Recently, I had the opportunity to conduct a HIPAA/HITECH Risk Assessment for a regional healthcare provider. In this project, a HIPAA/HITECH compliance assessment was required prior to the risk assessment work.
After the project kick-off meeting, various meetings were held with business and IT application owners, and documents were collected and reviewed. The information gathered was entered into Caliber’s Security Process Management Suite (SPM), Compliance Communicator (BETA), using a HIPAA/HITECH Security Rule controls template (Figure 1).
As I moved through the 65 controls across the Administrative, Physical, Technical, Policy and HITECH Breach Notification Act sections, I selected the appropriate control response, added notes and attached supporting documents as evidence (Figure 2). When I was finished, I used the results to create a HIPAA/HITECH risk profile in Risk Communicator using the Risk Builder.
The Risk Builder (Figure 3) lets the assessor create risk profiles for individual controls, adding a description, threat agents, categories, actions, intent and asset type along with considering business drivers and security categories (Figure 4).
The assessor then specifies the likelihood and impact to arrive at a risk score for each control measure (Figure 5).
From here, a risk map (Figure 6) in heat map format is created along with a report (Figure 7).
Since each of the risks must be treated, I used the Project Builder (Figure 8) to create risk management projects and map them (Figure 9).
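As an added illustration of the workflow described above (risk profile per control gap, likelihood and impact combined into a score, placement on a heat map, and every risk mapped to a mitigation project), here is a small Python risk register. This is example code written for this post, not Caliber's own code or scoring model: the 1..5 scales, the multiplicative score, the High/Medium/Low bands, the control identifiers and the sample findings are all assumptions constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Assumed 1..5 ordinal scales for likelihood and impact (not the tool's own scales)
LEVELS = {1: "Very Low", 2: "Low", 3: "Medium", 4: "High", 5: "Very High"}


@dataclass
class Risk:
    """One risk profile for a control gap (fields mirror the profile described above)."""
    control_id: str            # constructed placeholder id, not a real HIPAA citation
    description: str
    threat_agents: List[str]
    asset_type: str
    likelihood: int            # 1..5
    impact: int                # 1..5

    def __post_init__(self) -> None:
        for name, value in (("likelihood", self.likelihood), ("impact", self.impact)):
            if value not in LEVELS:
                raise ValueError(f"{name} must be 1..5, got {value!r}")

    @property
    def score(self) -> int:
        # Assumed multiplicative scoring: 1..25
        return self.likelihood * self.impact


def rating(score: int) -> str:
    """Assumed banding of the 1..25 score into three treatment priorities."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def heat_map(risks: List[Risk]) -> Dict[Tuple[int, int], List[str]]:
    """5x5 grid keyed by (impact, likelihood); each cell lists the control ids landing there."""
    grid: Dict[Tuple[int, int], List[str]] = {(i, l): [] for i in range(1, 6) for l in range(1, 6)}
    for r in risks:
        grid[(r.impact, r.likelihood)].append(r.control_id)
    return grid


def render_heat_map(grid: Dict[Tuple[int, int], List[str]]) -> str:
    """Text rendering with impact rows (5 at top) and likelihood columns (1..5)."""
    header = "impact \\ likelihood " + " ".join(f"{l:>8}" for l in range(1, 6))
    lines = [header]
    for i in range(5, 0, -1):
        cells = [",".join(grid[(i, l)]) or "-" for l in range(1, 6)]
        lines.append(f"{i:>19} " + " ".join(f"{c:>8}" for c in cells))
    return "\n".join(lines)


def prioritise(risks: List[Risk]) -> List[Risk]:
    """Highest score first; ties broken by control id so the order is stable."""
    return sorted(risks, key=lambda r: (-r.score, r.control_id))


def build_projects(risks: List[Risk], mapping: Dict[str, str]) -> Dict[str, List[Risk]]:
    """Group risks into mitigation projects. Every risk must be treated, so an
    unmapped control id is an error rather than a silently dropped risk."""
    projects: Dict[str, List[Risk]] = {}
    for r in risks:
        if r.control_id not in mapping:
            raise ValueError(f"untreated risk: {r.control_id}")
        projects.setdefault(mapping[r.control_id], []).append(r)
    return projects


# Constructed sample findings, one per assessment section named above
RISKS = [
    Risk("ADM-01", "No documented risk management process", ["insider", "auditor"], "process", 4, 4),
    Risk("TEC-03", "ePHI backup media stored unencrypted", ["thief", "lost media"], "data", 3, 5),
    Risk("PHY-02", "Server room not badge-controlled after hours", ["intruder"], "facility", 2, 4),
    Risk("BRN-01", "No breach notification procedure", ["regulator"], "process", 2, 3),
]

# Constructed mapping of each risk to a mitigation project
PROJECT_MAP = {
    "ADM-01": "Risk management program",
    "TEC-03": "Backup encryption rollout",
    "PHY-02": "Physical access controls",
    "BRN-01": "Breach response procedure",
}

if __name__ == "__main__":
    for r in prioritise(RISKS):
        print(f"{r.control_id} L={r.likelihood} I={r.impact} score={r.score:>2} {rating(r.score)}")
    print(render_heat_map(heat_map(RISKS)))
    for name, items in build_projects(RISKS, PROJECT_MAP).items():
        print(name, "->", [r.control_id for r in items])
```

The one design point worth noting is that `build_projects` refuses an unmapped risk instead of skipping it: the requirement that each risk be treated is enforced by the register rather than left to whoever reads the report.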
Next, I downloaded the risk report (docx format) and used it to create the report to the client. The risk report contained the risk, status and project heat maps and detailed breakdowns of each risk and project for reference; this information was easily transferable to Microsoft PowerPoint or intranet sites for presentation.
In this engagement, Compliance Communicator (BETA) and Risk Communicator enabled me to rapidly capture assessment data and profile the risks associated with the control gaps, resulting in a concise view of risk priorities and mitigation projects that was of great benefit to the client.