Risk Assessment ("RA") software is a type of "process ware" that should encompass an industry standard methodology for conducting RAs. In the healthcare space there is no de jure standard for conducting a Risk Assessment; however, a de facto standard has emerged in the form of NIST SP800-30 Rev.1 ("Standard"). NIST is the federal government agency responsible for providing cybersecurity advice to all U.S. government agencies, and what NIST recommends is the aforementioned Standard. With respect to HIPAA, this Standard is only a recommendation. Covered entities ("CEs") and business associates ("BAs") are free to choose their own methodologies for achieving the same objective. However, it would be both misleading and misguided to suggest that CEs and BAs may select any arbitrary methodology as a substitute for the Standard. In short, if OCR (the HHS Office for Civil Rights) is recommending a particular Standard, then any substitute that is as good as or better than the Standard is likely to meet the "reasonable and appropriate" requirement of the Security Rule; all others are likely to fall far short.
The NIST methodology has been implicitly found to be functionally sound and industry agnostic (i.e. the Standard can be applied to any regulatory regime that requires a Risk Assessment, not just HIPAA). The U.S. government has arguably invested millions of dollars in ensuring that the Standard reflects best practices and the consensus opinion of cybersecurity public and private sector thought leaders. In short, the Standard has been vetted and not found wanting. For this reason, many software vendors whose software actually allows you to conduct a Risk Assessment have selected the Standard as the model that is abstracted and reflected in their offerings.
There are a significant number of software vendors using surveys and questionnaires as a substitute for the Standard. Caveat emptor (buyer beware). In order to make an informed decision a CE or BA must be prepared to ask the right questions. Although surveys and questionnaires may add value (e.g. if you are wandering around the desert and looking for a drink of water), they are no replacement for a Risk Assessment conducted according to the Standard. Surveys and questionnaires generally do not pair Threats, Vulnerabilities, and Impacts to help you calculate Risks. They almost certainly do not allow you to associate Controls with Risks, nor allow you to associate the former with Security Objects to reduce Risks to levels that are "reasonable and appropriate."
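To make that distinction concrete, here is an added illustration (not Expresso's code and not a reproduction of the Standard) of the data model a Standard-based RA needs and a survey cannot supply: each Risk pairs a Threat with a Vulnerability, is rated by likelihood and impact, and carries the Controls that lower its residual level. The five-level scale, the lookup table and the register entries are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

LEVELS = ["very_low", "low", "moderate", "high", "very_high"]

# Likelihood (row) x impact (column) -> risk level, modeled on SP 800-30 Rev.1's
# qualitative table (assumption: transcribed for illustration; verify against the Standard).
MATRIX = {
    "very_high": ["very_low", "low", "moderate", "high", "very_high"],
    "high":      ["very_low", "low", "moderate", "high", "very_high"],
    "moderate":  ["very_low", "low", "moderate", "moderate", "high"],
    "low":       ["very_low", "low", "low", "low", "moderate"],
    "very_low":  ["very_low", "very_low", "very_low", "low", "low"],
}

def risk_level(likelihood: str, impact: str) -> str:
    """Qualitative risk for one threat/vulnerability pairing."""
    return MATRIX[likelihood][LEVELS.index(impact)]

@dataclass
class Control:
    name: str
    reduces: str        # "likelihood" or "impact"
    by_levels: int = 1  # scale steps the control lowers that factor (assumed)

@dataclass
class Risk:
    threat: str
    vulnerability: str
    likelihood: str
    impact: str
    controls: list = field(default_factory=list)

    def inherent(self) -> str:
        return risk_level(self.likelihood, self.impact)

    def residual(self) -> str:
        """Risk after the associated controls lower likelihood and/or impact."""
        li, im = LEVELS.index(self.likelihood), LEVELS.index(self.impact)
        for c in self.controls:
            li -= c.by_levels if c.reduces == "likelihood" else 0
            im -= c.by_levels if c.reduces == "impact" else 0
        return risk_level(LEVELS[max(li, 0)], LEVELS[max(im, 0)])

def above_tolerance(register: list, tolerance: str = "low") -> list:
    """Risks whose residual level still exceeds the organization's tolerance."""
    return [r for r in register if LEVELS.index(r.residual()) > LEVELS.index(tolerance)]

# Constructed sample register (illustrative values, not real findings).
REGISTER = [
    Risk("phishing of workforce credentials", "no MFA on EHR portal", "high", "very_high",
         [Control("MFA on EHR portal", "likelihood", 2)]),
    Risk("lost laptop", "unencrypted ePHI on laptop drives", "moderate", "high",
         [Control("full-disk encryption", "impact", 3)]),
    Risk("ransomware outbreak", "no tested backups", "moderate", "very_high"),
]
```

Running `above_tolerance(REGISTER)` leaves the phishing risk at "moderate" and the ransomware risk at "high", which is exactly the list of Risks still needing Controls that a questionnaire would never produce.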
Surveys and questionnaires are pure "snake oil" when being sold as a substitute for the Standard. In order to circumvent any comparison to the Standard, vendors may use different words or complete disclaimers to describe a purported Risk Assessment offering. Said vendors may indeed provide offerings that help you in some way with your HIPAA compliance initiative ("HCI"), but the truth of the matter is that you can put "lipstick on a pig" and it's still a pig. Offerings that are too good to be true more often than not are just that.
So what's a prospective buyer to do? You would assume that in an age where the Internet is our "go to" tool for conducting research, a relatively quick comparison between vendors offering HIPAA software would produce the kinds of comparisons you need to make an informed decision. That's the way it works for consumer electronics, most software, and millions of other products. However, that is often not the way it works for HIPAA software.
Simply type "HIPAA risk assessment software" or "HIPAA software" into Google (or your favorite search engine) and you will get a pretty good list of vendors to start your search. We can almost guarantee (unless the marketplace completely changes in the next 2-3 weeks) that you will be disappointed by what you find. On most vendor websites you will have a hard time figuring out what their software does and, instead, what you will see is "contact us for a demo." Further, you will likely have an even harder time figuring out what the vendor's offering costs and, instead, what you get is "contact us for pricing."
Compare that to Expresso. Expresso abstracts and reflects the Standard in its entirety; therefore, we have a high degree of confidence that you can perform a valid Risk Assessment using the functionality which Expresso provides. You can go here for an hour-long Expresso demo conducted in one of our public webinars, together with Q&A from the public. You can also see here that our pricing is $2,495.95 for the first year and $1,295.95 for each year you choose to renew thereafter.
What about the number of users, how does that factor into the equation? It doesn't with Expresso; at least not directly. Instead we chose to break up the licensing per profit and loss ("P&L") center. If you have 1000 members in your workforce all under one P&L center, then Expresso costs no more than the prices discussed above. On the other hand, if you are ABC Fortune 500 company, and want to use Expresso for all 100 P&L centers within your organization, then you would be required to purchase 100 licenses. This is not to say that one pricing scheme is better than another, but rather that there should be transparency in pricing. Of course, based on "the facts on the ground," one pricing scheme will be more economical than another. However, until those facts are known, no valid pricing comparison can be made; therefore a prospective customer cannot reasonably determine, without a lot more time, how to proceed, if at all.
Moreover, the analysis almost never stops with just a determination of RA functionality and pricing. Similar to our Subscription, most vendors sell much more than RA software. They sell other products (and services) to help you with the remediation process. The best RA in the world (and "best" is not the legal requirement) is a pure analysis step. It should help you identify which Risks you want to attack and what Controls you want to implement, but it is not the step where the actual work gets done. That is left for the next implementation specification in the first Administrative Safeguards Standard, namely "Risk Management." We have over 30 products and counting that help you remediate, including 15 training products. The value of our Subscription Plan does not stop with Expresso, however good the latter may be. Similar to what we do, you should ask other vendors how they help you remediate.
Be careful, because many vendors will answer this question with "it depends." What they likely want to do is sell you professional services. The pitch goes something like this: let us come in with our experts and then we will be able to provide you a quote that pertains to your unique situation. This is especially true if the pitch is being "lobbed at" the aforementioned Fortune 500 company. The latter is used to conducting business in this manner, and moreover, they may sell their professional services in exactly the same way. There is nothing per se wrong with this approach. However, the savvy prospect needs to understand what remediation they are buying "in the box" and what comes only with professional services attached (i.e. likely dramatically increasing the cost of what the prospect is purchasing).