HIPAA - What is HIPAA? Understanding Risk Maturity Standards

University of Nebraska Base Hospital No. 49 was mobilized in March 1918.

From the archives: World War I Physician - McGoogan News | McGoogan News | University of Nebraska Medical Center (unmc.edu)

Introduction

The Airius Risk Maturity Knowledgebase is intended to give you a snapshot of those things in the world affecting information risk for April 22th through April 28th, 2023.

HIPAA stands for Health Insurance Portability and Accountability Act of 1996. It is a federal law that sets standards for protecting the privacy and security of health information in the United States. HIPAA applies to covered entities and business associates that handle protected health information (PHI).

PHI is any information that can identify a person and relates to their health condition, health care services, or payment for health care. Examples of PHI include name, address, date of birth, medical records, diagnosis, treatment, insurance information, and billing information.

HIPAA compliance means following the rules and regulations of HIPAA to ensure the confidentiality, integrity, and availability of PHI. HIPAA compliance is important for both healthcare providers and patients because it:

What are the main components of HIPAA compliance?

HIPAA compliance consists of four main components:

The Privacy Rule

The Privacy Rule establishes the rights of patients to access and control their own PHI and the obligations of covered entities and business associates to protect the privacy of PHI. The Privacy Rule requires covered entities and business associates to:

The Security Rule

The Security Rule establishes the standards for protecting the security of PHI that is created, received, maintained, or transmitted electronically (e-PHI). The Security Rule requires covered entities and business associates to:

The Breach Notification Rule

The Breach Notification Rule requires covered entities and business associates to notify affected individuals, the Department of Health and Human Services (HHS), and in some cases the media in the event of a breach of unsecured PHI. A breach is defined as an impermissible use or disclosure of PHI that compromises its security or privacy. Unsecured PHI is PHI that is not rendered unusable, unreadable, or indecipherable to unauthorized persons through encryption or destruction.

The Breach Notification Rule requires covered entities and business associates to:

The notification must include:

The Enforcement Rule

The Enforcement Rule establishes the procedures and penalties for enforcing HIPAA compliance. The Enforcement Rule authorizes HHS to investigate complaints, conduct audits, and impose civil monetary penalties for violations of HIPAA. The Enforcement Rule also grants the authority to the Department of Justice to prosecute criminal cases for willful violations of HIPAA.

The Enforcement Rule provides for different levels of penalties based on the nature and extent of the violation and the degree of culpability of the violator. The penalties range from $100 to $50,000 per violation, with a maximum of $1.5 million per year for identical violations. In addition, criminal penalties can range from $50,000 to $250,000 in fines and from one to 10 years in prison.

Achieve Compliance Confidence

Book a Free Consultation to learn how our experts can help you navigate complex regulations.

Achieve Compliance Confidence

Book a Free Consultation to learn how our experts can help you navigate complex regulations.

How does HIPAA compliance demonstrate risk maturity?

HIPAA compliance demonstrates risk maturity by requiring organizations to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (e-PHI). This risk analysis is the first step in an organization’s Security Rule compliance efforts and is an ongoing process that should provide the organization with a detailed understanding of the risks to e-PHI.

HIPAA security compliance is not a point-in-time achievement, but rather a duty of care process that operates over time. To achieve ongoing due care, HIPAA risk management is applied. This involves monitoring and correcting security controls so they remain effective at reducing risk.

Is HIPAA aligned with recognized standards like the NIST CSF?

Yes, HIPAA is aligned with recognized standards like the NIST Cybersecurity Framework (CSF). The Office for Civil Rights (OCR) has released a crosswalk developed with the National Institute of Standards and Technology (NIST) and the Office of the National Coordinator for Health IT (ONC), that identifies “mappings” between the NIST Framework for Improving Critical Infrastructure Cybersecurity (the Cybersecurity Framework) and the HIPAA Security Rule.

