Derive for HIPAA

Use Derive as your risk quantifier to build and maintain a sustainable, HIPAA-compliant risk management program, and then actually use it to support decision making and justify cybersecurity spend.

HIPAA Requires…

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires routine security risk assessments and an overarching risk management process.

The United States Department of Health and Human Services (HHS), which maintains the HIPAA Security Rule, states that “conducting a risk analysis is the first step in identifying and implementing safeguards that comply with and carry out the standards and implementation specifications in the Security Rule.”

HHS also calls for risk analysis to be an ongoing process, as opposed to the one-off, occasional assessments that are common under other regulations: security measures must be reviewed and modified as needed, and the supporting documentation must be updated in response to environmental or operational changes (see 45 C.F.R. §§ 164.306(e) and 164.316(b)(2)(iii)).

CMS Incentives Programs

The Centers for Medicare and Medicaid Services (CMS) established Medicare and Medicaid Electronic Health Record (EHR) Incentive Programs to encourage eligible professionals (EPs), eligible hospitals, and critical access hospitals (CAHs) to adopt, implement, upgrade, and demonstrate meaningful use of certified electronic health record technology (CEHRT).

Organizations pursuing incentive programs such as Meaningful Use must comply with HIPAA and perform or review their security risk analysis at least annually.

Derive Delivers…

Navigating HIPAA, let alone cybersecurity, can be daunting, and that is precisely why the Security Rule centers on risk assessment and risk management. Deciding what is “reasonable and appropriate”, what counts as “satisfactory assurance”, how to handle an “addressable” implementation specification, or whether an incident is a “reportable breach” all comes down to risk assessment.

Derive is an intuitive, browser-accessible tool that guides you through the steps of a HIPAA-compliant security risk analysis (SRA) and risk management process.

  1. Define the scope of your organization.

  2. Generate risk scenarios or import your own.

  3. Assign probability and impact ranges to your scenarios.

  4. Propose security controls to reduce probability, impact, and uncertainty.

  5. Explore which combinations of controls reduce risk the most at the lowest cost.

  6. Export a customizable, HIPAA-compliant Security Risk Analysis report (.docx).

  7. Track management responses and remediation efforts.
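To make steps 3 to 5 concrete, here is an added worked example. It is not Derive's code and not a description of Derive's algorithm; it illustrates the general approach of quantifying risk from probability and impact ranges rather than point scores: a small Monte Carlo model samples annual loss per scenario from triangular (min, most likely, max) ranges, applies controls as multiplicative reductions to probability or impact, and then ranks every affordable combination of controls by expected loss plus control cost. Every scenario, control, cost and effect factor below is constructed and hypothetical, and the model does not attempt to represent the reduction of uncertainty that a control or better data might also provide.

```python
"""Monte Carlo risk quantification over probability and impact ranges.

Added illustration, not Derive's code or method. All scenario ranges, controls,
costs and effect factors are constructed for this example and are hypothetical.
"""
import random
from dataclasses import dataclass
from itertools import combinations
from math import prod


@dataclass(frozen=True)
class Scenario:
    name: str
    prob: tuple    # (min, most likely, max) probability the event occurs in a year
    impact: tuple  # (min, most likely, max) loss in dollars if it occurs


@dataclass(frozen=True)
class Control:
    name: str
    annual_cost: float
    prob_factor: float      # multiplies event probability (1.0 = no effect)
    impact_factor: float    # multiplies loss magnitude (1.0 = no effect)
    applies_to: frozenset   # names of scenarios this control affects


# Constructed, hypothetical risk scenarios (step 2/3).
SCENARIOS = [
    Scenario("Lost unencrypted laptop with ePHI", (0.10, 0.25, 0.50), (50_000, 200_000, 800_000)),
    Scenario("Ransomware outage of the EHR", (0.02, 0.05, 0.15), (300_000, 1_000_000, 4_000_000)),
]

# Constructed, hypothetical candidate controls with assumed costs and effects (step 4).
CONTROLS = [
    Control("Full-disk encryption on endpoints", 20_000, 1.0, 0.10,
            frozenset({"Lost unencrypted laptop with ePHI"})),
    Control("Tested offline backups", 40_000, 1.0, 0.35,
            frozenset({"Ransomware outage of the EHR"})),
    Control("Phishing-resistant MFA", 60_000, 0.50, 1.0,
            frozenset(s.name for s in SCENARIOS)),
    Control("Cyber insurance rider", 150_000, 1.0, 0.90,
            frozenset(s.name for s in SCENARIOS)),
]


def sample_tri(rng, rng3):
    """Draw from a triangular distribution given as (min, most likely, max)."""
    low, mode, high = rng3
    return rng.triangular(low, high, mode)


def multipliers(scenario, controls):
    """Combined (probability, impact) multipliers of the controls that apply to a scenario."""
    applicable = [c for c in controls if scenario.name in c.applies_to]
    return (prod(c.prob_factor for c in applicable),
            prod(c.impact_factor for c in applicable))


def simulate(scenarios, controls, trials=10_000, seed=7):
    """Return one simulated total annual loss per trial across all scenarios."""
    rng = random.Random(seed)  # fixed seed so runs are reproducible
    mults = {s.name: multipliers(s, controls) for s in scenarios}
    totals = []
    for _ in range(trials):
        year_loss = 0.0
        for s in scenarios:
            p_mult, i_mult = mults[s.name]
            p = min(1.0, sample_tri(rng, s.prob) * p_mult)
            if rng.random() < p:                      # did the event happen this year?
                year_loss += sample_tri(rng, s.impact) * i_mult
        totals.append(year_loss)
    return totals


def percentile(values, q):
    """Nearest-rank percentile (q in [0, 1]) of a list of numbers."""
    ordered = sorted(values)
    idx = round(q * (len(ordered) - 1))
    return ordered[min(len(ordered) - 1, max(0, idx))]


def summarize(losses):
    return {"expected": sum(losses) / len(losses),
            "p90": percentile(losses, 0.90),
            "p95": percentile(losses, 0.95)}


def rank_portfolios(scenarios, controls, budget, trials=5_000, seed=7):
    """Evaluate every affordable subset of controls (step 5) and rank by
    expected annual loss plus control cost, lowest first."""
    results = []
    for k in range(len(controls) + 1):
        for subset in combinations(controls, k):
            cost = sum(c.annual_cost for c in subset)
            if cost > budget:
                continue
            stats = summarize(simulate(scenarios, subset, trials, seed))
            results.append({"controls": [c.name for c in subset], "cost": cost,
                            "expected_loss": stats["expected"], "p90": stats["p90"],
                            "total": cost + stats["expected"]})
    return sorted(results, key=lambda r: r["total"])


if __name__ == "__main__":
    for row in rank_portfolios(SCENARIOS, CONTROLS, budget=100_000)[:5]:
        print(f"${row['total']:>10,.0f} total  ${row['cost']:>8,.0f} cost  "
              f"${row['expected_loss']:>10,.0f} expected loss  {row['controls']}")
```

The ranking key (expected loss plus cost) is the simplest defensible one; a practitioner will usually also look at the p90/p95 columns, because a control that barely moves the mean can still shrink the tail that a breach notification or outage would actually land in.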