An entire cottage industry and ecosystem has quickly emerged to provide risk analysis ("RA") services to covered entities ("CE") and business associates ("BA"). Sometimes this takes the form of software alone, other times it is software plus professional services, and sometimes it is pure professional services. Price points for these services vary widely, from approximately $2,500 to $30,000 USD. RAs are so foundational to a HIPAA Security Rule ("SR") implementation that not having one likely places a CE or BA in willful neglect. No organization wants to be in willful neglect land, because that is where the penalties start at $50K per identical violation. So, the emphasis on RAs is justified. Full stop!
However, let me put things into perspective for you. RAs represent only one out of forty-four (44) implementation specifications ("Controls") in the SR (although arguably one of the two most important, because of its foundational nature). By our count, that leaves 43 SR Controls (approximately, depending on the methodology used for counting) unaccounted for (i.e. still requiring implementation), not to mention that the HIPAA Privacy Rule ("PR") and Breach Notification Rule ("BR/NF") remain completely ignored. Another way to think of this problem is that when you have completed an RA you have satisfied one (1) out of one-hundred sixty-nine (169) HHS Audit Protocol requirements: you're on the road but still a long way from home.
Completing an RA is good, and it is nice. But "good and nice" only go so far. Your organization still has dozens of ways that it could be found to be in willful neglect.
A HIPAA Implementation Initiative is Not a Technical Problem!
Most organizations' HIPAA compliance initiatives ("HCI") fail because there is far too much focus on the SR while the PR and BR/NF Rules are left untouched. Further, these organizations tend to treat an HCI as a technical problem to be solved by the information technology ("IT") department. This is a recipe for failure for the following non-exhaustive set of reasons: (1) the SR itself is a people-and-process organizational challenge more than a technical challenge (i.e. 90% of the SR work lies in the Administrative Safeguards, which are (mostly) non-technical and global in scope, touching the entire organization); and (2) IT often contributes absolutely nothing to the implementation of the PR and BR/NF Rules, leaving two thirds of the HCI untouched.
For many reasons, the latter Rules are arguably more important than the SR, yet IT departments (and consultants) do not find "Risks" associated with them. Again, this is a good way to end up in willful neglect land. These two Rules have lots of moving parts that need to be addressed. They collectively represent more HHS Audit Protocol requirements than the SR. Because HIPAA is a descriptive regulatory regime, many organizations struggle mightily to understand that the PCI DSS regulatory regime, highly technical and prescriptive by definition, is only of tangential benefit when complying with the SR. The two regimes are so fundamentally distinct that mapping one to the other (in either direction) is difficult, to say the least.
The Risk Mitigation and Remediation Challenge
If all you have is an RA then you have utterly failed to comply with 168 HHS Audit Protocol requirements, by our count. The good news is that the tools you need for compliance are included in your HSG Subscription Plan. The requirements are summarized by our free Consolidated Scorecards, which bridge the gap between an RA and the remediation work that needs to be done after it. You should review each row of the SR, PR, and BR/NF Sheets in order to validate which Controls you already have in place. You can rate yourself from zero (0) to four (4) depending on the effectiveness of the Control you implemented for each requirement (i.e. as represented by a single row). As challenging as performing an RA might be, the real work is in mitigating and remediating the Risks identified. Ask yourself the following questions: (1) where's the visible, demonstrable evidence ("VDE") for the remaining 43 SR Controls?; (2) where's the VDE for the PR?; and (3) where's the VDE for the BR/NF?
There's no "A" for having done a rigorous RA, something many of you may have failed to do, using simplistic approaches such as questionnaires instead of thinking hard about the real threats and vulnerabilities that confront your organization. There's no "A" for the effort required to meet one (1) out of one-hundred sixty-nine (169) HHS Audit Protocol requirements. Of course, it's not easy. No one ever said that HIPAA compliance was easy. Those that did lied.
Evaluating marketplace solutions
If you are evaluating vendors, from recognized leaders to one-man independent consultancies, the $64 million question you should ask is: beyond an RA, how does your offering help me comply with, and mitigate the Risks related to, the rest of the Rules? Sure, Expresso has had a significant impact on our customers' ability to conduct rigorous RAs. However, if that was all our Subscription Plan did, then we would be leaving you alone at the dance with no one to dance with. RAs are a small but important part of HIPAA compliance. That's the extent of it. You need more help if you are going to get from zero to seventy anytime soon. Breaches happen. They will happen to you. Count on it.
Unfortunately, the RA cottage industry may be leaving you with a false sense of security, one that poses significant liability for your organization. You may still be able to "fake it 'til you make it"; after all, that's the essence of Agile methodology: eat the elephant through continuous iterations that help you provide more (and better) VDE over time. However, to "make it" you are going to have to show a lot more than an RA. Those days are gone. The nature of the always-on, 24/7/365 world that we all now inhabit demands that you do much more. This is not your daddy's HIPAA anymore!
Expresso® is easy-to-use Risk Assessment software that allows you to detect risks, threats, security objects, and vulnerabilities to PHI, and to identify impacts and assign Controls at a glance! Expresso® is available as part of our HIPAA Survival Guide® Subscription Plan or alone, as a monthly subscription.
Just click on the Act Now Button below and fill out the information, and our Customer Service Staff will set up your Free 15 Day Expresso® Test Drive and arrange a "Go To Meeting" session to review how you can do your HIPAA Risk Assessment in 3 hours or less.
Our "Quick Start Guide" and educational videos get you off and running to complete your first Baseline Risk Assessment. Expresso® comes pre-populated with all the Risks, Threats, Vulnerabilities and Impacts necessary to complete your Risk Assessment.
1) Perform a Baseline Risk Assessment in a matter of hours;
2) Bulk import Security Objects: people, places, assets, processes and apply Security Controls;
3) Track the results of the Controls applied; and
4) Retain instances of past Risk Assessments for reporting purposes.