Over a month ago the HIPAA Omnibus Rule became enforceable, bringing a number of vertical industries under accountability for regulatory compliance with the applicable requirements of the final rule. Many of these organizations are in need of a Security Risk Assessment and Gap Analysis to define where they stand in relation to compliance standards. At Loricca we strive to keep the updates and new topics flowing with our community of IT and IT Security Professionals. In this installment we will be covering Risk Assessments. Risk Assessments are commonly the first step in becoming HIPAA compliant and protecting your organization’s data and information.
Why does my organization need a Risk Assessment?
We commonly encounter organizations and their management who ask about the value and necessity of conducting an actual Risk Assessment. In some cases, they actually believe that they are not in need of an assessment. Most of these entities state that they have an IT Department that also handles security, so they should have it covered. In our many years of experience, what we see frequently is that the safety and security of business-sensitive data is not a top priority, since most IT departments are focused on functionality and operations for the business workforce rather than on security.
We understand that security is usually a second priority, so it is our recommendation that a third-party assessment organization is used for Security and Risk Assessments, since you typically don’t want your IT folks assessing themselves. This will achieve a number of things for your department and its compliance benchmark:
- It will provide an accurate evaluation of the effectiveness of the current IT security measures and safeguards that have been implemented to date.
- It will determine the overall security posture of the organization, from the technical, administrative and physical security standpoint.
- It will create a clear and honest picture showing any “gaps” in compliance with applicable federal regulations, corporate policy and industry accepted best practices for data security.
- It will allow your employees to focus on what they do best, rather than taking the time and money required to become IT Security and regulatory compliance experts.
- It will identify and document key threats/vulnerabilities that need to be remediated.
So I need a Risk Assessment. How do I choose a provider?
It is true that with the growth of security measures in the IT industry, there are increasingly many companies offering risk assessments. These range from simple checklists that provide little value to thorough and detailed analyses of findings with usable recommendations, such as what Loricca offers. At Loricca, we believe that the Risk Assessment is the MOST IMPORTANT procedure in our service offering. Without proper evaluation and re-evaluation it becomes easy to overlook vulnerabilities in various facets of daily operations. In other words, if you don’t know you are vulnerable or at risk for a particular threat, how can you even begin to mitigate that risk or remediate that vulnerability?
Some advocate the use of a low-cost “Checklist Approach” where your organization works within itself to identify vulnerabilities. The problem with this approach is that normally the person doing the assessment is an employee of the organization and does not have the experience required to assess the situation and answer the questions properly. From what we have seen, sometimes they don’t really understand the question at hand. This can SIGNIFICANTLY distort the findings of the Risk Assessment and leave your organization unprotected. Other significant issues arise when dealing with checklists as well. For instance, your organization may not require the same type of compliance and security as a larger version of your company. Why would you need the same checklist for compliance standards that you are not required to comply with? There is no ‘one size fits all’ checklist, since every organization is a unique operating entity in and of itself.
Loricca’s Approach to Risk Assessments
At Loricca, we understand that there are a number of different variables to consider when performing Risk Assessments. We also understand that each organization’s needs, culture and technical architecture differ completely from those of any other. For these reasons we have designed a customizable Risk Assessment process featuring a variety of manual and automated technical testing methods along with our “Adaptive Interview Process”. When we execute a Risk Assessment for an organization it is never exactly the same as any other Assessment that we have done. By using Loricca and our “Adaptive Interview Process” you can be sure that your company is getting the most thorough assessment, tailored to the needs of you and your staff, not just a simple checklist.
What Can My Organization Expect During A Risk Assessment?
Depending on the size of your organization and the scope of your involvement in the Risk Assessment, the engagement, from project kickoff to the final Findings and Recommendations Report, can be completed in as little as two to three weeks, or up to ten to twelve weeks for large enterprises. During the Assessment Loricca will examine and analyze your technical, administrative and physical security as it applies to the data that your organization handles (receives/transmits/stores). A brief collection of the services offered in a Loricca IT Risk Assessment is:
- Identifying compliance “gaps” with HIPAA/HITECH, PCI, FISMA, NIST, ISO, FFIEC, etc.
- Determining the overall security posture (technical, administrative, and physical)
- Network penetration testing (blind/internal/external) and vulnerability analysis
- Documenting threats/vulnerabilities with operations and IT security
- Review of existing corporate Policy and Procedures
- Review of DRP (disaster recovery plan) and Business Continuity Plan
- Providing detailed Findings & Recommendations with prioritized ‘next steps’
- Knowledge transfer with key personnel and management presentation of findings
Once the Assessment has been completed, an implementation and remediation plan is crafted and set into place, based on budget and timeframe requirements, to alleviate the information security and compliance issues within your organization. As the plan is executed your organization will become more prepared, more educated, and most importantly more secure. If your company is not clear about its compliance with applicable regulations or the adequacy of the security of its business-sensitive data, please CONTACT Loricca today to discuss how our Risk Assessment and gap analysis can do more for your organization, and give you peace of mind in knowing that the risks to your company have been significantly reduced.