HIPAA-Watch for Security Speeds Up Compliance
Author - Laura Taylor
August 28, 2004
Part Two: Phase III and IV, and Product and User Recommendations
The HIPAA-Watch for Security tool was developed by RiskWatch, a company founded in Maryland (US) in 1993. The tool is designed to guide companies through a US risk analysis toward eventual US regulatory compliance. Its risk analysis engine is embedded in the product and consists of four phases. Phase I assists users with establishing compliance case boundaries; in Phase II, values are defined, audit questions are created, and respondents are determined in order to formulate those boundaries. Phases III and IV pertain to evaluation and reporting.
This is Part Two of a two-part note. Part One provided the vendor background and described Phase I and II of the HIPAA-Watch for Security tool. Part Two details Phase III and IV, and offers product suggestions and user recommendations.
Phase III and IV: Evaluation and Reporting
Phase III launches the risk analysis engine and performs the evaluation. Clearly, preparing for the evaluation is far more time consuming than running the evaluation engine. Before you actually run the evaluation, however, HIPAA-Watch allows you to review the links created between Asset Categories and Loss Categories. If you need to change the default recommendations for the links between Asset Categories and Loss Categories, it is simple to make the change: you simply uncheck the assets that are not prone to the type of loss indicated. For example, supplies and consumables are likely not prone to data disclosure and therefore should not be linked. Figure 4 illustrates how Assets are linked to Losses.
Figure 4. Linking Assets with Losses
In Phase III, you decide which calculations you want to compute based on the relationships of the threats, assets, vulnerabilities, and seriousness of potential incidents.
Phase IV generates a final report with a variety of optional sections that can be included. The options include:
recommendations for resolving vulnerabilities
full asset report
summary by asset report
full threat report
summary by threat report
full vulnerability report
vulnerability distribution report
full safeguard report
cost benefit report
safeguard threat report
audit trail question report
audit trail respondent report
The reports generate color pie charts and bar charts and can be saved in either rich text format or Microsoft Word format. While the reports are verbose in their recommendations, most organizations will want to apply some edits to customize them further.
Suggestions for Product Improvement
Relevant Technologies would like to see the aesthetics of the user interface improved in HIPAA-Watch for Security. The engineering of the tool is so sophisticated that this product deserves a user interface with cutting-edge aesthetics and a vanguard look. While the existing graphic design and reporting engine is adequate, it could evolve into a market sensation if the developers enlisted the help of a top-notch design artist. Relevant Technologies believes that software is art, and when a product excels, we expect the look and feel of it to excel also. The look and feel of HIPAA-Watch for Security is basic, and for that reason using it may not elicit as many "oohs and aahs" as it might otherwise receive given its capabilities.
Relevant Technologies would prefer to see the survey questions worded in the form of a true interrogative sentence instead of a statement with a question mark at the end. For example, instead of "Access to system log data is restricted to approved personnel?", we would prefer the question to be worded, "Is access to system log data restricted to approved personnel?" However, it's fair to say that the survey questions that exist are certainly on topic and apropos to a HIPAA audit.
Since LAFE values vary according to geographic location, Relevant Technologies would like to see this feature automated so that when you enter your organization's zip code, the LAFE values are adjusted automatically. For example, if your organization is in Omaha, Nebraska (US), you would have a much higher likelihood of tornadoes than if your organization is in Portland, Maine (US). Today HIPAA-Watch for Security allows you to adjust these values manually; however, this presumes that you know what the adjustment should be, and it may take you some time to look it up and find out.
Recommendations for Users
HIPAA-Watch for Security works as advertised and has all the appropriate features that experts in risk analysis expect to see. Its ability to make appropriate calculations from which quantitative risk-based decisions can be made is first-rate. The automated reports that it generates will be useful for chief financial officers, chief information officers, and chief security and privacy officers. Since HIPAA-Watch for Security has the ability to accommodate multiple respondents who can log in to the system from different locations, it can be particularly useful for large, disparate organizations. By using HIPAA-Watch for Security, it is possible to understand which safeguards will give you the greatest return on investment, ranking them from highest to lowest. If you are ready to tackle a HIPAA compliance risk analysis and don't know where to start, using HIPAA-Watch for Security will likely speed up your ability to comply with the CFRs.
Apart from helping your organization comply with the Final Security Rule, HIPAA-Watch can help your organization make better business decisions by making recommendations on how cost effective it is to apply particular safeguards. To take advantage of the sophisticated business decision recommendations, users of HIPAA-Watch may want to educate themselves on basic quantitative risk analysis equations, including how to calculate annualized loss expectancy (ALE), single loss expectancy (SLE), annualized rate of occurrence (ARO), and exposure factor (EF). The information HIPAA-Watch generates can also be used to populate a Disaster Recovery planning exercise.
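As an added illustration (not part of the original note, and not RiskWatch's engine), the following Python sketch applies those equations to constructed sample asset/threat pairs and ranks candidate safeguards by annual cost/benefit, in the spirit of the cost benefit report. All asset names, dollar values, frequencies and safeguard effects are assumptions chosen for the example.

```python
from dataclasses import dataclass, replace
@dataclass(frozen=True)
class Exposure:  # one linked Asset Category / Loss Category pair
    asset: str
    threat: str
    asset_value: float      # value of the asset in dollars
    exposure_factor: float  # EF: fraction of the asset value lost in one incident (0..1)
    aro: float              # ARO: expected incidents per year (a LAFE-style local frequency)

@dataclass(frozen=True)
class Safeguard:
    name: str
    annual_cost: float      # annualized cost of the safeguard
    threats: tuple          # threat names it mitigates
    aro_reduction: float    # fraction by which it lowers ARO (likelihood)
    ef_reduction: float     # fraction by which it lowers EF (impact)

def single_loss_expectancy(e):
    return e.asset_value * e.exposure_factor  # SLE = asset value x EF
def annualized_loss_expectancy(e):
    return single_loss_expectancy(e) * e.aro  # ALE = SLE x ARO

def residual(e, s):
    # exposure after safeguard s is applied; unchanged if s does not cover the threat
    if e.threat not in s.threats:
        return e
    return replace(e, exposure_factor=e.exposure_factor * (1 - s.ef_reduction),
                   aro=e.aro * (1 - s.aro_reduction))

def safeguard_value(exposures, s):
    # annual cost/benefit of s: ALE avoided across all exposures minus its annual cost
    before = sum(annualized_loss_expectancy(e) for e in exposures)
    after = sum(annualized_loss_expectancy(residual(e, s)) for e in exposures)
    return before - after - s.annual_cost

def rank_safeguards(exposures, safeguards):
    # (name, value) pairs from highest to lowest return, as a cost-benefit report ranks them
    scored = [(s.name, round(safeguard_value(exposures, s), 2)) for s in safeguards]
    return sorted(scored, key=lambda pair: pair[1], reverse=True)

# Constructed sample values, not RiskWatch data; "supplies" has no data-disclosure entry (link unchecked)
EXPOSURES = [
    Exposure("patient database server", "tornado", 200_000, 1.0, 0.05),
    Exposure("patient database server", "data disclosure", 200_000, 0.25, 0.5),
    Exposure("supplies and consumables", "tornado", 5_000, 1.0, 0.05),
]
SAFEGUARDS = [
    Safeguard("off-site backups and recovery site", 4_000, ("tornado",), 0.0, 0.8),
    Safeguard("role-based access to log and patient data", 6_000, ("data disclosure",), 0.6, 0.0),
    Safeguard("24x7 guard service", 20_000, ("data disclosure",), 0.3, 0.0),
]
```

Calling rank_safeguards(EXPOSURES, SAFEGUARDS) orders the three safeguards from highest to lowest net annual return; a negative value means the safeguard costs more per year than the loss it avoids.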
An auxiliary addition to HIPAA-Watch is a bonus CD containing a data collection kit with forms, PowerPoint presentations, and various shortcuts and tips that will make the analyst's job easier. A complete risk analysis project plan is included in both Microsoft Project and Excel formats for reference purposes.
Consultancies that specialize in assisting healthcare organizations on the road to HIPAA compliance may want to consider using HIPAA-Watch for Security as a tool for standardizing their service offering. Since the audit questions can be refined and added to, it is possible to build up comprehensive question libraries that can be used with different types of covered entities. The types of covered entities that can take advantage of HIPAA-Watch for Security include health care providers, health care plans, and health care clearinghouses. Health care providers include hospitals, doctors, clinics, pharmacists, and mental health care specialists. Health care plans include insurance companies, health maintenance organizations (HMOs), Medicare plans, Medicaid plans, veterans' health care programs, and Indian Health Service programs. Health care clearinghouses include organizations that process or facilitate billing or transmittal of electronic health information data for other covered entities, such as community or local health information systems.
Conducting a risk analysis manually is not an intuitive process, and use of HIPAA-Watch for Security will be a definite timesaver for any organization that wants to conduct a true risk analysis. A two-day training class is available every month at RiskWatch's headquarters in Annapolis (US).
One feature that Relevant Technologies found to be particularly notable was the ability to actually see the HIPAA Final Security Rule, which is expressed as a control standard. This feature enables organizations to understand why they need to pay attention to a particular security policy and whether or not it is considered a required or addressable CFR. While Required CFRs are mandatory, addressable CFRs are optional.
Relevant Technologies spent a considerable amount of time researching possible market competitors and was not able to find any other HIPAA security compliance products that appeared competitive with HIPAA-Watch for Security. However, since the market for HIPAA compliance products is still young, Relevant Technologies expects new competing products to emerge within the coming year.
Federal agencies will like that the safeguards list includes the deliverables that are typically required to pass a FISMA-based security certification and accreditation audit. Federal agencies that already have a Certification and Accreditation (C&A) package can apply these C&A reports to their HIPAA risk analysis and reuse much of the pre-existing information.
This concludes Part Two of a two-part note. Part One provided the vendor background and described Phase I and II of the HIPAA-Watch for Security tool. Part Two detailed Phase III and IV and also offered product suggestions and user recommendations.
Laura Taylor is the President and CEO of Relevant Technologies (http://www.relevanttechnologies.com), a leading provider of original information security content, research advisory services, and best practice IT management consulting services.
Copyright 2004, Relevant Technologies, Inc. All rights reserved.