Organizations that have already aligned their security programs to either the NIST Cybersecurity Framework or the HIPAA Security Rule may find this crosswalk helpful in identifying potential gaps in their programs. Taking specific action to address these gaps can bolster compliance with the Security Rule and improve an entity’s ability to secure ePHI from a broad range of threats.

What are some common risk management frameworks?

There are several common risk management frameworks that organizations use to manage and reduce cybersecurity risk. Some examples include:

These frameworks provide a structured approach to identifying, assessing, and managing risk across an organization.

What are some benefits of HIPAA compliance?

There are several benefits of HIPAA compliance for both healthcare organizations and patients. For healthcare organizations, HIPAA compliance can help to streamline administrative healthcare functions, improve efficiency in the healthcare industry, and ensure protected health information is shared securely. HIPAA compliance can also help to foster trust and loyalty with patients, increase profitability, and differentiate your business from others.

For patients, HIPAA compliance ensures that healthcare providers, health plans, healthcare clearinghouses, and business associates of HIPAA-covered entities must implement multiple safeguards to protect sensitive personal and health information. HIPAA gives patients control over who their information is released to and who it is shared with. It also allows patients to take a more active role in their healthcare by giving them the ability to obtain copies of their health information and check for errors.

What is the HIPAA Standard?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that required the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge. The US Department of Health and Human Services (HHS) issued the HIPAA Privacy Rule to implement the requirements of HIPAA. The HIPAA Security Rule protects a subset of information covered by the Privacy Rule.

The Privacy Rule standards address the use and disclosure of individuals’ health information (known as protected health information or PHI) by entities subject to the Privacy Rule. These individuals and organizations are called “covered entities.” The Privacy Rule also contains standards for individuals’ rights to understand and control how their health information is used. A major goal of the Privacy Rule is to make sure that individuals’ health information is properly protected while allowing the flow of health information needed to provide and promote high-quality healthcare, and to protect the public’s health and well-being.

What is HITECH

The Health Information Technology for Economic and Clinical Health (HITECH) Act was enacted as part of the American Recovery and Reinvestment Act of 2009. It was signed into law on February 17, 2009, to promote the adoption and meaningful use of health information technology. Subtitle D of the HITECH Act addresses the privacy and security concerns associated with the electronic transmission of health information, in part, through several provisions that strengthen the civil and criminal enforcement of the HIPAA rules.

HITECH incentivized the adoption and use of health information technology, enabled patients to take a proactive interest in their health, paved the way for the expansion of Health Information Exchanges, and strengthened the privacy and security provisions of HIPAA. HITECH strengthened HIPAA by extending the reach of the HIPAA Security Rule to Business Associates of Covered Entities, who also had to comply with certain Privacy Rule standards and the new Breach Notification Rule. Tougher penalties for HIPAA compliance failures were also introduced to add an extra incentive for healthcare organizations and their business associates to comply with the HIPAA Privacy and Security Rules.

What are the parts of the HIPAA standard?

The complete suite of HIPAA Administrative Simplification Regulations can be found at 45 CFR Part 160, Part 162, and Part 164, and includes:

1. Transactions and Code Set Standards

The HIPAA Transactions and Code Set Standards are rules to standardize the electronic exchange of patient-identifiable, health-related information. They require providers and health plans to use standard content, formats, and coding. The purpose of the standards is to simplify processes and decrease costs associated with payment for health care services. The standards apply to patient-identifiable health information transmitted electronically.

2. Identifier Standards

The HIPAA Identifier Standards require covered healthcare providers, health plans, and health care clearinghouses to use a ten-digit “National Provider Identifier” number for all administrative transactions under HIPAA, while covered employers must use the Employer Identification Number issued by the IRS.

3. Privacy Rule

The HIPAA Privacy Rule establishes national standards to protect individuals' medical records and other individually identifiable health information (collectively defined as “protected health information”) and applies to health plans, health care clearinghouses, and those health care providers that conduct certain health care transactions electronically. The Rule requires appropriate safeguards to protect the privacy of protected health information and sets limits and conditions on the uses and disclosures that may be made of such information without an individual’s authorization. The Rule also gives individuals rights over their protected health information, including rights to examine and obtain a copy of their health records, to direct a covered entity to transmit to a third party an electronic copy of their protected health information in an electronic health record, and to request corrections.

