HIPAA Survival Guide November 2016 Newsletter

HIPAA Survival Guide October Newsletter 2016: Issue 83.
Your HIPAA Compliance Companion

Selecting Risk Assessment Software

INTRODUCTION

Risk Assessment ("RA") software is a type of "process ware" that should encompass an industry standard methodology for conducting RAs. In the healthcare space there is no de jure standard for conducting a Risk Assessment; however, a de facto standard has emerged in the form of NIST SP800-30 Rev.1 ("Standard"). NIST is the federal government agency responsible for providing cybersecurity advice to all U.S. government agencies, and what NIST recommends is the aforementioned Standard. With respect to HIPAA, this Standard is only a recommendation. Covered entities ("CEs") and business associates ("BAs") are free to choose their own methodologies for achieving the same objective. However, it would be both misleading and misguided to suggest that CEs and BAs may select any arbitrary methodology as a substitute for the Standard. In short, if OCR is recommending a particular Standard then any substitute that is as good as or better than the Standard is likely to meet the "reasonable and appropriate" requirement of the Security Rule; all others are likely to fall far short.

The NIST methodology has been implicitly found to be functionally sound and industry agnostic (i.e. the Standard can applied to any regulatory regime that requires a Risk Assessment, not just HIPAA.). The U.S. government has arguably invested millions of dollars in ensuring that the Standard reflects best practices and the consensus opinion of cybersecurity public and private sector thought leaders. In short, the Standard has been vetted and not found wanting. For this reason, many software vendors whose software actually allows you to conduct a Risk Assessment have selected the Standard as the model that is abstracted and reflected in their offerings.

There are a significant number of software vendors using surveys and questionnaires as a substitute for the Standard. Caveat Emptor (buyer beware). In order to make an informed decision a CE or BA must be prepared to ask the right questions. Although surveys and questionnaires may add value (e.g. if you are wandering around the desert and looking for a drink of water) they are no replacement for a Risk Assessment conducted according to the Standard. Surveys and questionnaires generally do not pair threats, Vulnerabilities, and Impacts to help you calculate Risks. They almost certainly do not allow you to associate Controls with Risks nor allow you to associate the former with Security Objects to reduce Risks to levels that are "reasonable and appropriate."

Surveys and questionnaires are pure "snake oil" when being sold as a substitute for the Standard. In order to circumvent any comparison to the Standard, vendors may use different words or complete disclaimers to describe a purported Risk Assessment offering. Said vendors may indeed provide offerings that help you in some way with your HIPAA compliance initiative ("HCI")-but the truth of the matter is that you can put "lipstick on a pig" but it's still a pig. Offerings that are too good to be true more often than not are just that.

So what's a prospective buyer to do? You would assume that in the age where the Internet is our "go to" tool for conducting research, a relatively quick comparison between vendors offering HIPAA software would produce the kinds of comparisons you need to make an informed decision. That's the way it works for consumer electronics, most software, and millions of other products. However that is often not the way it works for HIPAA software.

Simply type "HIPAA risk assessment software" or "HIPAA software" into Google (or your favorite search engine) and you will get a pretty good list of vendors to start your search. We can almost guarantee (unless the marketplace completely changes in the next 2-3 weeks) that you will be disappointed by what you find. On most vendor websites you will have a hard time figuring out what their software does and, instead, what you will see is "contact us for a demo." Further, you will likely have an even harder time figuring out what the vendor's offering costs and, instead, what you get is "contact us for pricing."

Compare that to Expresso. Expresso abstracts and reflects the Standard in its entirety; therefore, we have a high degree of confidence that you can perform a valid Risk Assessment using the functionality which Expresso provides. You can go here for an hour long Expresso demo conducted in one of our public webinars, together with Q&A from the public. You can also see here that our pricing is $2,495.95 for the first year and $1,295.95 for each year you choose to renew thereafter.

