HIPAA security Risk Assessment/Analysis

Encyclopedia : H : HI : HIP : HIPAA security Risk Assessment/Analysis

There are very few or no other articles that link to this one.
Please help in articles on [related topics]. After links have been created, remove this message.
This article has been tagged since July 2006.

}

Please [Glossary#Wwikify] (format) this article or section as suggested in the [Guide to layoutGuide to layout] and the [Manual of StyleManual of Style].
Remove this template after wikifying. This article has been tagged since June 2006.

Contents

1.1 What is
1.2 Objective of
1.3 Project Scope of

1.3.1 Administrative Safeguards
1.3.2 Physical Safeguards
1.3.3 Technical Safeguards

1.4 Technical Vulnerability Assessment

1.4.1 External Penetration Testing:
1.4.2 Network Vulnerability Assessment
1.4.3 Wireless/Remote Access Assessment (RAS) Security Assessment
1.4.4 Vulnerability Assessment Tools

2 External links

What is Risk Analysis is often regarded as the first step towards HIPAA compliance. Risk analysis is a required implementation specification under the Security Management Process standard of the Administrative Safeguards portion of the HIPAA Security Rule as per Section 164.308(a)(1). Covered entities will benefit from an effective Risk Analysis and Risk Management program beyond just being HIPAA compliant. Compliance with HIPAA is not optional... it is mandatory, to avoid penalties.

Objective of The overall objective of a HIPAA risk analysis is to document the Potential risks and vulnerabilities to the confidentiality, integrity, or availability of electronic protected health information (ePHI) and determine the appropriate safeguards to bring the level of risk to an acceptable and manageable level. It helps in ensuring that controls and expenditure are fully commensurate with the risks to which the organization is exposed.
The key to any effective security program is to understand the risk level in the organization and then to determine how to effectively mitigate that risk. This requires identifying what is the data that your organization needs to protect and where that data lives and moves. This then provides the basis for security policies, practices and technologies to protect all such data, such as electronic protected health information. Risk analysis requires understanding the core business functions of the enterprise and then analyzing potential threats and vulnerabilities to assets and information. It helps identify critical business assets and associated risks.

Project Scope of

Administrative Safeguards

• Risk analysis procedures and demonstration of a risk management process;

• Policies and procedures relevant to operational security, including business associate security requirements;

• Information access restriction requirements and controls;

• Incident response procedures and disaster recovery plan and;

• Evidence of periodic technical and non technical reviews.

Physical Safeguards

• Physical access controls, such as building access and appropriate record keeping;

• Policies and procedures for workstation security; and

• Proper usage, storage, and disposal of data storage devices

Technical Safeguards

• Auditing and audit procedures;

• Use of encryption devices and tools;

• Implementation of technology to ensure ePHI confidentiality, integrity, and availability

Technical Vulnerability Assessment

External Penetration Testing:

This testing is focused on the servers, infrastructure and the underlying software comprising the target. It may be performed with no prior knowledge of the site or with full disclosure of the topology and environment. This type of testing will typically involve a comprehensive analysis of publicly available information about the client, a network enumeration phase where target hosts are identified and analyzed, and the behavior of security devices such as screening routers and firewalls are analyzed. Vulnerabilities within the target hosts should then be identified, verified and the implications assessed.

Network Vulnerability Assessment

A Network Vulnerability Assessment checks all aspects of your network from behind the firewall and identifies any potential holes a hacker could exploit. A Network Vulnerability Assessment will analyze IP address, computer, server, and network device on your network. Operating systems, web server platforms, mail servers, and router, switch, and hub on your network are carefully checked for vulnerabilities. Once we identify those vulnerabilities, you’ll get a detailed explanation of the recommended fix for each one.

Wireless/Remote Access Assessment (RAS) Security Assessment

The goal of Wireless Security Assessment is to quantify the vulnerability state of the wireless APs configurations, test the range of the wireless networks to see whether access could be gained outside of client’s property. It also helps to discover whether there were any rogue (unauthorized) APs on client’s network and mainly to determine whether it was possible to gain internal access to ePHI via the wireless APs both authorized and unauthorized

Vulnerability Assessment Tools

A number of tools may be used in assessing the vulnerability of an organization’s systems and networks. Examples of tools that may be used for risk analysis and vulnerability assessment include (but are not limited to):

. SamSpade Tools

. QualysGuard

. Nmap

. STAT Scanner

. Nessus Vulnerability Scanner

. ISS Internet Scanner

. Microsoft Baseline Security Analyzer (MBSA)

Security professionals need to be familiar with using these tools and understand their capabilities for functions such as reporting.

External links

From Wikipedia, the Free Encyclopedia. Original article here. Support Wikipedia by contributing or donating.
All text is available under the terms of the GNU Free Documentation License See Wikipedia Copyrights for details.