Trust Experience: Eagle HIPAA Computer Security Risk Analysis Solutions

Eagle helps you become HIPAA Compliant

Eagle consultants bring years of experience in HIPAA compliance and audit readiness for hospitals, physician practices, business associates and government agencies.

We use a comprehensive protocol with you that includes:

  • Evaluating the technical security controls in place, such as passwords, encryption, firewalls and audit logging. This is usually based on interviews with computer support personnel; for larger practices and networks, a vulnerability scan may also be performed.
  • Employee Security Awareness Assessments to determine how susceptible staff members are to phishing attacks.
  • Identifying all computer hardware, software and patient data (PHI).
  • Reviewing administrative processes in place, such as employee background checks, employee termination procedures and employee discipline.
  • Preparing a risk analysis report, in the format specified in NIST SP 800-30, that identifies risks and their risk levels.

Physicians, Hospitals, Business Associates, Government Agencies:

More Details About Eagle HIPAA Security Risk Analysis Solutions

No. of HIPAA Compliance Complaint Cases Investigated by HHS (source: HHS.gov)

HIPAA violation complaints have been increasing, according to HHS.gov: 8,752 were recorded in 2010 and 17,643 in 2015. The HIPAA Computer Security Risk Analysis is a mandatory requirement of the HIPAA Security Rule. The rule requires that a risk analysis be conducted, that it be repeated periodically, and that the deficiencies it identifies be corrected. The HHS Office for Civil Rights (OCR), the agency responsible for HIPAA enforcement, repeatedly stresses the importance of a “thorough and accurate” risk analysis, and most of its enforcement cases have cited deficiencies in the risk analysis.

An annual Computer Security Risk Analysis is a required objective for all versions of the CMS “Promoting Interoperability” programs, formerly known as “Meaningful Use” and “Advancing Care Information”.

Eagle has long experience in successful risk assessment and solutions for healthcare providers.

For this risk analysis, Eagle uses the methodology specified in NIST SP 800-30, which HHS guidance on the Security Rule’s risk analysis requirement cites as an example of an appropriate methodology.  For smaller practices, this risk analysis can be conducted remotely.  For larger practices, an on-site review is recommended.

This assessment is required annually by the CMS “Promoting Interoperability” (PI) programs for Objective #1, Privacy and Security.  (In April 2018, CMS renamed both the “Advancing Care Information” performance category of MIPS and the physician Medicaid “Meaningful Use” program to “Promoting Interoperability”.)

The PI requirement also refers to a Security Management Process. Simply put, the “Security Management Process” consists of the following:  A) conduct a risk analysis, B) implement security fixes to correct the deficiencies found, and C) repeat.  To fulfill the PI requirement, you must do both A and B.

The EHR software you purchased, and its measure “dashboard”, show no details about this objective, since the software has no way of knowing whether you meet the requirements of this objective.

For more information regarding the risk analysis and the Promoting Interoperability program requirements, see the two posts Achieving Meaningful Use Stage 1 for Privacy and Security and 45 CFR 164.308(a)(1), 45 CFR 164.312(a)(2)(iv) and 45 CFR 164.306(d)(3) Explained. (Note that while CMS has renamed “Meaningful Use” to “Promoting Interoperability”, the content of these posts is otherwise current and accurate.)

By choosing Eagle’s service, physicians can attest with confidence, even if the physician is selected for a government audit under the MIPS or Promoting Interoperability programs.  Eagle has a 100% acceptance rate for its clients who have been selected for one of these audits.


Eagle Consulting assists hospitals and large physician practices with the Privacy and Security objective for the Promoting Interoperability program (formerly “Meaningful Use” and/or “Advancing Care Information”).  This includes conducting the HIPAA Security Risk Analysis, also known as the Risk Assessment, and creating a corrective action plan based on the findings.

The fundamental purpose of implementing internal controls is to mitigate risk to a level the organization considers acceptable.  This assessment is based on the controls specific to the HIPAA Security Rule as they relate to the hospital’s business goals and objectives and the perceived threats.  Our assessment measures both compliance with the controls and the level of risk that exists, taking into account IT threats, existing vulnerabilities, and the probability that those vulnerabilities will be exploited.

Engagement Process

Discovery.  After identifying key participants from the hospital organization, a custom assessment workbook is prepared for each participant.  The workbook includes all 42 of the HIPAA Security Rule’s implementation specifications, plus 25 additional controls from the ISO 27002 framework and selected controls from the Council on CyberSecurity Top 20 Security Controls (now maintained as the CIS Critical Security Controls).  Conducting an effective risk analysis for a larger organization requires a more comprehensive and granular framework such as ISO 27002.  Select controls from the Top 20 are also evaluated because these high-priority controls are absent from HIPAA.  Conducting an appropriate risk analysis requires an evaluation of the controls that matter.

Testing.  Existing security controls will be evaluated, including any previously completed penetration testing and vulnerability scanning.  As an option with this process, Eagle can include either of these evaluations as part of the scope of work.

Site Review. An on-site assessment is included, with a walkthrough of facilities, to evaluate physical security controls, to validate data obtained, and to perform additional assessments.

Final Report.  A final written report is provided, in a format consistent with the requirements of the HIPAA Security Rule, 45 CFR 164.308(a)(1)(ii)(A).  This standard calls for an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.  Eagle’s report includes a list of prioritized recommendations to address the risks and vulnerabilities identified.

Risk Management Support.  The CMS Promoting Interoperability objective requires that the hospital address deficiencies identified as part of its ongoing Security Management Process.   Eagle offers retainer agreements to assist with risk management, that is, the process of addressing the issues identified in the risk analysis report.  In addition, a variety of services are available to assist with corrective action.