What about the number of users, how does that factor into the equation? It doesn't with Expresso; at least not directly. Instead we chose to break-up the licensing per profit and loss ("P&L") center. If you have 1000 members in your workforce all under one P&L center, then Expresso costs no more than the prices discussed above. On the other hand, if you are ABC Fortune 500 company, and want to use Expresso for all 100 P&L centers within your organization, then you would be required to purchase 100 licenses. This is not to say that one pricing scheme is better than another, but rather that there should be transparency in pricing. Of course, based "on the facts on the ground" then one pricing scheme will be more economical than another. However, until those facts are known, no valid pricing comparison can be made; therefore a prospective customer cannot reasonably determine, without a lot more time, how to proceed, if at all.

Moreover the analysis almost never stops with just a determination of RA functionality and pricing. Similar to our Subscription, most vendors sell much more than RA software. They sell other products (and services) to help you with the remediation process. The best RA in the world (and "best" is not the legal requirement) is a pure analysis step. It should help you identify which Risks you want to attack and what Controls you want to implement, but it is not the step where the actual work gets done. That is left for the next implementation specification in the first Administrative Safeguards Standard, namely "Risk Mitigation." We have over 30 products and counting that help you remediate, including 15 training products. The value of our Subscription Plan does not stop with Expresso, however good the latter may be. Similar to what we do, you should ask other vendors how they help you remediate.

Be careful because many vendors will answer this question with "it depends." What they likely want to do is sell you professional services. The pitch goes something like this, let us come in with our experts and then we will be able to provide you a quote that pertains to your unique situation. This is especially true if the pitch is being "lobbed at" the aforementioned Fortune 500 Company. The latter is use to conducting business in this manner, and moreover, they may sell their professional services in exactly the same way. There is nothing per se wrong with this approach. However, the savvy prospect needs to understand what remediation they are buying "in the box" and what comes only with professional services attached (i.e. likely dramatically increasing the cost of the prospect is purchasing).

The HIPAA Survival Guide Subscription Plan

Now Includes Expresso™

The Risk Assessment Express

See The Expresso Demo

HIPAA Compliance

It's no secret that HIPAA compliance can be complicated. Very complicated!.The Security Rule tells us that all Covered Entities and Business Associates must perform Risk Assessments. HHS tells us that Risk Assessments are on the desk auditors' target list. HIPAA tells us that failure to comply with the Security Rule can result in huge fines.

What HIPAA doesn't tell you is how to actually perform a Risk Assessment.

WHERE DO YOU START???

You Now Have: Expresso™ an easy to use Risk Assessment software that allows you to identify security objects, risks, threats and vulnerabilities to define impacts and assign controls at a glance!

You Can

Perform a baseline Risk Assessment in a matter of hours

Bulk import Security Objects (people, places, assets, processes and other things that Security Controls are applied to)

Track the results of the Controls applied

Retain instances of past Risk Assessments for reporting purposes

Expresso™ will allow you to do all of the above, and so much much more!

Included In HIPAA Survival Guide Subscription Plan

HIPAA Compliance Products

Expresso™
Cloud, Social Media, and Mobile Checklist
Model Mobile Policy
Privacy Rule Checklist
Model Privacy Rule Policy
Model Notice of Privacy Practices
Security Rule Checklist
Model Security Rule Policy
Checklists Combo Package
Breach Notification Framework
Breach Notification Policy
HIPAA Frameworks Combo
HIPAA Survival Guide Fourth Edition
Business Associate Agreement
Business Associate-to-Business Associate Agreement
Security Rule for Business Associates

HIPAA Training Products Included

HIPAA Audit Preparation Training
HIPAA Security Rule Audit Preparation Training
HIPAA Privacy Rule Audit Preparation Training
HIPAA Breach Notification Rule Audit Preparation Training
HIPAA Audit Preparation Training Suite
HITECH Act Training
Security Rule Training
Privacy Rule Training
Breach Notification Training
Business Associates Training
HITECH Core Training Combo
Omnibus Rule Training
Mobile Devices Training
Social Media Training
Risk Assessment Training
Risk Management Program Training
Agile Compliance Training

Give Your Organization's Compliance Initiative

The Boost It Needs To Survive A HHS Audit With
The HIPAA Survival Guide Subscription Plan With Expresso™

BUY NOW

Protect Your Practice and Your Business