Compliance and Gap Analysis

HIPAA Security Risk Assessment

HIPAA is in motion, it intends to stay that way, and it can no longer be ignored, overlooked, or denied its due. The Office for Civil Rights (OCR) is responsible for issuing guidance on the HIPAA Security Rule (45 CFR 164.302 – 318), which defines the administrative, physical, and technical safeguards that organizations falling under the purview of HIPAA must implement to secure Protected Health Information (PHI). Within the Security Rule, specifically 164.308(a)(1)(ii)(A), these organizations must conduct a risk assessment:

“RISK ANALYSIS (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the [organization].”

While that’s all well and good, there is no prescribed method for conducting a risk assessment. Comments from the OCR, coupled with its renewed vigor in auditing and imposing penalties on organizations that fail to demonstrate due diligence and compliance under HIPAA/HITECH, suggest that one does not need to read tea leaves to identify what needs to be done.

To that end, Alasdair has the experience and knowledge necessary to complete a bona fide risk assessment. While we are not lawyers and cannot attest to any organization being “HIPAA compliant”, we can provide your organization with HIPAA Risk Assessment services that not only can withstand the scrutiny of an OCR audit, but can also help technical staff and business leadership alike understand how the prudent adoption of security controls can protect PHI in a cost-effective fashion.

Similarly, over the course of the analysis, Alasdair will provide your organization with a framework to address these controls in a manner that facilitates a demonstrable and continuous risk analysis and management process.

Whether your organization is a direct healthcare provider, a Covered Entity (CE), or one that is subject to a Business Associate Agreement (BAA) and therefore required to attest to and demonstrate how it protects PHI, Alasdair stands prepared to provide the guidance and experience necessary for your organization to continue to thrive while upholding its obligation to safeguard protected and confidential information.

Sidebar: Well, How Did I Get Here?

In 1996, the Health Insurance Portability and Accountability Act (HIPAA) was passed by Congress. The intent was to improve the portability and continuity of health insurance coverage in the group and individual markets, to combat waste, fraud, and abuse in health insurance and health care delivery, to promote the use of medical savings accounts, to improve access to long-term care services and coverage, to simplify the administration of health insurance, and for other purposes. And there it sat for many years, neglected and covered with layers of administrative dust that gave it sufficient inertia to stay at rest. However, persistent efforts in recent years have proven successful in changing the state of HIPAA from being at rest to being in motion. In 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH) was enacted as part of the American Recovery and Reinvestment Act, intended to increase the use of Electronic Health Records (EHR) by physicians and hospitals. Later, in 2013, the HIPAA Omnibus Rule was codified, which sought to put the proverbial teeth into HIPAA/HITECH; it was then updated again in 2016.

NIST-based Framework Analysis

There are many different security frameworks on the market today, each with its own merits and deficiencies. Choosing the framework best suited to your organization can be a challenging endeavor, requiring careful thought and insightful business analysis. For many years, Alasdair engineers have successfully employed several different frameworks based on the work of the National Institute of Standards and Technology (NIST) to assist customers across most major verticals and industries with aligning their security, IT governance, risk management, and business goals.

The most popular of the frameworks our customers seek advice and consultation on are:

  • NIST Special Publication 800-53 (revision 4): Security and Privacy Controls for Federal Information Systems and Organizations
  • NIST Special Publication 800-171: Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations
  • NIST Cybersecurity Framework: Framework for Improving Critical Infrastructure Cybersecurity

When properly implemented, these frameworks share similar goals and objectives. Our customized approach and assessment methodology are designed to provide insight into your organization’s current security posture, establish baselines expressed in terms of a Capability and Maturity Model (CMM), offer advice for setting goals and developing Plans of Action and Milestones (POA&M), and, overall, collaboratively set the pace for improving and maintaining a “prioritized, flexible, repeatable, performance-based, and cost-effective” (NIST Cybersecurity Framework) security and risk management program. Contact Alasdair to set up an open and honest discussion about how our consulting services can tailor a solution that is right for YOUR organization.

PCI-DSS Gap Analysis

At their core, many of the compliance regimes we’re familiar with (e.g., HIPAA, PCI-DSS, etc.) have their roots in the NIST frameworks. There is nothing magical about it, and the concepts contained within the Special Publications are not new to the security and risk management world. They do, however, represent a significant effort to bring order to chaos by using common terms and descriptions that facilitate objective communication both inside your organization and with external parties. Great progress can be made when we are all speaking the same understandable language, free of huge swaths of ambiguity and vendor jargon.