4. Security Rule

The HIPAA Security Rule establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and security of electronic protected health information¹.

5. Enforcement Rule

The HIPAA Enforcement Rule contains provisions relating to compliance and investigations, the imposition of civil money penalties for violations of the HIPAA Administrative Simplification Rules, and procedures for hearings. The HIPAA Enforcement Rule is codified at 45 CFR Part 160, Subparts C, D, and E.

6. Breach Notification Rule

The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.

______________________________________________________________________________________________________________

How does a company get HIPAA certified?

There is no official HIPAA certification process or accreditation recognized by the Department of Health and Human Services (HHS) or its Office for Civil Rights (OCR). However, some companies offer HIPAA certification programs that provide training on HIPAA regulations and assess an organization's compliance with the regulations. These programs can help organizations understand their obligations under HIPAA and demonstrate their commitment to protecting patient privacy and security.

How can you acheive HIPAA compliance?

HIPAA compliance is not a one-time event, but an ongoing process that requires constant vigilance and improvement. To achieve HIPAA compliance, you need to:

HIPAA compliance is not only a legal obligation, but also a best practice for ensuring the trust and satisfaction of your patients and customers. By following HIPAA compliance, you can demonstrate your commitment to protecting their health information and providing them with quality health care services.

Conclusion

HIPAA compliance is a complex and challenging topic that affects every aspect of health care delivery in the United States. It is essential for both health care providers and patients to understand what HIPAA compliance entails and why it matters. By complying with HIPAA, you can protect the privacy and security of health information, enhance the quality and efficiency of health care services, and reduce the risk of legal liability or reputational damage.

If you need help with achieving HIPAA compliance, you can contact us at info@airius.com.

We are a team of experts who can provide you with customized solutions and support for your HIPAA compliance needs. We can help you with:

Don’t wait until it’s too late. Contact us today and let us help you achieve HIPAA compliance with confidence and ease.

Regulatory compliance with Airius

In The News

Notable Mentions

We are amazed at the number of submissions we have gotten to date, but even more so, we are incredibly grateful to over 150 core contributors who have devoted their time and resources to helping us provide up-to-date information. Send your stories and announcements to knowledgebase@airius.com

The Risk Maturity Knowledgebase restarts an effort that we began in 2007. With hundreds of volunteers, interns and staff members at the time, along with over 60 weekly translations, our predecessor became the standard for GPL and open source security information.

The Risk Maturity Knowledgebase restarts an effort that we began in 2007. With hundreds of volunteers, interns and staff members at the time, along with over 60 weekly translations, our predecessor became the standard for GPL and open source security information. Can you translate the blog? Please reach out.

Ready to Help!

If we can help you with risk management, SOC reporting, an emergency or you just need guidance with INFOSEC, please reach out to us.

Coming Soon

License

References and Credits

Preserving Patient Privacy and HIPAA

Understanding HIPAA and its importance

In today's electronic age, the defense of delicate personal information has actually ended up being vital in the medical care market. In the Health Insurance Portability and Accountability Act (HIPAA), a thorough regulatory structure was developed to protect individual personal privacy as well as hold doctors liable for their information protection methods. At the core of HIPAA's demands exists the essential procedure of performing HIPAA risk assessments—an organized examination of prospective susceptibilities, risks, and threats to protected health information (PHI).

HIPAA, known as the Health Insurance Portability and Accountability Act, states rigorous standards to ensure the protection and personal privacy of individuals' protected health information. The main goals of these regulations are two-fold: initially, to safeguard personal information from unapproved accessibility, usage, or disclosure; and second, to develop responsibility amongst medical care entities for their compliance with the safety and personal privacy laws. Failing to follow HIPAA can cause serious repercussions consisting of substantial penalties and reputational damages, which might substantially influence the economic security as well as credibility of health care companies.

