https://www.lexblog.com/2019/01/17/avoiding-critical-security-risk-analysis-mistakes/
blog article
Healthcare organizations and their business associates must be careful to avoid making mistakes with their HIPAA security risk analysis in case they ever undergo a compliance review or breach investigation by federal regulators, says privacy attorney Adam Greene. “What I see a lot of – and it’s both sad and frustrating – is that a covered entity or business associate might hire an outside security consultant to do a security risk assessment … but what they end up getting is a gap analysis against the HIPAA Security Rule or another set of controls,” he says in an interview with Information Security Media Group. While a gap analysis can be helpful, “it’s not the sort of risk assessment that the Department of Health and Human Services’ Office for Civil Rights is looking for … if there’s an investigation, audit or breach,” he stresses. What OCR is looking for in a HIPAA security risk analysis “is threat/vulnerability pairings” involving protected health information, he explains.