HIPAA Compliance Operational Environment Operational Assessment Technical Assessment Privacy Assessment Information Security Compliance Risk Analysis Enterprise Application Integration Code Remediation		HIPAA Compliance Risk Analysis An important step that organizations can take now is a risk analysis to determine where they are vulnerable to security and privacy lapses, and how much risk to accept. HIPAA defines risk analysis as "a process whereby cost-effective security control measures may be selected by balancing the costs of various security control measures against the loss that would be expected if these measures were not in place. Risk analysis drives an organization's HIPAA compliance efforts because it helps them find out where their vulnerabilities are. Steps in this analysis include: Step 1: Inventory, Definition, and Requirements Identify critical business processes. Create a list of assets used by those critical processes. Place a value on the assets or somehow quantify their importance. Step 2: Vulnerability and Threat Assessment When looking at an organization risk level, it is easy to designate any lapses as high-risk and that could be a mistake. Define the distinctions between high risk and extremely high risk. Run automated security tools to start analysis process. Follow-up with a manual review. Step 3: Evaluation of Controls Brainstorm about potential safeguards and controls as well as their associated cost. Step 4: Analysis, Decision, and Documentation Analyze list of control options for each threat. Decide which control is best to implement for each threat, or choose none at all. Document assessment process and results. Review the reports generated from the analysis workshops. Provide a comprehensive evaluation that pinpoints potential problem areas. Step 5: Communication Communicate results to appropriate parties. Step 6: Monitoring Continuously analyze new threats and modify controls as necessary. Significant organizational changes should lead to a new risk assessment. Features Full HIPAA Risk Analysis addresses all areas affected by enhanced HIPAA security features. Extensive opportunity, risk, vulnerability, and impact analyses of how new types of access controls, updated applications, or new systems directly relate to potential impacts, threats, and existing vulnerabilities. Construct an enterprise-wide knowledge base for justification of security recommendations in business terms. Benefits Promotes far better investment targeting and facilitates related decisions. Transforms the application of HIPAA Risk Analysis across multiple business units to quickly establish the areas of greatest risk to the enterprise as a whole. Brings a consistent and objective approach to all security reviews and cost justification strategies. Ensures vendor's security features are compatible with the organization's information infrastructure. Advantages The Risk Analysis process generates cost-benefit justification for security recommendations in business terms. Provides the ability to 'build-in' expertise while enhancing the productivity of the security or audit team by utilizing a formalized review structure that pools security knowledge to alleviate the need for expensive external security consultants. Wide scale application of a risk assessment program actively involves a range of, and greater number of, staff, which increases security awareness within and across the enterprise. By obtaining information from different parts of an organization, a Risk Analysis aids communication and facilitates decision making.