Problem
HIPAA introduces a variety of organizational and procedural changes that address the confidentiality, availability, integrity and overall security of Electronic Patient Health Information (EPHI) within the healthcare and medical services industry. If your organization is a Covered Entity (CE) as defined by the Health and Human Services Department, you are required to implement a variety of practices within your organization; these are defined in the HIPAA Security Rule. In addition to the review items mandated by the Security Rule, we provide our clients with comparative information and baselines against industry standard practices. A complete assessment as required under the HIPAA specifications includes on-site interviews with personnel, system analysis, policy and procedure review, and remediation suggestions.
Solution
The Orange Parachute HITECH/HIPAA Risk Assessment is an in-depth assessment of the organization's adherence to existing policies and industry best practices, together with an identification of the areas of weakness that must be addressed to meet business needs or regulatory and compliance requirements. We assess the existing weaknesses and develop countermeasures in three areas: people, process and technology. Through our gap analysis approach, we design a remediation process and identify mitigating controls. The audit can be broken down into the following areas:
- Internal – Analyze the security of the desktops, laptops, servers and storage, as well as the existing security processes and procedures, from an internal perspective. Areas that can be reviewed include, but are not limited to, security over intellectual property, vendors, legal and compliance issues, disaster recovery, business continuity and data storage.
- People and Process – Assess the vulnerabilities associated with how employees (including contractors, visitors and unauthorized insiders) conduct themselves. Review business processes for inherent weaknesses according to industry best practices.
- Physical – Assess the physical controls around information assets for potential vulnerabilities, including:
  - Environmental disasters
  - Deliberate acts of destruction
  - Loss of services
  - Equipment and system failure
  - Serious information security incidents
  - Personnel (hiring, firing, transferring/moving) and safety
  - Building and property access, monitoring and recording
How the Process Works
Our consultant travels on-site to interview relevant staff, conduct testing and review all pertinent documentation required by HIPAA regulations. Current practices are compared to industry best practices, such as ISO 27001, and to any additional regulatory requirements that the company must follow. A summary and a detailed report are provided identifying all findings, along with detailed solutions both to fix the current problems and to change business processes as necessary, so that further issues are prevented and the organization meets compliance with the HITECH Act as it pertains to the HIPAA Security Rule.
