What To Do With Your Completed Risk Analysis

Completing a comprehensive HIPAA risk analysis is a big achievement and puts you in rare company, but you’re not done yet. Once you’ve completed your HIPAA risk analysis, your organization should be asking: What are we going to do with this risk? Has management reviewed this and agreed? How can we use this information to improve? A mature risk management program doesn’t ask, “Do we have to do this again?” Instead, it incorporates an ongoing, integrated risk analysis process. In this webinar, Mark Hinely discusses five steps for using your risk analysis: internal reporting, management responsibilities, corrective actions, monitoring, and auditing.

Internal Reporting

Once you have completed the identification of your threats and vulnerabilities, the potential impact, the likelihood of occurrence, the controls in place, and your recommendations – all of the foundations of a comprehensive risk analysis – you may wonder what to do with that information. Internal reporting is the next step to take. Your report should include a high-level summary of the risk analysis process, the top findings, your recommendations, and any appendices. The audience for this report should be senior-level management, operational units, or external auditors.

  1. High-Level Summary: The summary in your report should communicate to internal and external stakeholders what you did, and how you did it, in a way that could be independently verified. You want to frame what can be a very complex and confusing collection of information in a way that’s understandable.
  2. Top Findings: Your top findings and/or a heat map provide a visual representation of risk. Instead of giving all of the threat-level details that the risk analysis will include, a heat map will scale that information back to only portray the likelihood of occurrence and potential impact of a particular risk. A heat map is also beneficial because sometimes risk is only fully understood in comparison to other risks, threats, or vulnerabilities.
  3. Recommendations: These recommendations should be enterprise/project-level recommendations, not threat/vulnerability-level.
  4. Appendices: Include any type of supplemental, explanatory information that would be useful to internal or external stakeholders’ understanding of your risk analysis.

These four items will be separate from your actual HIPAA risk analysis. In addition to your internal report, you want to include your risk analysis. Sometimes individuals will also include an asset list, threat list, or policy list.

Management Responsibilities

After you’ve completed your risk analysis and documented the results in a report, now you have a chance to provide the results to management. The guiding standard for responding to risk is “reasonable risk,” specifically § 164.308(a)(1)(ii)(B) – “Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a).”

When management reviews and evaluates risk, they can respond in one of four ways:

  1. Accept: If cost-benefit analysis determines the cost to mitigate risk is unreasonable, then the best and compliant response is to accept and continually monitor the risk. But, there are two kinds of acceptance – passive and active. Passive acceptance takes no action to resolve or manage the risk. Active acceptance takes action to manage the impact.
  2. Transfer: The best response to activities with a low probability of occurring, but with a large financial impact, is to transfer a portion, or all, of the risk to a third party.
  3. Mitigate: The best response to activities with a high likelihood of occurring, but with a small financial impact, is to use management control systems to reduce the risk of potential loss.
  4. Avoid: The best response to activities with a high likelihood of loss and a large financial impact. Instead of continuing the activity with controls in place to reduce the risk, this option says, “We just won’t do that anymore.”

Document management’s review of the risk analysis. We recommend stating an explicit standard, such as: “Our organization’s internal standard is to accept risks that have an overall risk value of medium or low.” Also document management’s approval of the internal risk analysis report. That approval means they have thoroughly reviewed the report and deem it a fair representation of the risk environment. An appendix to the management documentation should record names, titles, dates, and a statement that management has reviewed the information and agrees with it.
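The rating and response logic above, as an added worked example that is not from the webinar: it scores a constructed risk register, buckets each entry into an overall risk value, renders the heat map as a likelihood-by-impact grid, applies a documented acceptance standard of “medium or low,” and suggests Accept, Transfer, Mitigate or Avoid by the quadrant rules in the four responses. The 1-5 scales, the bucket cut-offs and the register entries are assumptions for illustration; HIPAA prescribes none of them.

```python
"""Risk register scoring, heat map and response selection.

Added example, not from the webinar. Assumed: likelihood and impact are rated
1-5, the overall risk value is their product bucketed into Low / Medium / High,
and the organization's documented standard is to accept Medium and Low risks.
"""
from collections import Counter
from dataclasses import dataclass

SCALE = range(1, 6)                     # assumed 1 (very low) .. 5 (very high)
ACCEPTABLE_VALUES = {"Low", "Medium"}   # the organization's written acceptance standard


@dataclass
class Risk:
    risk_id: str
    threat: str
    likelihood: int                          # likelihood of occurrence, 1-5
    impact: int                              # potential impact to ePHI, 1-5
    mitigation_cost_reasonable: bool = True  # outcome of the cost-benefit analysis

    def __post_init__(self):
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError("%s: likelihood and impact must be 1-5" % self.risk_id)


def score(r: Risk) -> int:
    return r.likelihood * r.impact


def risk_value(r: Risk) -> str:
    """Overall risk value; the cut-offs (15 and 6) are illustrative."""
    s = score(r)
    if s >= 15:
        return "High"
    if s >= 6:
        return "Medium"
    return "Low"


def suggested_response(r: Risk) -> str:
    """Accept / Transfer / Mitigate / Avoid, following the quadrant rules above."""
    if risk_value(r) in ACCEPTABLE_VALUES:
        return "Accept"
    if not r.mitigation_cost_reasonable:
        # Active acceptance: no mitigation, but the impact is managed and monitored.
        return "Accept (active: monitor)"
    high_likelihood = r.likelihood >= 4
    high_impact = r.impact >= 4
    if high_likelihood and high_impact:
        return "Avoid"        # high likelihood, large impact: stop the activity
    if high_impact:
        return "Transfer"     # low likelihood, large impact: insure / contract out
    return "Mitigate"         # high likelihood, small impact: add controls


def top_findings(risks, n=3):
    """Highest-scoring risks first; ties broken by impact, then by id."""
    return sorted(risks, key=lambda r: (-score(r), -r.impact, r.risk_id))[:n]


def heat_map_counts(risks) -> Counter:
    return Counter((r.likelihood, r.impact) for r in risks)


def heat_map(risks) -> str:
    """Text heat map: rows are impact (5 at top), columns likelihood (1..5)."""
    counts = heat_map_counts(risks)
    lines = ["impact\\likelihood  " + "  ".join(str(l) for l in SCALE)]
    for impact in reversed(SCALE):
        cells = "  ".join(str(counts.get((l, impact), 0)) for l in SCALE)
        lines.append("%17d  %s" % (impact, cells))
    return "\n".join(lines)


def sample_register():
    """Constructed register entries for illustration only."""
    return [
        Risk("R1", "Unencrypted laptop with ePHI lost or stolen", 4, 5),
        Risk("R2", "Ransomware encrypts the clinical file server", 3, 5),
        Risk("R3", "Phishing harvests workforce credentials", 5, 3),
        Risk("R4", "Tailgating into the paper records room", 2, 3),
        Risk("R5", "Flooding of the on-site data closet", 1, 5),
        Risk("R6", "Legacy imaging workstation cannot be patched", 4, 4, False),
    ]


if __name__ == "__main__":
    register = sample_register()
    for r in register:
        print(r.risk_id, score(r), risk_value(r), suggested_response(r), "-", r.threat)
    print(heat_map(register))
```

The acceptance standard is checked before the quadrant rules so that the documented threshold, not the analyst’s judgement, decides what management is asked to accept; anything above it is then routed to a response that management must sign off on and that the corrective action plan picks up.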

Corrective Action

A risk analysis is a great tool for creating a HIPAA compliance roadmap. It tells you where you have the most exposure and what steps will reduce the areas of greatest exposure, and it supports budget requests. As a best practice, you want to reach the point where you can categorize your control recommendations by cost, by benefit, and by implementation effort. Corrective action then means taking the steps needed to reduce risk to a reasonable and appropriate level, and actually carrying them out.

Monitoring

Once you’ve completed the corrective action stage, you can begin to create a risk-based management control system, rather than a resource-based management control system. If it’s feasible, areas of greater risk receive increased monitoring – increased in frequency and intensity. You can monitor activity through diagnostic controls, boundary controls, or belief systems.

  1. Diagnostic Controls: This type of control reports whether activities are happening when they are supposed to happen and in the way they were designed to occur. Examples: audit log review or penetration tests.
  2. Boundary Controls: This type of control constrains activity. It doesn’t just tell you whether the activity is occurring; it actually shapes what can occur. Examples: the access control process, encryption, or sanctions.
  3. Belief Systems: These controls create a culture of compliance; security awareness training is the usual example. Employees frequently resist it, but when you look at enforcement activity, you see breaches that stemmed from exactly the behaviors security awareness training should have prevented.

An effective risk management program will incorporate a healthy balance of diagnostic, boundary, and belief system controls.

Auditing

A HIPAA risk analysis not only provides direction for monitoring activities, but also for auditing activity. So, what’s the difference between monitoring and auditing? Monitoring is a review of information provided by an operational unit. Auditing is an independent assessment of activities performed by someone outside of the business unit. Internal auditing benefits from a comprehensive risk analysis because your risk analysis should inform your auditing program where the greatest risk is. Audits should test risk analysis controls for both existence and effectiveness. Auditing also lays the groundwork for future risk analyses.

Listen to the full webinar to learn detailed steps of internal reporting, management responsibilities, corrective actions, monitoring, and auditing. Contact us today to learn more about HIPAA compliance.

Independent Audit Verifies OutSystems Internal Controls and Processes

Atlanta  – April 4, 2017 – KirkpatrickPrice announced today that OutSystems, a low-code application development platform leader, has received their SOC 2 Type I attestation report. The completion of this engagement provides evidence that OutSystems has a strong commitment to deliver high quality services to its clients by demonstrating they have the necessary internal controls and processes in place.

SOC 2 engagements are based on the AICPA’s Trust Services Principles. SOC 2 service auditor reports focus on a service organization’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system. KirkpatrickPrice’s service auditor report verifies the suitability of the design and operating effectiveness of OutSystems controls to meet the criteria for these principles.

OutSystems has a strong track record in accelerating the development of mission-critical applications and meeting strict security requirements in heavily regulated industries such as financial, healthcare, and defense.

“The external SOC 2 service auditor report is a very important achievement for OutSystems,” said Jose Casinha, OutSystems Chief Information Security Officer. “This milestone was achieved through an audit by an accredited firm and reflects our commitment to security in services provided to our customers. With this certification, we strengthen the trust relationship with our customers, enabling an even wider adoption of the OutSystems Cloud for security sensitive operations.”

“The SOC 2 audit is based on the Trust Services Principles and Criteria. OutSystems has selected the security principle for the basis of their audit,” said Joseph Kirkpatrick, Managing Partner with KirkpatrickPrice. “OutSystems delivers trust based services to their clients, and by communicating the results of this audit, their clients can be assured of their reliance on OutSystems’ controls.”

About OutSystems

Thousands of customers worldwide trust OutSystems, the number one low-code platform for rapid application development. Engineers with an obsessive attention to detail crafted every aspect of the OutSystems platform to help organizations build enterprise-grade apps and transform their business faster. OutSystems is the only solution that combines the power of low-code development with advanced mobile capabilities, enabling visual development of entire application portfolios that easily integrate with existing systems. Visit us at www.outsystems.com, or follow us on Twitter @OutSystems or LinkedIn at https://www.linkedin.com/company/outsystems.

About KirkpatrickPrice, LLC

KirkpatrickPrice is a licensed CPA firm providing assurance services to over 550 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 10 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SSAE 16, SOC 2, HIPAA, PCI DSS, ISO 27001, FISMA, and CFPB frameworks. www.kirkpatrickprice.com.

###

OutSystems (US and Worldwide)

Ann Conrad

ann.conrad@outsystems.com

+1 404-994-2614


Jessica Ann Morris (US)

jessica@zagcommunications.com

+781.608.0499

Who must be HIPAA Compliant, and how can they prepare?

If you are just beginning to learn about HIPAA, you may be wondering, “Who must be HIPAA Compliant?” Up until 2009, the answer was simple: Covered Entities. But when the Health Information Technology for Economic and Clinical Health (HITECH) Act passed, it expanded the oversight of the Office for Civil Rights (OCR) to Business Associates. The HITECH Act was passed in 2009 to promote the adoption and meaningful use of health information technology (HIT).

Stephanie Rodrigue Discusses Who must be HIPAA Compliant?

The OCR’s proactive supervision holds all covered entities and business associates responsible for their own compliance with the law. Under the Omnibus Rule, business associates are directly liable for their compliance with the applicable HIPAA rules. This means that business associate compliance will be a focus of the coming Phase 2 HIPAA audits.

Covered Entities are healthcare providers such as doctors’ offices, hospitals, health plans, or healthcare clearing houses. If your business is a covered entity preparing for Phase 2 of the OCR’s HIPAA Audit Program, we recommend that you prepare through Risk Analysis, Risk Management, Breach Reporting, and Privacy Notice and Access. Phase 2 audits of covered entities will focus on:

  • Device and Media Controls
  • Transmission Security
  • Risk Analysis and Risk Management
  • Safeguards and Training on Policies and Procedures
  • Notice of Privacy Practices and Access Rights
  • Breach Notification Content and Timeliness

Business Associates are the vendors who provide services on behalf of Covered Entities. Right now, the OCR is conducting audits of business associates and assigning fines for lack of HIPAA compliance. For business associates, these audits will focus on Risk Analysis, Risk Management, and Breach Reporting to Covered Entities. If you are a business associate, we recommend that you prepare through:

  • Conducting Security Rule Risk Analysis and Risk Management
  • Reviewing Policies and Procedures related to ePHI vulnerability, accessibility, and integrity
  • Identifying all systems that include ePHI
  • Evaluating security measures to reduce risk
  • Breach Reporting (impermissible acquisition, use, access, or disclosure of ePHI)
  • Evaluating Policies and Procedures

KirkpatrickPrice can service both covered entities and business associates through:

  • Experienced Risk Analysis Practices
  • Policy and Procedure Review
  • Approach Modeled on HIPAA Audit Protocol
  • Expert Information Security Personnel
  • Web-based Portal Experience

If you’re unsure which parts of HIPAA laws apply to your business, contact us for help.

Who must be HIPAA Compliant? This is a question we get asked from time to time. Up until 2009, the answer was Covered Entities, which are healthcare providers like doctors’ offices and hospitals. But when the HITECH Act passed, it expanded the oversight of the OCR to the Business Associates, which are the vendors who provide services to the Covered Entities.
Right now, the OCR is conducting audits of Business Associates and assessing fines for lack of HIPAA Compliance. If you’re unsure which parts of HIPAA laws apply to your business, contact us for help.

Independent Audit Verifies iVenture Solutions’ Internal Controls and Processes

Jacksonville, FL – February 2017 – iVenture Solutions, an IT services and solutions provider, today announced that it has completed its SSAE 16 (SOC 1) Type II Audit. This attestation verifies that iVenture Solutions has the proper internal controls and processes in place to deliver high quality services to its clients.

KirkpatrickPrice, a licensed CPA and PCI QSA firm, performed the audit and appropriate testing of iVenture Solutions’ controls that may affect its clients’ financial statements. In accordance with SSAE 16 (Statements on Standards for Attestation Engagements), the SOC 1 Type II audit report includes iVenture Solutions’ description of controls as well as the detailed testing of its controls over a minimum six-month period.

“Many of iVenture Solutions’ clients rely on them to protect consumer information,” said Joseph Kirkpatrick, Managing Partner with KirkpatrickPrice. “As a result, iVenture Solutions has implemented best practice controls demanded by their customers to address information security and compliance risks. Our third-party opinion validates these controls and the tests we perform provide assurance regarding the managed solutions provided by iVenture Solutions.”

SOC 1 Type II is a report on the controls at a service organization, established by the American Institute of Certified Public Accountants (AICPA). The report is prepared under the SSAE 16 attestation standard, which focuses on the controls of a service organization that are relevant to an audit of a user entity’s financial statements. The report demonstrates that an organization has adequate controls and processes in place. Regulations such as Sarbanes-Oxley, Gramm-Leach-Bliley and the Health Insurance Portability and Accountability Act (HIPAA) lead corporations to seek assurance over the internal controls of their suppliers, including those that provide technology services.

About iVenture Solutions

Since October 2000 iVenture has provided managed services, IT support, and cloud services for mid-sized and small businesses in Central and North Florida. Visit www.iventuresolutions.com for more info.

About KirkpatrickPrice

KirkpatrickPrice is a licensed CPA firm providing assurance services to over 550 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 10 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SSAE 16, SOC 2, HIPAA, PCI DSS, ISO 27001, FISMA, and CFPB frameworks. www.kirkpatrickprice.com.

Best Practices for Patch and Vulnerability Management Programs

Roughly 75% of the assessments we perform have a finding related to patching. So, what’s missing? What can we do to change that? In this webinar, Jeff Wilder discusses best practices for patch management programs, best practices for vulnerability management and identification programs, false assumptions about patching, risk ranking, and recommended tools.

Patch management should be only one part of your overall vulnerability management program. The program should also include anti-virus (AV), file integrity monitoring (FIM), and log review; defined policies and procedures; the tools needed to identify missing patches or vulnerabilities; and staff trained well enough to address what those tools find. Keep in mind that patching is not just about workstations and servers. Ask yourself: When were your routers and firewalls last updated? Have you considered the applications you use? How will you deploy non-Microsoft patches? What about IoT devices, company-provided Android devices, Adobe products, and so on?

Your vulnerability management and identification program should include monitoring multiple sources for known vulnerabilities, monitoring vendor sites for patches and updates, a risk ranking system for the identified vulnerability, and a watch for 0-day attacks.

Once you’ve identified a patch or vulnerability, you need to rank that risk. We recommend the Common Vulnerability Scoring System (CVSS). CVSS assigns each vulnerability a score from 0.0 to 10.0, where 0.0 means no impact and 10.0 means it needs to be addressed immediately; CVSS v3.x labels the bands None (0.0), Low (0.1–3.9), Medium (4.0–6.9), High (7.0–8.9) and Critical (9.0–10.0). The base score describes the vulnerability in general; how critical it is to your organization also depends on where the affected system sits and what it holds, which is what the environmental metric group captures.

There are many false assumptions when it comes to patching. Patch and vulnerability management programs are about addressing risk, not just patching a device. Common traps are:

  • Assuming that because a patch or update is available you must install it as-is; the decision should rest on the risk it addresses, not on mere availability.
  • Assuming that a vendor’s “medium” rating settles how critical the update is to your organization; the same flaw can be critical or negligible depending on where the affected system sits.
  • Assuming that because Microsoft has not announced a vulnerability, you are immune from attack.
  • Assuming that keeping a system fully patched keeps it free of all vulnerabilities.

Tools that we recommend:

  • Secunia
  • US-CERT
  • org
  • Microsoft Baseline Security Analyzer (MBSA)
  • Missing update on Linux Devices
  • Nipper by Titania
  • Secunia PSI (Personal Software Inspector)
  • NVD Database
  • Reddit
  • exploit-db.com
  • IRC
  • HexChat

Still have questions on vulnerability management programs? Contact us today and speak to an expert.