No surprise! The Payment Card Industry (PCI) is raising the bar on the performance of an annual risk assessment, a.k.a. risk analysis. It is no surprise because completing an annual risk analysis is foundational to any legitimate information security program. Many HIPAA Covered Entities and Business Associates have to meet both HIPAA and PCI Data Security Standard (PCI DSS) requirements. Here's today's big tip: kill two birds with one stone by completing a bona fide risk analysis according to NIST SP 800-30!
HIPAA Security Risk Analysis Tips & PCI Risk Analysis Tip!
When the Payment Card Industry (PCI) Security Standards Council updated the PCI Data Security Standard (PCI DSS) Requirements and Security Assessment Procedures with Version 2.0 in October 2010, they included the explicit requirement to complete an annual risk assessment in Section 12.1.2 which states:
12.1 Establish, publish, maintain, and disseminate a security policy that accomplishes the following:
12.1.1 Addresses all PCI DSS requirements.
12.1.2 Includes an annual process that identifies threats, and vulnerabilities, and results in a formal risk assessment. (Examples of risk assessment methodologies include but are not limited to OCTAVE, ISO 27005 and NIST SP 800-30.)
12.1.3 Includes a review at least annually and updates when the environment changes.
The PCI DSS testing procedures (the steps an assessor uses to verify compliance) for the 12.1.2 risk assessment requirement are:
12.1.2.a Verify that an annual risk assessment process is documented that identifies threats, vulnerabilities, and results in a formal risk assessment.
12.1.2.b Review risk assessment documentation to verify that the risk assessment process is performed at least annually.
In November 2012, the Risk Assessment Special Interest Group (SIG) of the PCI Security Standards Council published the Information Supplement: PCI DSS Risk Assessment Guidelines.
The objective of this PCI DSS Risk Assessment Guidelines document is to provide supplemental guidance and recommendations for performing a risk assessment in accordance with PCI DSS Requirement 12.1.2. A risk assessment, as required in the PCI DSS, is a formal process used by organizations to identify threats and vulnerabilities that could negatively impact the security of cardholder data.
Two Birds One Stone – Meet Both PCI DSS and HIPAA Security Requirements At Once
Both PCI DSS v2.0 and the PCI DSS Risk Assessment Guidelines cite a number of industry-accepted methodologies that can be used to meet the PCI DSS risk assessment requirement. One of these is the methodology detailed in NIST SP 800-30 Revision 1, "Guide for Conducting Risk Assessments".
Organizations that adopt the NIST SP 800-30 approach for conducting a risk analysis can satisfy both the HIPAA Security Rule risk analysis requirement (45 CFR §164.308(a)(1)(ii)(A)) and PCI DSS Requirement 12.1.2 with one process. The practical caveat: the scope of that single assessment must include every system that stores, processes or transmits ePHI as well as the cardholder data environment; it must be repeated at least annually and updated when the environment changes (the PCI DSS cadence); and the documented results must be retained so that both a QSA and an OCR investigator can review them.
Any of these free resources may be accessed via the links below:
- Risk Analysis Buyer’s Guide
- Expert 2nd Opinion on Your HIPAA Risk Analysis
- Clearwater Compliance White Paper: Risky Business: How to Conduct a Bona Fide HIPAA Security Risk Analysis
- Clearwater Recorded Webinar event entitled How to Conduct a Bona Fide HIPAA Security Risk Analysis
- IRM|Analysis™- Clearwater’s Risk Analysis and Risk Management software DataSheet
- IRM|Analysis™- Clearwater’s Risk Analysis and Risk Management software Free Trial for qualified organizations
- More Risk Analysis Resources
Posted by Bob Chaput