In addition, the climbing value of information and personal privacy in the electronic age includes seriousness about HIPAA compliance. With a growing variety of cyber hazards and information violations targeting doctors, the requirement for durable security measures cannot be overemphasized. The Department of Health and Human Services (HHS), via its Office for Civil Rights (OCR), is in charge of applying HIPAA compliance and also examining possible offenses.

To ensure compliance with HIPAA, covered entities and business associates are required to carry out a thorough risk assessment, also called a security risk assessment. This vital procedure includes determining prospective threats, examining their prospective effect on PHI, and executing ideal risk management approaches to alleviate susceptibilities properly.

In the upcoming areas of this blog, we will dive much deeper into the essential facets of HIPAA risk assessments, recognizing the risk assessment process and the function it plays in attaining and maintaining HIPAA compliance. We will discover exactly how companies can conduct risk assessments efficiently using the devices and sources offered for this function, as well as the assimilation of danger analysis searches into thorough risk management strategies. In addition, we will stress the relevance of HIPAA compliance policemen as well as skilled employees in promoting the risk assessment process, lining up security policies and procedures with HIPAA requirements, and preparing companies to react efficiently in instances of protection events or violations.

Questions about HIPAA compliance?

Achieving the discipline and dedication to be HIPAA compliant is a big deal. Maintaining that level of risk management is an even bigger deal.

Check out our blogs, learn more about the risk management process, or contact us today.

Navigating HIPAA Risk Assessments

A HIPAA risk assessment acts as a foundation in the pursuit of preserving the highest possible criteria for patient-data security while sticking to the rigorous policies stated by the Health Insurance Portability and Accountability Act (HIPAA). Comprehending the complexities of this vital procedure is critical for health care companies to protect protected health information (PHI) and ensure complete compliance with the HIPAA Security Rule as well as the Privacy Rule.

At its most fundamental level, a HIPAA risk assessment is a comprehensive evaluation that is designed to identify potential vulnerabilities, dangers, and threats that potentially compromise the privacy, integrity, and accessibility of protected health information (PHI). firms are able to acquire crucial insights about the current condition of their security measures as well as risk management strategies by doing such an evaluation. This provides the firms with the ability to take proactive actions to safeguard sensitive customer information.

Airius can guide you through a proper HIPAA Risk Assessment. While there is a free option, the paid version allows you to add your practice information, upload evidence, get professional assistance, get a score and analysis of your disclosure and schedule a followup.

The free version is linked above. The professional version is $1,899.

Recognizing Vulnerabilities, Threats, and Potential Impacts on Patient Data:

The first thing that has to be done is an in-depth review of the company's structure, operations, and techniques in order to locate any potential vulnerabilities. These may then be used to pinpoint potential dangers that could target protected health information (PHI) as well as potential fallout from a breach in information security.

Carrying Out a Risk Assessment

A Step-by-Step Guide approach is vital to ensuring an extensive and reputable danger evaluation. This includes comprehending the risk assessment process, consisting of the range, goals, and approach. In addition, including appropriate stakeholders such as IT workers, compliance police officers, and personal privacy police officers promotes cooperation and brings varied viewpoints right into the evaluation.

The Role of Technology in HIPAA Risk Assessments

Embracing modern technology is vital to enhancing the risk assessment process. Making use of specialized software programs and devices, plus automation, makes it possible for reliable analyses, information evaluation, and threat tracking. Innovation not only conserves time and resources but also boosts the precision and integrity of risk assessments.

Typical Challenges Faced During Risk Assessments, Coupled with Strategies to Overcome Them

Risk assessments can present difficulties, such as source restrictions, complicated IT facilities, and differing levels of compliance understanding amongst teams. Getting rid of these obstacles demands clear interaction, continuous education and learning, and durable risk management to resolve recognized dangers efficiently.

Compliance with HIPAA policies is critical to shielding individuals' private information and preserving the trust of both individuals and governing authorities. The Office for Civil Rights (OCR) within the Department of Health and Human Services (HHS) manages the enforcement of HIPAA compliance, and failing to conform can cause serious repercussions consisting of considerable penalties as well as reputational damages.

