Service Feature: Security Risk Assessment

It’s not new news that the Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires that covered entities and its business associates conduct a risk assessment of their healthcare organization. These risk assessments ensure your organization is compliant with HIPAA’s administrative, physical, and technical safeguards. Further, the assessment will help identify areas in your organization’s infrastructure where your protected health information may be at risk.

Netgain has been serving healthcare organizations nationwide for nearly 20 years. In that time, we’ve developed an expertise in healthcare operations and security strategy. We’ve partnered with industry-leading security frameworks to provide Security Risk Assessments that maximize the security of your data while minimizing your organization’s security vulnerabilities.

Our Security Risk Assessment is based around the FISASCORE™, which is built to be the definitive and best information security risk assessment methodology available with reporting designed to be easy to manage and actionable.

As you evaluate partners for your Security Risk Analysis, consider the depth, attention, and expertise of your partner. The outline below shows the scope of the Security Risk Analysis and what you can expect as key deliverables to help improve your organization’s security.

The Security Risk Assessment (SRA) is designed to assess the security of your organization, to propose recommendations for mitigation of these risks, and to ensure your organization meets the federal requirement for HIPAA as well as the Protect Patient Health Information Objective (Security Risk Analysis) under the Quality Payment Program.

Throughout each phase of the SRA, Netgain will conduct an interview and analysis process with deliverables and recommendations through these four phases:

Phase 1: Administrative Controls – The “people” part of security, including risk management, security governance, policies, standards, training and employee awareness.

This phase includes a comprehensive and objective review of all documentation, processes, and practices used in the management and governance of information security.  It is segmented into ten control categories and forty-two (42) subcategories. Administrative Controls are derived from the NIST Cybersecurity Framework (CSF), ISO/IEC 27001:2013, NIST SP 800-53, and the CIS Critical Security Controls for reference, comparison, gap analysis, and risk rating.

Phase 2: Physical Controls – Physical controls are an essential and often overlooked part of your security strategy.

This phase focuses on the physical locations of critical information resources, taking the following into consideration to generate a definitive risk score:

a.  Physical walk through assessing each location
b.  Crime Index – using the latest FBI and local law enforcement crime data
c.  Natural Disasters
d.  Secure Areas
e.  Equipment

Phase 3: Technical Controls (Internal) – Most organizations do a pretty good job at securing the technical perimeter (firewalls, intrusion detection, etc.), but sometime neglect the controls that are essential for an effective defense-in-depth strategy.

This phase of the SRA consists of a thorough, metrics-based assessment of:

a.  A review of the network architecture and management practices,

i.    Network Connectivity
ii.   Remote Access
iii.  Directory Services
iv.  Servers and Storage
v.   Client Systems
vi.  Mobile Devices
vii. Logging, Alerting, and Monitoring

b.  Vulnerability Management,

viii. Backup and Disaster Recovery
ix.   Vulnerability scanning on the internal network(s)
x.    Tests for password policies, system permissions, required auditing and system settings that are common in all networks
xi.   Tests for user auditing settings, such as their password complexity and logging access failures and logons that are common in all networks
xii.  Tests conducted against a database of 50,000+ known vulnerabilities
xiii. Tests for the existence of sensitive files and data leakage
xiv. Tests against known good configurations

c.  Analysis of the collected vulnerability data,
d.  Risk analysis and quantification,
e.  Removal of insignificant data from results,
f.  Prioritization of the risks identified, and
g.  Recommendations for remediation and ongoing maintenance.
h.  Netgain discloses the tools, methods, and configurations employed during testing to enable your personnel to conduct future testing on a regular basis.

Phase 4: Technical Controls (External) – This category covers how effective your organization is at keeping the bad guys out of your network.

The primary objective of the External Technical Controls Assessment and testing exercise is to identify significant vulnerabilities that pose a risk of unauthorized information disclosure, alteration, and/or destruction through publicly accessible information resources.

The External Network Assessment consists of a five-phase process; reconnaissance/discovery, enumeration, vulnerability identification, vulnerability verification, and analysis.

The Final Assessment Reports will be provided to and reviewed with your organization’s stakeholders during an offsite review meeting.

You will be provided with your overall FISASCORE™ as well as a FISASCORE™ for each Phase, control category, and individual control sub-category.  This is important for your organization as you identify your most significant risks and prioritize remediation.

FISA™ Executive Summary Report

This summary report provides the necessary information to quickly understand where your organization’s information security program excels and where it is deficient. The snapshot views allow solid decision-making now (tactically) and into the future (strategically).

FISA™ Management Summary Report

The Management summary report provides more depth into the assessment than the executive summary.  It provides a high-level break down into the individual controls.

FISA™ Information Security Assessment Full Report

The FISA™ Full Report is written with information security professionals in mind. All the details involved with what was assessed, how it was assessed (including tools and logic), findings, and recommendations are provided.  The FISA™ Full Report is also supported with numerous other documents, technical testing results, and raw data.  All supporting information is referenced and provided.

FISA™ Action Plan

One of the challenges in any assessment is determining what to do with the results.  The FISA™ Action Plan is a strategic and tactical plan to tackle the most significant findings from the assessment.  The plan is developed post-assessment between your organization and Netgain’s SRA Team. The result is a comprehensive plan with decisions, accountability, and projected dates for actions to be taken.

HIPAA Compliance requires healthcare organizations conduct Security Risk Assessments at least annually. We’ve found in our years of serving healthcare organizations that the security landscape changes at a much greater rate, and when healthcare organizations conduct SRAs more frequently, they’re subject to less security vulnerabilities.

Take control of your security, minimize your vulnerabilities, and know your FISASCORE by reaching out to one of Netgain’s Security Experts about a Security Risk Analysis.

Click Here for a Free Assessment of Your Current Security Posture

Follow Us