Cybersecurity Risk Assessment
Cybersecurity Risk Assessments are the foundation of a risk-based cybersecurity program and a core regulatory requirement under GLBA, the FTC Safeguards Rule, 23 NYCRR 500, the NAIC Insurance Data Security Model Law, the HIPAA Security Rule and others. Under these regimes, organizations should perform a risk assessment periodically (typically annually, and whenever the environment changes materially) and build and maintain their cybersecurity program on its findings. Following this process gives management a repeatable, measurable and defensible basis for risk-based decisions about the people, processes and technologies that could expose sensitive information and information systems to compromise. The risk assessment and its supporting documentation are also the primary evidence of compliance when a regulator or auditor asks how controls were selected. In addition, a Cybersecurity Risk Assessment is a foundational element of the Identify function of the NIST Cybersecurity Framework (the Risk Assessment category, ID.RA) and is a required control in the NIST SP 800-53 and NIST SP 800-171 control catalogs.
HITRUST CSF® Services
The HITRUST CSF is an overarching privacy and security framework that incorporates and harmonizes the security requirements already placed on healthcare organizations, including federal law (e.g., HIPAA, HITECH), state law, industry standards (e.g., PCI DSS, COBIT) and federal agency and standards-body requirements (e.g., NIST, FTC and CMS). By attaining HITRUST CSF Certification, your organization demonstrates adoption of, and compliance with, leading best-practice security requirements and an independently validated assessment process. The result is a competitive advantage and a reduction of reputational, legal and regulatory risk. Although originally designed around the requirements of the healthcare industry, the HITRUST CSF can be used by any organization that creates, accesses, stores or exchanges sensitive data. Beyond the healthcare requirements, more than 30 Authoritative Sources (state, regulatory and third-party requirements) can be included in the scope of an assessment. Whether your goal is to meet HIPAA Security Rule requirements, evaluate against specific Authoritative Sources, obtain a NIST Cybersecurity Framework report through HITRUST, or achieve HITRUST CSF Certification, SCA can help with our HITRUST CSF services.
HIPAA/HITECH Security Risk Analysis
HIPAA covered entities (health plans, healthcare clearinghouses, and providers that conduct standard electronic transactions) and their business associates are required by law to comply with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) as amended by the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH). The HIPAA Security Rule specifically requires these organizations to conduct a Security Risk Analysis (45 CFR 164.308(a)(1)(ii)(A)) that evaluates the administrative, physical and technical safeguards protecting electronic protected health information (ePHI). Following the risk assessment methodology of NIST SP 800-30, SCA evaluates each safeguard standard, the implementation specifications (required and addressable) that fall under it, and how each is actually implemented in your environment.
Meaningful Use and Merit-based Incentive Payment System Security Risk Analysis
Our information security risk assessment team will help you determine whether you satisfy the security risk analysis measure these programs require before you attest. The required analysis covers several areas, ranging from device and media controls to security management processes, information access management, facility access controls, assigned security responsibility, disaster recovery planning, and more. Our risk analysis process also includes vulnerability scans of in-scope systems as one input to the evaluation of ePHI security described in OCR's risk analysis guidance.
Reach out to us to schedule a consultation and learn more about our cybersecurity assessment and advisory services. We will help elevate your security and demonstrate your compliance so that your organization can grow and thrive.