In the coming areas of this blog, we will look into the subtleties of carrying out a HIPAA risk assessment. We will check out the ideal methods, approaches, and threat analysis devices utilized to recognize prospective dangers as well as susceptibilities. Moreover, we will certainly resolve the significance of risk analysis as well as risk management as critical elements of the analysis procedure.

Achieve Compliance Confidence

Book a Free Consultation to learn how our experts can help you navigate complex regulations.

Achieve Compliance Confidence

Book a Free Consultation to learn how our experts can help you navigate complex regulations.

Achieving and Maintaining HIPAA Compliance

While carrying out a HIPAA risk assessment is an essential action in the direction of information defense, accomplishing it coupled with preserving compliance surpasses recognizing dangers. Executing durable safeguards based on threat evaluation is the next important phase in strengthening data security. By attending to susceptibilities and boosting information security actions, medical care companies can proactively reduce possible dangers.

Train the Employees

To make certain all employees are educated and compliant with HIPAA laws, personnel training coupled with an understanding of campaigns is crucial. Health care entities should invest in continual education and learning, together with training programs, to keep personnel updated on current security measures as well as personal privacy methods. Effectively educated workers are the initial line of protection against information violations and human mistakes that might endanger personal details.

Regular Evaluations

Regular evaluations and updates are just as essential in the search for HIPAA compliance. Risk assessments ought not to be dealt with as a single task but rather as a recurring procedure. As the health care landscape advances, so do hazards and modern technologies. Consistently reviewing risk assessments enables companies to adjust and also react efficiently to brand-new difficulties, making sure that their information security methods continue to be current and durable.

Create a Case Reaction Strategy

Regardless of just how prepared a company is, protection occurrences as well as violations might still happen. Creating a distinct case reaction strategy is important to lessen the effect of such occasions. A clear plus combined with feedback can help reduce possible problems, determine the source of occurrences, and assist in the reconstruction of solutions as well as information stability.

Third Party Vendors

The duty of third-party suppliers and service affiliates to comply with HIPAA cannot be taken too lightly. Medical care companies typically rely on third-party suppliers for different solutions, and guaranteeing information safety throughout the supply chain is essential. Overseas entities have to function carefully with their company links to develop detailed information defense arrangements coupled with normal analyses to keep track of compliance.

Achieving and preserving HIPAA compliance calls for a complex method that incorporates risk assessments, the application of safeguards, personnel training, continuous evaluations, and durable event feedback preparation. By adhering to the finest techniques as well as remaining aggressive in their compliance initiatives, health care companies can construct a solid structure for securing delicate client details. Compliance with HIPAA is not simply a lawful demand but additionally an ethical responsibility to protect individual personal privacy and also preserve the trust fund of those looking for treatment. As modern technology and medical care techniques continue to develop, adherence to HIPAA's laws continues to be an important foundation for a safe and credible health care environment.

Now you know, What's next?

In a healthcare landscape increasingly dependent on electronic systems and data exchange, the value of HIPAA risk assessments cannot be overemphasized. These evaluations work as a critical column in guarding individual personal privacy and ensuring compliance with the Health Insurance Portability and Accountability Act (HIPAA). By carrying out thorough risk evaluations, medical care companies can determine possible susceptibilities and risks, permitting them to execute efficient risk management techniques to safeguard people's delicate details.

Taking a positive approach to HIPAA compliance is extremely important in dealing with possible threats before they intensify into information violations or infractions. By consistently carrying out risk assessments, companies can remain one action ahead of arising risks and susceptibilities, guaranteeing their security measures will continue to be durable. Compliance with HIPAA is not just a legal commitment; it is also an ethical task to maintain a person's trust fund as well as privacy.

