https://www.lexblog.com/2019/01/17/avoiding-critical-security-risk-analysis-mistakes/
AVOIDING CRITICAL SECURITY RISK ANALYSIS MISTAKES
Healthcare organizations and their business associates must be careful to avoid making mistakes with their HIPAA security risk analysis in case they ever undergo a compliance review or breach investigation by federal regulators, says privacy attorney Adam Greene.

“What I see a lot of – and it’s both sad and frustrating – is that a covered entity or business associate might hire an outside security consultant to do a security risk assessment … but what they end up getting is a gap analysis against the HIPAA Security Rule or another set of controls,” he says in an interview with Information Security Media Group.

While a gap analysis can be helpful, “it’s not the sort of risk assessment that the Department of Health and Human Services’ Office for Civil Rights is looking for … if there’s an investigation, audit or breach,” he stresses. What OCR is looking for in a HIPAA security risk analysis “is threat/vulnerability pairings” involving protected health information, he explains.