HIPAA Assessments

egrizzly · March 2020

For you all out there doing risk assessments for businesses has any of you done HIPAA assessments? How was the overall experience and the financial rewards in conducting these type of assessments and how do they compare with the other types of traditional risk assessments?

scasc · March 2020

I think generally in the US security compliance has a big part to play in how organisations deploy controls/conduct business etc. Whether its PCI/HITRUST/FISMAA etc. Not sure if HIPAA any different though I do know its a pretty big deal for health care firms. My brother in law in the US who works in healthcare always stating how critical it is for the industry etc. You will find essentially, all the regulations define control procedures/control objectives which pretty much are similar across the board. Its just the scope of focus - PCI = CC data, HIPAA = Healthcare data. Thus, I would have thought the process to do these are all similar

egrizzly · March 2020

SCASC thanks for participating. HIPAA security assessments deals more with privacy, electronic health records (EHR) and the people, process, and technology needed to maintain those records. Anyways, there's training on how to get these done through HHS.gov however they're not too clear to me so I thought to seek out any consultants that have done these assessments before.

scasc · March 2020

No worries. If you are interested in this area, maybe do a linked in search and find roles in your area and then train up. But compliance, in my experience, pretty much similar across the board -just looking at it from a different lens.

egrizzly · March 2020

My main job is in Incident Response as I work as a Senior Security Operations Center Analyst. However, that particular job has no autonomy as it's on the reactive side of things. HIPAA Compliance is on the proactive side of cybersecurity. I'm of course particularly drawn to it as I used to work in healthcare as a nurse.

Besides, if successful in starting the engagement I would be working as a direct vendor not as an employee, a setup which has its own share of financial rewards.

scasc · March 2020

Sounds good, check out the training and see if it is something that takes your fancy. Have you ever had a role in risk/compliance/audit? If not, bear in mind its not for everyone as a lot of people can find it boring as its not hands on. But you may enjoy it very much.

egrizzly · March 2020

I'm familiar with all the concepts and don't necessarily need to undertake additional training. At this point more of what I'm looking for is basically the actual checklists (some call it working papers) used on site when performing these HIPAA assessments.

To your question I've not conducted risk/compliance/audit professionally but I've been through all the CISA and CRISC training and believe I can handle it as I'm able to see the big picture the so called boring questions point to.

LonerVamp · March 2020

Unlike PCI DSS, I don't think HIPAA has a nice-to-reference list of things to compare against. Most firms, I think, sort of make that up as they go with particular care for where is the data, how is it handled, who can access it, who has accessed it, is there training, and can you prove all of this? For individual firms, those questions are sort of their private sauce.

Maybe the source would be a good place to start? https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/audit/protocol/index.html

egrizzly · March 2020

Thanks for the link @LonerVamp ...it's definitely a major leap in my quest to locate a checklist/working papers for conducting HIPAA compliance assessments. What about yourself...have you conducted assessments on the side before or are you 100% working for an employer?

HIPAA Assessments

Comments