Urging health care companies to check out risk assessments as a continuous method is vital for adjusting to the ever-evolving landscape of hazards as well as innovations. As the health care sector continues to incorporate sophisticated innovations, the danger landscape advances appropriately. By keeping a constant cycle of risk assessments, companies can quickly recognize and attend to brand-new threats, boosting their information security techniques and minimizing the chance of future events.

HIPAA risk assessments play a crucial role in safeguarding individual information as well as preserving regulatory compliance. An aggressive approach coupled with a constant strategy to take the chance of analysis equips health care entities to shield the personal privacy of protected health information (PHI) properly. As modern technology continues to develop and brand-new hazards arise, focusing on risk assessments ends up being vital for the continued honesty and reliability of the health care community. By sticking to HIPAA requirements and welcoming risk assessments as an indispensable component of their procedures, medical care companies can strengthen their security measures, show a dedication to people's personal privacy, and also browse the complicated globe of medical care information defense with self-confidence.

Questions about HIPAA compliance?

Achieving the discipline and dedication to be HIPAA compliant is a big deal. Maintaining that level of risk management is an even bigger deal.

Check out our blogs, learn more about the risk management process, or contact us today.

Notable Mentions

We are amazed at the number of submissions we have gotten to date, but even more so, we are incredibly grateful to over 150 core contributors who have devoted their time and resources to helping us provide up-to-date information. Send your stories and announcements to knowledgebase@airius.com

The Risk Maturity Knowledgebase restarts an effort that we began in 2007. With hundreds of volunteers, interns and staff members at the time, along with over 60 weekly translations, our predecessor became the standard for GPL and open source security information.

The Risk Maturity Knowledgebase restarts an effort that we began in 2007. With hundreds of volunteers, interns and staff members at the time, along with over 60 weekly translations, our predecessor became the standard for GPL and open source security information. Can you translate the blog? Please reach out.

Ready to Help!

If we can help you with risk management, HIPAA compliance, an emergency or you just need guidance with INFOSEC or IP issues, please reach out to us.

License

References and Credits

Free SRA Toolkit - Easy to use!

Introduction

The Airius Risk Maturity Knowledgebase is intended to give you a snapshot of those things in the world affecting information risk for April 29th through May 5th, 2023.

From HealthIT . . .

The Office of the National Coordinator for Health Information Technology (ONC), in collaboration with the HHS Office for Civil Rights (OCR), developed a downloadable Security Risk Assessment (SRA) Tool to help guide you through the process. The tool is designed to help healthcare providers conduct a security risk assessment as required by the HIPAA Security Rule and the Centers for Medicare and Medicaid Service (CMS) Electronic Health Record (EHR) Incentive Program. The target audience of this tool is medium and small providers; thus, use of this tool may not be appropriate for larger organizations.

What is wrong with the Security Risk Assessment /SRA Toolkit?

HHS offers a tool "SRA TOOL" (Security Risk Assessment Tool | HealthIT.gov). It is a way to guide senior management within medical practices to act more responsibly with risk.

Windows ONLY

The problem is that it is only available for Windows. It is built in JAVA and could run anywhere. The packager makes it an MSI, and only that is proprietary.

Free, like the trojan horse

There are no license restrictions at all, so it is potentially public domain. The big problem is that it is closed. The source code is not shared. The design documents are not available for review. For the SRA tool to run, it needs to be installed on a Windows computer and used by someone that has access to lots of risk information regarding a healthcare practice. A free software application without any information regarding its constituent parts, how it operates and what the license obligations are can impose unanticipated risks on a practice risk manager.

A covered entity is fully responsible for ALL of the ePHI that is created and managed. As a result, vendor risk, and risk imposed through third party applications, solutions, software and hardware, needs to be carefully assessed.

This is a five year old project, built using Open Source JAVA packages, but with license information hidden.

The problem is that it is only available for Windows. It is built in JAVA and could run anywhere. The packager makes it an MSI, and only that is proprietary.

Disassembling the SRA tool

  1. Download the MSI file
  2. lessmsi-v1.10.0 to open the MSI file.
  3. Write the compiled code to a file. Now it will run as JAVA on Chromebook and MacOS.
  4. jd-gui-windows-1.6.6 to decompile the JAVA jars into sources.

