Professional Healthcare Services
Information Security, Data Privacy, and Compliance Practice Areas
Securing PHI for Covered Entities, Business Associates, and Software & Solutions Vendors
A Risk Analysis is an assessment of the risks and vulnerabilities to any sensitive information, such as ePHI, that your organization creates, collects, stores, processes, transmits, archives, or shares with others. A Risk Analysis may be required by federal or state law, by a mandate, or by an organization with which you do business.
A foundational requirement of HIPAA, the HITECH Act, and Meaningful Use is that every Covered Entity and Business Associate "Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity or business associate" (the Risk Analysis implementation specification of the Security Rule, 45 CFR 164.308(a)(1)(ii)(A)).
A technical vulnerability test gives staff the tactical information they need to remediate vulnerabilities quickly and accurately. RISC reporting clearly identifies each vulnerability and, wherever it is available, the remediation steps and supporting information. The assessment report also provides an overview of the state of security, a relative rating of impact and risk, and statistical and graphical summaries suitable for Executive and Board-level reporting.
HITECH Data Breach & Compliance
A Data Breach is, generally, an impermissible use or disclosure under the Privacy Rule that compromises the security or privacy of protected health information such that the use or disclosure poses a significant risk of financial, reputational, or other harm to the affected individual. Covered entities and business associates are required to provide notification only if the breach involved unsecured protected health information, that is, PHI that has not been rendered unusable, unreadable, or indecipherable to unauthorized persons (for example, through encryption) in accordance with HHS guidance.
Experts at RISC Management & Consulting can assist any organization, including covered entities and business associates, in determining whether a data breach has occurred, whether it must be reported, and how to report it.
Business Continuity Management
Covered Entities and Business Associates must address the HIPAA requirements of the Contingency Plan Standard, one of the Standards in the Administrative Safeguards (45 CFR 164.308(a)(7)).
A solid business continuity management program begins with a Business Impact Analysis (BIA) that assesses and documents the impact of a loss and determines the relative order of priority for key applications, vendors, and functions. A RISC Business Impact Analysis helps define and document key requirements such as the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for all of your technologies and, depending on the depth you choose, for key vendors and business processes as well. A BIA helps healthcare organizations address HIPAA's Applications and Data Criticality Analysis Implementation Specification.
Under this Standard, HIPAA also requires the development, and subsequent Testing and Revision, of a Disaster Recovery Plan; both are Implementation Specifications under the Standard. The technically focused Disaster Recovery Plan (DRP) establishes the resiliency, redundancy, and recovery techniques needed to get IT systems up and running as quickly as possible after an unexpected outage.
HIPAA also requires an Emergency Mode Operation Plan. This Plan addresses the continuation of critical business processes, and of the privacy and security controls that protect ePHI, while operating in emergency mode after a disaster. RISC team members are experts at integrating Emergency Mode Operation Planning into your Disaster Recovery Plan.
RISC can assist in developing these plans and in testing them. Tests expose incorrect assumptions and errors in the plans and lead to important updates and corrections, while producing a Test Report that demonstrates sustained effort in these areas. RISC Management BCP and DRP tests are an affordable way for your organization to learn whether these plans have been kept up to date and would be useful in an actual emergency, and to demonstrate compliance with HIPAA.
Contact RISC for assistance with:
Business Impact Analysis (BIA) or Applications and Data Criticality Analysis
Business Continuity Planning
Disaster Recovery Planning
Emergency Mode Operation Planning
Testing, Exercising, and Revising Plans
Security Policy Development, Review, & Assessment
Data privacy and information security policies state an organization's intent to comply with legal and industry requirements and mandates. Policies inform employees, partners, customers, and legal bodies of the organization's commitment to compliance and adherence to the law. Policies should include several key sections, yet should not contain sensitive company information from which internal technologies or controls could be inferred.
Procedures are typically confidential and help members of the workforce understand how they should comply with the policies.
If your organization has already developed substantial security policies, RISC can assess and edit those policies and assist in creating Procedures to support the Policies and Control Mechanisms to ensure adherence to them.
Social Engineering Assessment
Social engineering is essentially the art of gaining access to buildings, offices, systems, or data by exploiting human psychology, for example with fake business cards or ID cards, rather than by breaking in or using technical hacking techniques. Instead of searching for a software vulnerability, a social engineer might call an employee, pose as an IT support person, and try to trick the employee into divulging a password. All of this is performed by experts in the field, and with permission, of course!
Our experts use social engineering techniques to find where a company is vulnerable, often in plain sight of company employees.
Social Engineering tests are a safe, controlled way to test an organization's physical security controls and employees' willingness to challenge unauthorized parties. A RISC Social Engineering test gives management an honest assessment of the actual security of their sensitive spaces, assets, and information.
Risk Mitigation & Management
Once an organization has identified risk through a risk analysis, technical vulnerability assessment, or social engineering test, those risks and vulnerabilities must be managed and ultimately reduced or eliminated.
RISC can assist your organization in addressing identified risk through planning and remediation activities. RISC will guide you through the options available for treating risks and vulnerabilities, including:
Eliminating the risk by preventing the risky activity;
Reducing risk through implementation and monitoring of controls;
Transferring the risk to a third party; or
Knowingly and objectively accepting the risk, fully documenting the reasoning in support of future audit activities.
RISC can also develop tools to help you manage and mitigate risk, from project planning through architecture and roadmaps. Let the experts at RISC assist you.
Meaningful Use Attestation
To qualify for Meaningful Use incentives, CMS identified a core set of 14 Meaningful Use objectives on which eligible hospitals (EHs) must focus, and 15 core objectives on which eligible professionals (EPs) must focus, to earn incentive funds provided through the CMS Medicare and Medicaid EHR Incentive Programs.
Core Measure 14 for Eligible Hospitals and Core Measure 15 for Eligible Professionals require these organizations to "Attest Yes to having conducted or reviewed a risk analysis in accordance with the requirements under 45 CFR 164.308(a)(1) and implemented security updates as necessary and corrected identified security deficiencies prior to or during the EHR reporting period to meet this measure."
RISC has extensive experience assisting EHs and EPs in meeting this requirement to protect ePHI.