HIPAA-Watch for Security Speeds Up Compliance Part Two: Phase III and IV, and Product and User Recommendations


The HIPAA-Watch for Security tool was developed by RiskWatch, a company founded in Maryland (US) in 1993. The tool is designed to guide companies through a US risk analysis toward eventual US regulatory compliance. Its risk analysis engine is embedded in the product and consists of four phases. Phase I assists users with establishing compliance case boundaries; in Phase II, values are defined, audit questions are created, and respondents are determined in order to formulate boundaries. Phases III and IV pertain to evaluation and reporting.

This is Part Two of a two-part note.

Part One provided the vendor background and described Phase I and II of the HIPAA-Watch for Security tool.

Part Two will detail Phase III and IV, and will offer product suggestions and user recommendations.

Phase III and IV: Evaluation and Reporting

Phase III launches the risk analysis engine and performs the evaluation. Clearly, preparing for the evaluation is far more time consuming than running the evaluation engine. Before you actually run the evaluation, however, HIPAA-Watch allows you to review the links created between Asset Categories and Loss Categories. If you need to change the default recommendations for these links, the change is simple: you uncheck the assets that are not prone to the type of loss indicated. For example, supplies and consumables are likely not prone to data disclosure and therefore should not be linked to it. Figure 4 illustrates how Assets are linked to Losses.

Figure 4. Linking Assets with Losses

In Phase III, you decide which calculations you want to compute based on the relationships of the threats, assets, vulnerabilities, and seriousness of potential incidents.

Phase IV generates a final report with a variety of optional sections. The options include

  • an executive summary
  • recommendations for resolving vulnerabilities
  • a full asset report
  • a summary by asset report
  • a full threat report
  • a summary by threat report
  • a full vulnerability report
  • a vulnerability distribution report
  • a full safeguard report
  • a cost benefit report
  • a safeguard threat report
  • an audit trail question report
  • an audit trail respondent report

The reports generate color pie charts and bar charts and can be saved in either rich text format or Microsoft Word format. While the reports are verbose in their recommendations, most organizations will want to apply some edits to customize them further.

Suggestions for Product Improvement

Relevant Technologies would like to see the aesthetics of the user interface improved in HIPAA-Watch for Security. The engineering of the tool is so sophisticated that this product deserves a user interface with cutting-edge aesthetics and a vanguard look. While the existing graphic design and reporting engine is adequate, it could evolve into a market sensation if the developers enlisted the help of a top-notch design artist. Relevant Technologies believes that software is art, and when a product excels, we expect the look and feel of it to excel also. The look and feel of HIPAA-Watch for Security is basic and, for that reason, using it may not elicit as many "oohs and aahs" as it might otherwise receive given its capabilities.

Relevant Technologies would prefer to see the survey questions worded in the form of a true interrogative sentence instead of a statement with a question mark at the end. For example, instead of "Access to system log data is restricted to approved personnel?", we would prefer the question to be worded, "Is access to system log data restricted to approved personnel?" However, it's fair to say that the survey questions that exist are certainly on topic and apropos to a HIPAA audit.

Since LAFE (local annual frequency estimate) values vary according to geographic location, Relevant Technologies would like to see this feature automated so that when you enter your organization's zip code, the LAFE values are adjusted automatically. For example, if your organization is in Omaha, Nebraska (US), you would have a much higher likelihood of tornadoes than if your organization is in Portland, Maine (US). Today HIPAA-Watch for Security allows you to adjust these values manually; however, this presumes that you know what the adjustment should be, and it may take you some time to look it up.

Recommendations for Users

HIPAA-Watch for Security works as advertised and has all the appropriate features that experts in risk analysis expect to see. Its ability to make appropriate calculations from which quantitative risk-based decisions can be made is first-rate. The automated reports that it generates will be useful for chief financial officers, chief information officers, and chief security and privacy officers. Since HIPAA-Watch for Security has the ability to accommodate multiple respondents who can log in to the system from different locations, it can be particularly useful for large, disparate organizations. By using HIPAA-Watch for Security, it is possible to understand which safeguards will give you the greatest return on investment, ranking them from highest to lowest. If you are ready to tackle a HIPAA compliance risk analysis and don't know where to start, using HIPAA-Watch for Security will likely speed up your ability to comply with the CFRs.

Aside from helping your organization comply with the Final Security Rule, HIPAA-Watch can help your organization make better business decisions by making recommendations on how cost effective it is to apply particular safeguards. To take advantage of the sophisticated business decision recommendations, users of HIPAA-Watch may want to educate themselves on basic quantitative risk analysis equations including how to calculate annualized loss expectancy (ALE), single loss expectancy (SLE), annualized rate of occurrence (ARO), and exposure factor (EF). The information HIPAA-Watch generates can also be used to populate a Disaster Recovery planning exercise.
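To make the quantitative equations named above concrete, here is an added worked example in Python. It is not RiskWatch or HIPAA-Watch code: every asset value, exposure factor, annual rate of occurrence and safeguard cost is a constructed sample figure, and the safeguard ranking uses the textbook net-benefit test (ALE before, minus ALE after, minus annual cost), which is an assumption about how to rank return on investment rather than a description of the product's own cost-benefit report. The link check in `single_loss_expectancy` mirrors the asset-to-loss linking described under Phase III, where an asset category unchecked for a loss type (supplies and consumables versus disclosure, in the article's example) contributes nothing to that loss calculation.

```python
"""Quantitative risk-analysis arithmetic: SLE, ALE and safeguard cost-benefit.

Added illustration, not RiskWatch or HIPAA-Watch code. Every asset value,
exposure factor (EF), annualized rate of occurrence (ARO) and safeguard cost
below is a constructed sample figure, and the safeguard ranking uses the
textbook net-benefit test (ALE before - ALE after - annual cost), which is an
assumption, not a description of HIPAA-Watch's own cost-benefit report.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Asset:
    name: str
    value: float            # asset value (AV) in currency units
    loss_types: frozenset   # loss categories this asset category is linked to


@dataclass(frozen=True)
class Threat:
    name: str
    loss_type: str          # loss category this threat produces
    aro: float              # annualized rate of occurrence (events per year)
    ef: float               # exposure factor: fraction of AV lost per event


@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float      # annualized cost of the safeguard
    aro_reduction: float    # fraction by which ARO drops for covered threats
    threats: frozenset      # names of the threats the safeguard addresses


def single_loss_expectancy(asset: Asset, threat: Threat) -> float:
    """SLE = AV x EF; 0 when the asset is not linked to the threat's loss
    category (the same effect as unchecking an asset/loss link in Phase III)."""
    if threat.loss_type not in asset.loss_types:
        return 0.0
    return asset.value * threat.ef


def annualized_loss_expectancy(asset: Asset, threat: Threat) -> float:
    """ALE = SLE x ARO."""
    return single_loss_expectancy(asset, threat) * threat.aro


def total_ale(assets, threats, aro_scale=None) -> float:
    """Sum ALE over every asset/threat pair, optionally scaling some threats'
    ARO (aro_scale maps threat name -> multiplier, used to model a safeguard)."""
    aro_scale = aro_scale or {}
    total = 0.0
    for threat in threats:
        scaled = replace(threat, aro=threat.aro * aro_scale.get(threat.name, 1.0))
        total += sum(annualized_loss_expectancy(a, scaled) for a in assets)
    return total


def rank_safeguards(assets, threats, safeguards):
    """Return [(safeguard name, net annual benefit)] ranked highest first.
    Net benefit = ALE_before - ALE_after - annual safeguard cost; a negative
    value means the safeguard costs more per year than the loss it prevents."""
    before = total_ale(assets, threats)
    ranked = []
    for sg in safeguards:
        scale = {name: 1.0 - sg.aro_reduction for name in sg.threats}
        after = total_ale(assets, threats, scale)
        ranked.append((sg.name, round(before - after - sg.annual_cost, 2)))
    return sorted(ranked, key=lambda item: item[1], reverse=True)


# Constructed sample data. Supplies are deliberately not linked to
# "disclosure", mirroring the example given under Phase III.
ASSETS = [
    Asset("Patient records server", 200_000.0, frozenset({"disclosure", "destruction"})),
    Asset("Supplies and consumables", 20_000.0, frozenset({"destruction"})),
]
THREATS = [
    Threat("Unauthorized access", "disclosure", aro=0.5, ef=0.25),
    Threat("Fire", "destruction", aro=0.05, ef=0.8),
]
SAFEGUARDS = [
    Safeguard("Access control and logging", 6_000.0, 0.8, frozenset({"Unauthorized access"})),
    Safeguard("Fire suppression", 4_000.0, 0.5, frozenset({"Fire"})),
    Safeguard("Armed guards", 20_000.0, 0.3, frozenset({"Unauthorized access"})),
]

if __name__ == "__main__":
    print(f"Total ALE before safeguards: {total_ale(ASSETS, THREATS):,.2f}")
    for name, benefit in rank_safeguards(ASSETS, THREATS, SAFEGUARDS):
        print(f"{name:28s} net annual benefit {benefit:>12,.2f}")
```

With the sample figures, the records server alone carries an ALE of 25,000 from unauthorized access (SLE 50,000 at an ARO of 0.5), and the ranking shows why a cheap control with a large effect on a high-ALE threat outranks an expensive one with a small effect: the third safeguard comes out with a negative net benefit, which is exactly the kind of result a chief financial officer wants to see before approving spend.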

An auxiliary addition to HIPAA-Watch is a bonus CD that includes a data collection kit with forms, PowerPoint presentations, and various shortcuts and tips that will make the analyst's job easier. A complete risk analysis project plan is included in both Microsoft Project and Excel formats for reference purposes.

Consultancies that specialize in assisting healthcare organizations on the road to HIPAA compliance may want to consider using HIPAA-Watch for Security as a tool for standardizing their service offering. Since the audit questions can be refined and added to, it is possible to build up comprehensive question libraries that can be used with different types of covered entities. The different types of covered entities that can take advantage of HIPAA-Watch for Security include

  • health care providers
  • health care plans
  • health care clearinghouses

Health care providers include hospitals, doctors, clinics, pharmacists, and mental health care specialists. Health care plans include insurance companies, health maintenance organizations (HMOs), Medicare plans, Medicaid plans, veterans' health care programs, and Indian Health Service programs. Health care clearinghouses include organizations that process or facilitate the billing or transmittal of electronic health information for other covered entities, such as community or local health information systems.

Conducting a risk analysis manually is not an intuitive process and use of HIPAA-Watch for Security will be a definite timesaver for any organization that wants to conduct a true risk analysis. A two-day training class is available every month at RiskWatch's headquarters in Annapolis (US).

A feature that Relevant Technologies found to be particularly notable was the ability to actually see the HIPAA Final Security Rule, which is expressed as a control standard. This feature enables organizations to actually understand why they need to pay attention to a particular security policy and whether or not it is considered a required or addressable CFR. While Required CFRs are mandatory, addressable CFRs are optional.

Relevant Technologies spent a considerable amount of time researching possible market competitors and was not able to find any other HIPAA security compliance products that appeared competitive with HIPAA-Watch for Security. However, since the market for HIPAA compliance products is still young, Relevant Technologies expects new competing products to emerge within the coming year.

US federal agencies will like that the safeguards list includes the deliverables that are typically required to pass a FISMA-based security certification and accreditation audit. Federal agencies that already have a Certification and Accreditation (C&A) package can apply these C&A reports to their HIPAA risk analysis and reuse much of the pre-existing information.

This concludes Part Two of a two-part note.

Part One provided the vendor background and described Phase I and II of the HIPAA-Watch for Security tool.

Part Two detailed Phase III and IV and also offered product suggestions and user recommendations.



About the Author

Laura Taylor is the President and CEO of Relevant Technologies (http://www.relevanttechnologies.com), a leading provider of original information security content, research advisory services, and best practice IT management consulting services.

Copyright 2004, Relevant Technologies, Inc. All rights reserved.
