Risk Analysis for Meaningful Use — Hospitals
Eagle Consulting assists hospitals and large physician practices with the Privacy and Security objective for Meaningful Use Stage 2. This includes conducting the HIPAA Security Risk Analysis, also known as the Risk Assessment, and creating a corrective action plan based on findings.
The fundamental purpose of implementing internal controls is to mitigate risk to a level the organization finds acceptable. This assessment is based on the controls of the HIPAA Security Rule as they relate to the hospital’s business goals and objectives and to the threats it perceives. Our assessment measures both compliance with those controls and the level of residual risk, considering IT threats, existing vulnerabilities, and the probability that those vulnerabilities will be exploited.
Discovery. After identifying key participants from the hospital organization, a custom assessment workbook is prepared for each participant. The workbook covers all 42 HIPAA Security implementation specifications, plus an additional 25 controls from the ISO 27002 framework and selected controls from the Council on CyberSecurity Top 20 Critical Security Controls (formerly the SANS Top 20). An effective risk analysis for a larger organization requires a more comprehensive and granular framework such as ISO 27002, and the selected Top 20 controls are evaluated because these high-priority controls are absent from HIPAA. An appropriate risk analysis evaluates the controls that matter.
Testing. Existing security controls are evaluated, including the results of any previously completed penetration testing and vulnerability scanning. Optionally, Eagle can perform either of these evaluations as part of the scope of work.
Site Review. An on-site assessment is included, with a walk-through of the facilities, to evaluate physical security controls, to validate the data gathered during discovery, and to perform additional assessments.
Final Report. A final written report is provided in a format consistent with the requirements of the HIPAA Security Rule, 164.308(a)(1)(ii). This standard calls for an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of ePHI. Eagle’s report includes a prioritized list of recommendations to address the risks and vulnerabilities identified.
Advisory Services. The Meaningful Use objective requires that the hospital address deficiencies identified as part of its ongoing Security Management Process. Eagle offers a one-year retainer arrangement to serve as a resource for the hospital’s IT management team during implementation of our recommendations. In addition, a variety of services are available to assist with corrective action.
A multi-year discount arrangement is offered. The Stage 2 Meaningful Use guidelines clarify that risk assessments should be conducted annually.
[Figure: number of HIPAA compliance cases with corrective action from HHS (source: HHS.gov)]
Experienced Eagle Analysis & Solutions:
1) Identify all computer hardware, software and patient data (PHI). This involves documenting the location, type and quantity of patient data.
2) Evaluate the technical security capabilities in place, such as passwords, encryption, firewalls and audit logging, usually based on interviews with computer support personnel. For larger practices and networks, a vulnerability scan can be performed.
3) Review administrative processes in place, such as employee background checks, employee termination procedures and employee discipline.
4) Prepare a risk analysis report with commentary on all 42 HIPAA Security implementation specifications, a risk level for each based on the security measures in place, and prioritized recommendations for corrective action.