your organization’s cyber security preparedness and vulnerabilities:

  • Collect Data – Review policies, procedures, previous security reports, etc., to determine the security controls, processes and technology solutions in place to protect ePHI.
  • Assess Current Security Measures – Analyze current security measures to determine if these controls, processes and technology solutions are aligned with the requirements of the HIPAA Security Rule’s administrative, physical and technical safeguards.
  • Identify Security Risks to ePHI – Document gaps in controls, processes and technology solutions using the NIST Cybersecurity Framework as guidance (described below). We will also recommend potential safeguards and solutions to reduce the risks we identify.
  • Prioritize Security Risks – Risk-rank findings in terms of likelihood of occurrence and impact to compromise the confidentiality, integrity or availability of ePHI and, therefore, should be addressed first.
 
Case Study

Kroll HIPAA risk assessment helps regional healthcare system enhance cyber resiliency enterprise-wide

When a large regional healthcare system asked Kroll to conduct a HIPAA risk assessment, their goals went beyond regulatory compliance. They also wanted in-depth, pragmatic guidance around security implementations that would help mature the organization’s overall cyber resiliency. This included a focus on identifying gaps in the organization’s cyber risk management program to assess the capability to identify and respond to modern cyber threats.

What Kroll Did?

Kroll utilized the National Institute of Standards and Technology (NIST) Framework to evaluate the maturity of the organization’s information security program. Our risk analysis methodology included developing a customized assessment strategy to identify the cyber security risks unique to the organization.

  • Evaluated threat defenses and detection mechanisms by considering the technical security controls in place such as firewalls, intrusion detection, anti-virus software and log management.
  • Reviewed policies and procedures addressing “human risk factors,” including security policy development and adherence, user awareness, analytics on collected security data and data classification programs.
  • Developed a roadmap of recommendations for risks prioritized by probability and impact to support ongoing compliance with HIPAA standards while concurrently enhancing cyber security throughout the enterprise. Our suggested improvements covered topics such as user termination processes, password policies, remote access/multifactor authentication and accessibility of PHI on printers, desks, electronic displays, etc. 

NIST Cybersecurity Framework for HIPAA Security Rule Assessment*

Identify

  • Asset Management
  • Business Environment
  • Governance
  • Risk Assessment
  • Risk Management Strategy

Protect

  • Awareness Training
  • Data Security
  • Information Protection Processes and Procedures
  • Maintenance
  • Protective Technology

Detect

  • Anomalies and Events
  • Security Continuous Monitoring
  • Detection Processes

Respond

  • Response Planning
  • Communications
  • Analysis
  • Mitigation
  • Improvements

Recover

  • Recovery Planning
  • Improvements
  • Communications
  • Provide Technology and Policy Remediation Recommendations

*As the DHHS Office for Civil Rights noted in its HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework, “Although all Security Rule administrative, physical, and technical safeguards map to at least one of the NIST Cybersecurity Framework Subcategories, other Security Rule standards, such as specific requirements for documentation and organization, do not.” Kroll has accounted for these control gaps in other areas of our assessment.

Talk to a Kroll HIPAA Security Expert

Our HIPAA Security Rule experts know what it’s like to walk in your shoes. We understand the imperative for protecting ePHI as well as the challenges of integrating HIPAA-compliant information security into everyday business practices. Cyber threats are continually evolving, and your risks may be significantly different from your last assessment. Talk with one of our experts today.  

/en/services/cyber-risk/prepare-and-prevent/cyber-risk-assessments/hipaa-security-risk-assessments /-/media/kroll/images/banners/services/jpg/desktop/cyber-risk.ashx service

Related Services

Cyber Risk

Cyber Risk

End-to-end cyber security services provided by unrivaled experts.

Cyber Risk
Cyber Risk

Cyber Risk Assessments

Delivering actionable recommendations using the best technology and expertise available.

Cyber Risk Assessments

Insights