Information Security Risk Assessment
The foundation of a risk-based approach to information security is a risk assessment. This theme can be found in regulatory requirements spanning financial services, healthcare, government and other industries who handle sensitive information. Risk assessments and supporting documentation are extremely important for maintaining full compliance with regulatory requirements. Annual risk assessments are also central to state regulations such as the New York DFS cybersecurity regulation 23 NYCRR 500. In these instances, organizations should perform annual risk assessments and create an information security program based on risk assessment. Following this process provides a repeatable, measurable and defensible process for management to make risk-based information security decisions around the people, processes, and technologies that may compromise sensitive information and information systems.
HITRUST CSF® Services
The HITRUST CSF is an overarching privacy and security framework that incorporates and leverages the existing security requirements placed on healthcare organizations including federal (e.g., HIPAA, HITECH), state, third party (e.g., PCI, COBIT) and other government agencies (e.g., NIST, FTC and CMS). By attaining HITRUST CSF Certification, your organization demonstrates compliance with, and adoption of, leading best practice security requirements and assessment processes. The result for your organization is a competitive advantage and reduction of reputational, legal and regulatory risk. Originally designed around the requirements of the healthcare industry, the HITRUST CSF can be used by any and all organizations that create, access, store or exchange critical data. In addition to healthcare security requirements, there are over 30 Authoritative Sources (state, regulatory and 3rd party requirements) that may be included in the scope of an assessment. Whether your goal is to meet HIPAA Security Rule requirements, evaluate against Authoritative Sources, achieve certification against the NIST Cybersecurity Framework or achieve HITRUST CSF Certification, SCA can help with our HITRUST CSF services.
HIPAA/HITECH Security Risk Analysis
Any organization that provides healthcare services is mandated by law to fully comply with the details of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) as well as the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH). The HIPAA Security Rule specifically requires that healthcare providers perform a HIPAA Security Risk Analysis to evaluate the technical, administrative and physical safeguards in place to secure protected health information. Following risk assessment methodology of NIST 800 -30, SCA evaluates the technical, administrative and physical safeguards, the individual criteria that must be met for each and the specific implementation requirements.
Meaningful Use and Merit-based Incentive Payment System Security Risk Analysis
Our information security risk assessment team will help you determine if you are prepared for these incentives. These programs require a security risk analysis of several areas; ranging from device and media controls to security management processes, information access management, facility access controls, assigned security responsibility, disaster recovery planning, and more. Our risk analysis process also includes vulnerability scans to meet OCR requirements of evaluating the security of patient data.
Reach out to us to schedule a consultation and learn more about our cybersecurity assessment and advisory services. We will help elevate your security and demonstrate your compliance so that your organization can grow and thrive.