The Promoting Interoperability programs all require that the risk analysis be updated annually.

Eagle Consulting assists Business Associates with the HIPAA Risk Analysis required by the HIPAA Security Rule.  This includes conducting the HIPAA Security Risk Analysis, also known as the Risk Assessment, and creating a corrective action plan based on the findings.  A graphic illustration of the Security Management Process shows the multiple steps needed to create a detailed Security Risk Analysis.

When dealing with hospitals, physician practices or insurance companies, a standard framework can be used because the business processes of these entities are generally understood at the outset.  However, there is tremendous variety among Business Associates, with vastly different business processes, for example:

  • Billing services are focused on healthcare and maintain billing and/or electronic records, with access to the records of anywhere from a few practices to hundreds of organizations.
  • Consulting firms or law firms may send consultants or attorneys on site at hospitals but never store any electronic PHI on their own systems.
  • Medical software authors/resellers may have extensive teams of software developers, and customers may expect that the code is secure.  These organizations may process PHI on a limited basis for data conversions but otherwise keep no PHI.  They may also maintain electronic access to their clients’ systems.
  • A direct mail house may serve a wide variety of industries and from time to time handle a large hospital’s mailings to patients.

Further, business associates may range from a small organization with a few people to a national organization with hundreds of locations and tens of thousands of employees.  Because of this wide range, an initial discovery phase is necessary as part of the risk analysis process.

Engagement & Eagle Solution Process

Discovery and Control Selection.  The first step is to understand the business processes of the Business Associate, to identify the electronic PHI that it maintains, and to gain a brief understanding of the existing controls in place.  Based on the business processes, Eagle identifies the controls that are most appropriate.  The selection process involves reviewing appropriate controls not only from the HIPAA implementation specifications but also from the more comprehensive and granular framework, ISO 27002.  In addition, Eagle reviews relevant controls from the Council on CyberSecurity’s Top 20 Security Controls because some of these high-priority controls are absent from HIPAA.  The deliverable from this step is a list of controls that we

Control Review and Testing.  Using the controls identified above, existing controls are reviewed in more detail and gaps and deficiencies are identified.  Any previous evaluations, such as penetration tests and vulnerability scans, are reviewed.  As an option with this process, Eagle can include either of these evaluations in the scope of work.

Impact Assessment.  Based on an understanding of the quantity of ePHI involved, the nature of the organization, and its reliance on information technology for daily operations, the impact of various failures is estimated.  The failures evaluated include data breach, system downtime, and data integrity failures.

Site Review. An on-site assessment is included, with a walkthrough of facilities, to evaluate physical security controls, to validate data obtained, and to perform additional assessments.

Final Report.  A final written report is provided, in a format consistent with the requirements of the HIPAA Security Rule, 45 CFR 164.308(a)(1)(ii)(A).  This standard calls for an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI.  Eagle’s report includes a list of prioritized recommendations to address the risks and vulnerabilities identified.

Remediation Support.  As a follow-up to the risk analysis, a variety of services are available to assist with corrective action.

Eagle Consulting Partners specializes in helping governmental agencies comply with HIPAA and other applicable privacy and security regulations. Eagle has worked with numerous public health departments and agencies serving the disabled, providing support for HIPAA and other privacy laws.

For over 15 years, Eagle has been at the forefront of serving Ohio County Boards of Developmental Disabilities in creating procedures to protect computer data security and client privacy. Eagle has experience working with GateKeeper, Intellivue, as well as other software used by county boards to provide services.

Our Risk Analysis Process:

Discovery.  After identifying key participants from the organization, a custom assessment workbook is prepared for each participant.  The workbook includes all 42 of the HIPAA Security Rule’s implementation specifications, plus 25 additional controls from the ISO 27001/27002 framework and selected controls from the Council on CyberSecurity Top 20 Security Controls.  Conducting an effective risk analysis for a larger organization requires a more comprehensive and granular control set such as ISO 27002.  Select controls from the Council on CyberSecurity’s Top 20 are also evaluated because these high-priority controls are absent from HIPAA.  Conducting an appropriate risk analysis requires an evaluation of the controls that matter. This process includes a review of the Policies & Procedures manuals for compliance with state and federal regulations.

Testing.  Existing security controls will be evaluated, including any previously completed penetration testing and vulnerability scanning.  As an option with this process, Eagle can include either of these evaluations as part of the scope of work.

Site Review. An on-site assessment is included, with a walkthrough of facilities, to evaluate physical security controls, to validate data obtained, and to perform additional assessments.

Final Report.  A final written report is provided, in a format consistent with the requirements of the HIPAA Security Rule, 45 CFR 164.308(a)(1)(ii)(A).  This standard calls for an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.  Eagle’s report includes a list of prioritized recommendations to address the risks and vulnerabilities identified.

Eagle Consulting assists Payers with the HIPAA Risk Analysis required by the HIPAA Security Rule.  This includes conducting the HIPAA Security Risk Analysis, also known as the Risk Assessment, and creating a corrective action plan based on the findings.

Our Risk Analysis Process:

The Discovery, Testing, Site Review and Final Report steps for payers are the same as those described for government agencies above.

Eagle Consulting assists Providers with the HIPAA Risk Analysis required by the HIPAA Security Rule.  This includes conducting the HIPAA Security Risk Analysis, also known as the Risk Assessment, and creating a corrective action plan based on the findings.

Our Risk Analysis Process:

The Discovery, Testing, Site Review and Final Report steps for providers are the same as those described for government agencies above.
