The security risk assessment report conducted for the Department of Health and Human Services outlines the necessary steps to protect patient information under HIPAA and HITECH regulations. Key findings indicate the need for improved data encryption, business continuity planning, and employee training to address identified vulnerabilities. A detailed risk management plan should be developed based on the gaps identified to mitigate potential threats to electronic protected health information.

1. SAMPLE
SECURITY
RISK
ASSESSMENT
REPORT
January 29
2014
This security risk assessment exercise has been performed to support the
requirements of the Department of Health and Human Services (HHS),
Office for the Civil Rights (OCR) and other applicable state data privacy laws
and regulations.
Prepared for
<Company
Name>

2. Table of Contents
1. Executive Summary
2. Risk Assessment Approach
3. Scoping
4. System Characterization
5. Threat Statement
6. Risk Assessment Results
7. Summary
2, Davis Drive NC 27709
|
ehr20.com |
info@ehr20.com
| 802-448 2255

3. EXECUTIVE SUMMARY
Under the HIPAA Privacy and Security Rule, business associates are required to perform active
risk prevention and safeguarding of patient information that are very important to patient privacy.
The HITECH act allows only minimum necessary to be disclosed when handling protected
health information (PHI).
This security risk assessment exercise has been performed to support the requirements
of the Department of Health and Human Services (HHS), Office for the Civil Rights (OCR) and
other applicable state data privacy laws and regulations. Upon completion of this risk
assessment, a detail risk management plan need to be developed based on the gaps identified
from the risk analysis. The gaps identified and recommendations provided are based on the
input provided by the staff, budget, scope and other practical considerations.
RISK ASSESSMENT APPROACH
Our risk assessment approach is expected to identify only reasonably anticipated threats or
hazards to the security or integrity of electronic Protected Health Information (“ePHI”).
Assessing risks is only a first step. The results of the risk assessment have to be used to
develop and implement appropriate policies and procedures. IT, management and support
representatives have been interviewed in order to complete the risk assessment. Interviews,
questionnaires and automated scanning tools are used for gathering information required for
this security risk analysis. When mitigating significant risks, not all are equally important. Take
into account the cost of intervention and the business impact of loss of confidentiality, integrity,
or availability of data.
SCOPING
Please refer to the ePHI inventory sheet for the complete list of system hardware, software and
other applications that are processing electronic Protected Health Information (ePHI). Scoping
exercise is done on systems, processes and applications based ePHI data created, shared,
stored and transmitted.
SYSTEM CHARACTERIZATION
Systems are characterized, including hardware (server, router, switch), software (e.g.,
application, operating system, protocol), system interfaces (e.g., communication link), data, and
users based on ownership of the systems, ePHI processing and location of data.
THREAT STATEMENT
EHR 2.0 has conducted risk assessment to determine the extent of the potential threat and the
risk associated with IT systems owned or operated by Company Name To determine the
likelihood of a future adverse event, threats to ePHI handled by Company Name Inc. are
analyzed in conjunction with the potential vulnerabilities and the controls in place for the IT
systems. EHR 2.0’s assessment framework includes guidance from NIST, US-CERT, and other
2, Davis Drive NC 27709
|
ehr20.com |
info@ehr20.com
| 802-448 2255

4. authoritative sources along with expertise from decades of experiences in protecting IT systems
and complying with several regulatory requirements including PCI-DSS, SoX, and HIPAA.
RISK ASSESSMENT RESULTS
Risk Topics
Addressed
High
Medium
Not Addressed
High
Medium
Partially Addressed
High
Medium
Grand Total
Total Number of
Domains
10
9
1
15
5
10
20
14
6
45
For a detailed list of observation please review the risk analysis sheet. Following are the list the
key observations:
1. Encryption of data at rest
a) Desktop –based applications which could potentially store PHI data need to
have at least encrypted volume for storage
2. Business continuity and disaster recover planning
a. Need to identify key systems which are required without which Company Name
provide service and validate the plan by testing the backup.
SAMPLE
3. Information Access Review and Auditing
a. Key system access need to be reviewed periodically including AD service
accounts and exception based monitoring to be in place
4. Network scanning
a. It’s a good practice to continuously run basic vulnerability scanning of the
network to make sure the network infrastructure is patched, ports restricted, etc.
5. Administrative Controls
2, Davis Drive NC 27709
|
ehr20.com |
info@ehr20.com
| 802-448 2255

5. a. Background checks for employees
b. IT professionals administering data need to be provided more in depth security
and compliance training
6. Information security policy
a. Develop comprehensive information security policy (master doc.)
b. Develop simple, easy-to-use department-wise policy on information access,
usage and sharing. This policy document needs to be used for training each
department employees handling ePHI.
SAMPLE
7. Insurance
a. Ensure any potential network breach, virus infection and regulatory fines are
covered under your business general liability insurance or cover using specialty
products like Cyber Liability insurance.
Detail line items are available in the risk analysis spreadsheet with specific next
steps.
SUMMARY
Since cost, timeliness, and ease of use are a few of the many important factors in managing the
identified risks, Company Name should attempt to implement security measures sufficient to
reduce risks and vulnerabilities to a reasonable and appropriate level. In addition, an active
security risk management plan needs to be in place to handle any evolving security threats.
Disclaimer: EHR 2.0 conducts assessment and prepares recommendations based on point-in-time interaction with customer’s
workforce, analysis of systems and existing processes. EHR 2.0 is not directly liable for any inaccuracies reported due to the
change in processes, people and technology.
2, Davis Drive NC 27709
|
ehr20.com |
info@ehr20.com
| 802-448 2255