One of the sub-steps in completing the Risk Determination step of a HIPAA Security Risk Analysis (45 CFR 164.308(a)(1)(ii)(A)) is to document present security controls. Here’s today’s big tip — use the security controls bible!
For each Information Asset identified in your Asset Inventory process (e.g., systems, databases, major hardware, network equipment, operating systems, and application software), you need to document what safeguards and controls are presently in place. Read HIPAA Security Risk Analysis Background and Requirements – A White Paper for Healthcare Professionals for more on completing a HIPAA Security Risk Analysis.
We recommend you work through this process asset by asset, as it can be very detailed and time-consuming work.
Starting with your first Asset, list any and all security controls that you believe to be in place for this Asset. In other words, describe how the confidentiality, integrity and availability of this Asset are being protected presently. This work should include consideration of all administrative, physical and technical safeguards.
Reference the security controls bible, NIST SP 800-53 Revision 3 (Final), Recommended Security Controls for Federal Information Systems and Organizations, as an aid, guide, and memory prompt.
The Clearwater HIPAA Security Risk Analysis ToolKit™ includes a worksheet from which you copy/paste relevant security controls from the “SP800-53 Controls” worksheet into the “Risk Determination and Remediation” worksheet.
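The asset-by-asset worksheet step above, as an added example (not the ToolKit’s own code): each asset carries the SP 800-53 control IDs believed to be in place, and the script reports which safeguard class (administrative, physical, technical) and which of confidentiality, integrity and availability no documented control covers. The mini-catalog and its class/CIA classification are this example’s own simplification, not text from SP 800-53.

```python
from dataclasses import dataclass

# Constructed mini-catalog: SP 800-53 control ID -> (HIPAA safeguard class,
# CIA properties it chiefly protects). The classification is an assumption
# made for this example, not the catalog's own wording.
CATALOG = {
    "AC-2": ("technical", {"C", "I"}),           # Account Management
    "AU-2": ("technical", {"I"}),                # Auditable Events
    "SC-13": ("technical", {"C", "I"}),          # Cryptographic Protection
    "CP-9": ("technical", {"A"}),                # Information System Backup
    "PE-3": ("physical", {"C", "I", "A"}),       # Physical Access Control
    "AT-2": ("administrative", {"C"}),           # Security Awareness
    "PS-3": ("administrative", {"C"}),           # Personnel Screening
}

SAFEGUARD_CLASSES = {"administrative", "physical", "technical"}
CIA = {"C", "I", "A"}


@dataclass
class Asset:
    name: str
    present_controls: list  # SP 800-53 IDs believed to be in place


def worksheet_row(asset):
    """Summarise one asset's present controls and flag what nothing covers."""
    classes, covered, unknown = set(), set(), []
    for cid in asset.present_controls:
        if cid not in CATALOG:
            unknown.append(cid)      # ID not in the catalog: verify it by hand
            continue
        cls, props = CATALOG[cid]
        classes.add(cls)
        covered |= props
    # Gaps: safeguard classes with no documented control, then CIA properties.
    gaps = sorted(SAFEGUARD_CLASSES - classes) + sorted(CIA - covered)
    return {"asset": asset.name, "classes": sorted(classes),
            "cia": sorted(covered), "gaps": gaps, "unknown": unknown}


def build_worksheet(assets):
    return [worksheet_row(a) for a in assets]


# Constructed inventory; "ZZ-1" is a deliberately bogus ID to show the check.
INVENTORY = [
    Asset("EHR database server", ["AC-2", "AU-2", "SC-13", "CP-9", "PE-3", "AT-2"]),
    Asset("Billing workstation", ["AC-2", "AT-2"]),
    Asset("Legacy lab interface", ["SC-13", "ZZ-1"]),
]

if __name__ == "__main__":
    for row in build_worksheet(INVENTORY):
        print(row)
```

An empty `gaps` list means every safeguard class and CIA property has at least one documented control; a non-empty list is where to look next when assessing threats and vulnerabilities for that asset.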
As required by the HITECH Act, the Office for Civil Rights has issued final “Guidance on Risk Analysis Requirements under the HIPAA Security Rule” (July 2010). We advise all Covered Entities and Business Associates to review the Final Guidance and become familiar with the applicable standards and implementation specifications.
Please avail yourself of any of these free resources:
- Risk Analysis Buyer’s Guide
- Expert 2nd Opinion on Your HIPAA Risk Analysis
- Clearwater Compliance White Paper: Risky Business: How to Conduct a Bona Fide HIPAA Security Risk Analysis
- Clearwater Recorded Webinar event entitled How to Conduct a Bona Fide HIPAA Security Risk Analysis
- IRM|Analysis™- Clearwater’s Risk Analysis and Risk Management software DataSheet
- IRM|Analysis™- Clearwater’s Risk Analysis and Risk Management software Free Trial for qualified organizations
- More Risk Analysis Resources
Latest posts by Bob Chaput