Now we scan the code

Our team used Checkmarx to FINALLY do the one thing that has not been done in 5 years. Scan what is in this code.

.

Bill of Materials

Our friends at Revenera helped us to assess the extracted source code further.
They found 50 Open sourced projects with licenses including GPL2, Apache, BSD, MIT and more. The source is currently not available, there is no published license information and there is no third party attribution required by the licenses.

What does this mean?

The SRA Toolkit was built using a number of open sourced frameworks.

  1. License obligations - copyleft licenses, commonly like GPLv2, require attribution and source code to be distributed with the completed packages
  2. Vulnerabilities - installing this package does not include automatic vulnerability management. Nearly 30 vulnerabilities, including 8 severe ones, were found within the current release of the SRA Toolkit.
  3. Obfuscation - the package was intentionally modified to hide the sources, not include the attribution statements, not include the source, and hide exactly what is being used as part of this SRA Toolkit.
  4. Violation of security rule - it is impossible for a Covered Entity to determine the appropriate risk associated with this tool and its potential exposure to ePHI and critical risk management data.
  5. Supply Chain Integrity - users of this SRA Toolkit have no assurance regarding the provenance of the code that makes this tool. The analysis herein confirms that any trust in this tool would be misplaced, since it represents a number of severe operational risks.

What is an alternative to the JAVA SRA?

We built the Security Risk Assessment Toolkit online.

  1. Click Here >>> Free Risk Assessment <<<
  2. Up to 153 questions, 7 sections, like the JAVA SRA Toolkit
  3. Airius site is built around WordPress
  4. It is hosted through GoDaddy
  5. The Toolkit is built using Formidable Forms, a licensed plugin for WordPress
  6. Attribution is given to Health and Human Services throughout the Assessment
  7. The code is PHP, Javascript and Cascading style sheets. The code is not obfuscated, most of it can be reviewed by viewing page source, but we can do a private session and show any code that generates a page
  8. The SRA Toolkit generates graphs upon completion and a certificate. This has a score, a data and a list of all evidence provided
  9. We are available to assist at any time, but the basic SRA Toolkit is free

Conclusion

While it is admirable that the HHS and the ONC combined to make HIPAA compliance tools available, it is a shame that their effort was ill advised and potentially introduces significant risk to a user.

Our research used a number of tools:

  1. Checkmarx - We are Certified Sales Partners, Partner Engineers and Professional Service Engineers
  2. Revenera - (Formerly Palamida). They specialize in solutions that help companies understand what’s in the code they use and identifying security and license compliance issues.

The commercial and open sourced tools took a great deal of expertise to operate. This project took six weeks and involved ten engineers at three different companies. All of the commercial tools were properly licensed, and the realistic cost for this project would quickly exceed $70,000.

If you need help with achieving HIPAA compliance, you can contact us at info@airius.com.

We are a team of experts who can provide you with customized solutions and support for your HIPAA compliance needs. We can help you with:

Don’t wait until it’s too late. Contact us today and let us help you achieve HIPAA compliance with confidence and ease.

Regulatory compliance with Airius

Notable Mentions

We are amazed at the number of submissions we have gotten to date, but even more so, we are incredibly grateful to over 150 core contributors who have devoted their time and resources to helping us provide up-to-date information. Send your stories and announcements to knowledgebase@airius.com

The Risk Maturity Knowledgebase restarts an effort that we began in 2007. With hundreds of volunteers, interns and staff members at the time, along with over 60 weekly translations, our predecessor became the standard for GPL and open source security information.

The Risk Maturity Knowledgebase restarts an effort that we began in 2007. With hundreds of volunteers, interns and staff members at the time, along with over 60 weekly translations, our predecessor became the standard for GPL and open source security information. Can you translate the blog? Please reach out.

Ready to Help!

If we can help you with risk management, SOC reporting, an emergency or you just need guidance with INFOSEC, please reach out to us.

License

More Info

References and Credits