Risk Assessment
Identify Threats & Vulnerabilities
Key Advantages
• Over a decade of dedicated service to healthcare entities and hundreds of assessments performed
• Third-party assessment allows for thorough, unbiased review of security and privacy programs
• A knowledgeable staff with industry certifications in privacy, security and audit disciplines, and, most importantly, experience in healthcare
• Ability to measure against multiple frameworks, including HIPAA/HITECH, ISO, NIST, FISMA, FIPS, PCI and more
• Meets risk analysis requirements for Meaningful Use and HIPAA Security Rule
• Standards align with OCR’s expectations, utilizing firsthand experience during audits and investigations
• Approach is consistent with OCR’s guidance, using NIST methodology
Now Is The Time For Risk Assessment
A risk analysis must be conducted or reviewed annually to meet regulatory requirements
or anytime there is a change in the operating or technical environment. More importantly,
a Risk Assessment supports awareness and development of data security programs and
results in reduced interruptions due to outages or incidents and better enterprise
integrity by methodically addressing remediation. Conducting a risk analysis is necessary
for many reasons, including:
• Improves risk management posture, reducing threat of breach or security incidents
• Validates previous efforts and identifies potential threats and vulnerabilities
• Verifies that the controls environment supports business strategy and goals
• Ensures an accurate and complete risk analysis in the event of an OCR or CMS audit or investigation
• Demonstrates and maintains HIPAA, HITECH and Meaningful Use compliance
CynergisTek Standard Risk Assessment
• External Security Assessment
• Architecture Assessment
• Internal Security Assessment
• Information Security Program Assessment
• Meaningful Use EHR Technical Controls Assessment
• Wireless LAN Security Assessment
• NIST Methodology-Based Risk Analysis
“A CIO’s mission should be to protect patient privacy through the
continual improvement of security programs. Having CynergisTek
conduct an annual risk assessment supports my team as we work
towards this mission by identifying vulnerabilities, analyzing risk,
and revealing trends that might have gone unnoticed without
them.”
– Chuck Podesta, Chief Information Officer
Is Your Risk Assessment Process Compliant?
HIPAA, Medicare/Medicaid certified systems, Meaningful Use and
FISMA all require a formal risk analysis. Despite these regulations,
OCR identified an improper or incomplete risk analysis as a
common finding in compliance audits. Now there is a greater focus
on risk management programs.
“Comprehensive enterprise risk analysis followed by ...
timely risk management practices is the cornerstone of any
good compliance program.”
– Jocelyn Samuels, Director of HHS, Office for Civil Rights
CynergisTek’s Risk Assessment process specifically addresses
regulatory requirements and helps organizations implement an
ongoing risk management program. Our strategic process includes
technical testing, a physical survey, a programmatic gap analysis
and policy review, and formal risk analysis using the NIST 800-30
Rev. 1 standard.
Throughout the process CynergisTek collaborates with your team to
build effective remediation plans. Deliverables can be used as
supporting documentation for audits or investigations.
CynergisTek can customize a Risk Assessment to meet your
organization’s specific needs, and it can be included with our
Compliance Assistant Partner Program or an ongoing compliance
management program. Popular add-ons include:
• OCR Audit Readiness: Mocks an OCR random audit to prepare for future audits and/or investigations
• HIPAA Privacy Program Assessment: Provides an in-depth review of privacy policies and procedures that measures compliance with HIPAA
• Phishing and Social Engineering: Provides training and awareness for employees to help reduce security risks
• Ongoing Technical Testing Programs
Learn more about our Risk Assessment at:
www.cynergistek.com/compliance/ra
CynergisTek, Inc. | 11410 Jollyville Rd, Suite 2201, Austin TX 78759 | 512.402.8550 | [email protected] | cynergistek.com | @CynergisTek
About CynergisTek
CynergisTek is a top-ranked information privacy and security consulting firm. The company offers solutions to help organizations
measure privacy and security programs against regulatory requirements and assists in developing risk management best
practices. Since 2003 the company has served as a partner to hundreds in the healthcare industry. CynergisTek is also dedicated
to supporting and educating the industry by contributing to relevant associations such as HIMSS, AHIMA, HFMA, HCCA, AHIA,
AHLA, IAPP and CHIME. CynergisTek was recognized by KLAS® as one of three firms that provider organizations turn to most for
privacy and security assistance in its groundbreaking report released in May 2014, entitled “Security and Privacy Perception 2014:
High Stakes, Big Challenges.”