It's budget season and I want to validate my information security program. What should I look for in a good firm to come in and do a soup-to-nuts inspection of my security program, with a focus on being compliant with HIPAA and HITECH compliance requirements?
It's always a good idea to have an independent firm look at your information security program, no matter how confident you are in your own team. It's easy for those within an organization to become blind to security vulnerabilities, simply because they're working with the plan every day. Engaging a fresh set of eyes to conduct a thorough security review may point out opportunities to improve security controls and reduce the organization's exposure to information security risk.
The first major criterion to use when selecting a partner to perform this assessment is its information security expertise. How many similar engagements has the firm performed in the past? What are the credentials of the team that will be on-site performing your assessment? Don't be fooled by the flashy résumés of top executives that the sales team shares; make sure you understand the background of the "feet-on-the-ground" staff who will actually perform the assessment.
It's also important to find a partner that has expertise in your industry. The more familiarity a consultant has with your particular field, the less explaining you'll need to do and the more likely they will be able to complete a useful assessment at minimal cost. Take HIPAA and HITECH compliance, for example: Make sure the assessment team you hire has experience in the healthcare industry. Also, you may want to structure the engagement so it not only meets the organization's needs, but also satisfies the requirements for regular HIPAA risk assessments.
Finally, ensure you're comfortable with the partner. As with any knowledge-based engagement, the product you receive is simply a written report of the firm's findings, based on its professional expertise. If you don't have confidence in the accuracy, integrity and expertise of the firm conducting the assessment, the final product will have little value to the organization.