A prioritized approach to the Security Rule.

Brand Barney, HCISPP, CISSP
By: Brand Barney
To view this post in its original format, watch the How to Prioritize HIPAA Compliance webinar.

In part 1 of this series, I discussed the importance of starting with a Risk Analysis as the first step in this 3-step prioritized approach to the Security Rule.
Now, let’s jump into the fun part: how are we going to deal with all the risks and vulnerabilities that we just found?


How to craft a Risk Management Plan

After you have analyzed your risk, you need to come up with a plan to become HIPAA compliant. You can do this on your own, or receive help from a security auditor (like me!) who is trained to craft the most straightforward and effective plan. A road map!


Your Risk Management Plan needs extensive documentation showing that you take sufficient security measures to reduce the risks and vulnerabilities you found. Be sure to include the following:
  • Action items for every risk
  • Milestones established to demonstrate your progress
  • Completion dates for everything
  • Daily/weekly progress (even up to monthly, depending on the risk)
You need to implement a risk strategy for every risk you identified in your Risk Analysis.

Your risk strategy

There are several different risk strategies you can apply to each risk:
  • Accept risk: you don’t necessarily need to address every risk at once. Some risks can be accepted, especially lower ones, as long as that decision is documented.
  • Share risk: you might consider sharing some of the risk, similar to an insurance company sharing some of your risk.
  • Remove risk: many choose to reduce most of their risk by resolving or removing it. You might even consider getting rid of a risk altogether. For example, you can retire Windows XP machines, which have not been supported for more than a year now, or Windows Server 2003, since Microsoft is ending support on July 14th 2015. Many organizations are choosing to migrate to a newer server operating system and remove that risk entirely.
You also need to document milestones, specifically your goals and achievements. What were your goals, and when did you want to complete them? When did you actually achieve them?

Who affects your risk?

While planning for the future, it’s important to note the parties who have impacted, and will continue to impact, your risk. Identifying and mitigating the risks associated with these groups will increase your security immensely.


Employees

Oftentimes, employees are not trying to be malicious (though it does occur). In many cases, employee actions that put your security at risk are unintentional, well meaning, or negligent. These employees often do not know they have caused a security breach.

Put controls in place so your employees aren’t able to harm your data, systems, and business. For example:
  • Enable screensavers with automatic lockouts, and require a password after the time-out, to protect PHI on computers.
  • Don’t allow employees to share usernames or passwords. Instead, each employee should have their own HIPAA compliant password.
  • Establish systems to distinguish visitors from onsite personnel, even if you are part of a small organization.
  • Train your staff about phishing tactics.
  • Train your staff on social engineering.

Business associates

Ponemon Institute’s 2014 study shows only 30% of covered entities felt confident that their business associates were properly handling their PHI, which is a staggering statistic considering how important your business associates can be to your security. As that statistic shows, your business associates present some of the greatest risks to you. They are definitely not all bad, but once you share data with them, you no longer have a way to control and safeguard that data yourself.

According to the 2013 HIPAA Omnibus Rule, you need to have, and keep updated, Business Associate Agreements (BAAs). You should also review all your vendors before contracting with them. A BAA does not relieve you of your liability and responsibility for HIPAA compliance.

IT staff

Your IT guy is probably great and does many things for your organization, but he might not be trained in security. IT professionals each have a different set of skills, just as an anesthesiologist and a cardiologist have different specialties.

As a result, your systems may not be properly implemented, especially your firewall and remote access system. Usually, firewalls are configured to let the devices in your environment communicate with each other, but some are configured to allow traffic in and out of your system that probably shouldn’t be allowed. Remote access systems are often set up incorrectly. Make sure your remote access is set up with two-factor authentication.

I would suggest you check that your IT staff is updating your systems and applications regularly, especially the following:


HIPAA compliance doesn’t have to be unmanageable. Break it up into manageable pieces. Start with small changes, such as designating a privacy and security officer, beginning your risk analysis, and outlining your specific plans for data security at your organization.

If you’re still overwhelmed, talk to a company like SecurityMetrics, who can assist you in a guided HIPAA compliance process.

Remember, your security matters.

Brand Barney (CISSP, HCISPP, QSA) is a Security Analyst at SecurityMetrics, has over 10 years of data security experience, and will totally geek out if you mention Doctor Who. Brand loves to play jazz piano and daydreams about being as great as Dave Brubeck or Thelonious Monk. Connect with him on Twitter or check out his other blog posts.
