
Conducting a HIPAA/HITECH Risk Assessment with SPM

September 23, 2014


Recently, I had the opportunity to conduct a HIPAA/HITECH Risk Assessment for a regional healthcare provider. In this project, a HIPAA/HITECH compliance assessment was required prior to the risk assessment work.

After the project kick-off meeting, various meetings were held with business and IT application owners, and documents were collected and reviewed. The information gathered was entered into Caliber's Security Process Management Suite (SPM), Compliance Communicator (BETA), using a HIPAA/HITECH Security Rule controls template (Figure 1).

Figure 1 (image: HIPAA/HITECH RA)

Figure 2 (image: HIPAA/HITECH RA)

As I moved through the 65 controls across the Administrative, Physical, Technical, Policy and HITECH Breach Notification Act sections, I selected the appropriate control response, added notes and attached supporting documents as evidence (Figure 2). When I was finished, I used the results to create a HIPAA/HITECH risk profile in Risk Communicator using the Risk Builder.

The Risk Builder (Figure 3) lets the assessor create risk profiles for individual controls, adding a description, threat agents, categories, actions, intent and asset type along with considering business drivers and security categories (Figure 4).

Figure 3 (image: HIPAA/HITECH RA)

Figure 4 (image: HIPAA/HITECH RA)

Then I specified the likelihood and impact of each risk to arrive at a risk score for each control measure (Figure 5).

Figure 5 (image: HIPAA/HITECH RA)

From here, a risk map (Figure 6) in heat map format is created along with a report (Figure 7).

Figure 6 (image: HIPAA/HITECH RA)

Figure 7 (image: HIPAA/HITECH RA)

Since each of the risks must be treated, I used the Project Builder (Figure 8) to create risk management projects and map them (Figure 9).

Figure 8 (image: HIPAA/HITECH RA)

Figure 9 (image: HIPAA/HITECH RA)

Next, I downloaded the risk report (docx format) and used it to create the report to the client. The risk report contained the risk, status and project heat maps, plus detailed breakdowns of each risk and project for reference; this information was easily transferable to Microsoft PowerPoint or intranet sites for presentation.
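To make the scoring and mapping steps above concrete, here is an added example (my own illustration, not SPM's data model or code) of a minimal risk register: each control gap gets a likelihood and impact on an assumed 1-5 scale, the product is banded into a rating, the results are placed on a 5x5 heat-map grid, and every risk is assigned to a treatment project. The CFR citations are real Security Rule and Breach Notification section numbers, but the gaps, ratings and band thresholds are constructed for illustration.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample findings in the style of a HIPAA Security Rule gap list.
# Likelihood and impact use an assumed 1-5 scale; the gaps are invented.
FINDINGS = [
    {"control": "164.308(a)(1)(ii)(A)", "section": "Administrative",
     "gap": "No documented risk analysis", "likelihood": 4, "impact": 5},
    {"control": "164.312(a)(2)(iv)", "section": "Technical",
     "gap": "ePHI on laptops not encrypted", "likelihood": 3, "impact": 5},
    {"control": "164.310(d)(1)", "section": "Physical",
     "gap": "Media disposal procedure undocumented", "likelihood": 2, "impact": 3},
    {"control": "164.404", "section": "HITECH Breach Notification",
     "gap": "Breach notification timeline not defined", "likelihood": 2, "impact": 4},
]

# Assumed rating bands for a 1-25 score (likelihood x impact), highest first.
BANDS = [(20, "Critical"), (12, "High"), (6, "Medium"), (0, "Low")]

def risk_score(likelihood: int, impact: int) -> int:
    """Score = likelihood x impact; both inputs must be on the 1-5 scale."""
    for v in (likelihood, impact):
        if not 1 <= v <= 5:
            raise ValueError(f"likelihood/impact must be 1-5, got {v}")
    return likelihood * impact

def rating(score: int) -> str:
    """Return the band whose floor the score meets (BANDS is ordered high to low)."""
    return next(label for floor, label in BANDS if score >= floor)

def profile(findings: List[dict]) -> List[dict]:
    """Attach score and rating to each finding and order them highest risk first."""
    rows = [dict(f, score=risk_score(f["likelihood"], f["impact"])) for f in findings]
    for r in rows:
        r["rating"] = rating(r["score"])
    return sorted(rows, key=lambda r: r["score"], reverse=True)

def heat_map(rows: List[dict]) -> Dict[Tuple[int, int], List[str]]:
    """5x5 grid keyed by (likelihood, impact); each cell lists the control ids in it."""
    grid = defaultdict(list)
    for r in rows:
        grid[(r["likelihood"], r["impact"])].append(r["control"])
    return dict(grid)

def treatment_projects(rows: List[dict]) -> Dict[str, List[str]]:
    """Every risk must be treated: one project per section, worst gap listed first."""
    projects = defaultdict(list)
    for r in rows:  # rows arrive sorted by score from profile()
        projects[f"Remediate {r['section']} controls"].append(r["control"])
    return dict(projects)

if __name__ == "__main__":
    for r in profile(FINDINGS):
        print(f"{r['score']:>2} {r['rating']:<8} {r['control']} - {r['gap']}")
```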

In this engagement, Compliance Communicator (BETA) and Risk Communicator enabled me to rapidly capture assessment data and profile the risks associated with the control gaps. The result was a concise view of risk priorities and mitigation projects, of great benefit to the client.
