Is information security gap analysis important for HIPAA compliance?

Security gap analysis is a strong, reliable technique for enterprises looking to assure HIPAA compliance. Expert Mike Chapple explains how to perform the analysis.

Mike Chapple, University of Notre Dame

Some sources say healthcare organizations should perform "gap analysis" to find weak spots in HIPAA compliance....

Step 2 of 2:

You forgot to provide an Email Address.

This email address doesn’t appear to be valid.

This email address is already registered. Please login.

You have exceeded the maximum character limit.

Please provide a Corporate E-mail Address.
- I agree to TechTarget’s Terms of Use, Privacy Policy, and the transfer of my information to the United States for processing to provide me with relevant information as described in our Privacy Policy.
Please check the box if you want to proceed.
- I agree to my information being processed by TechTarget and its Partners to contact me via phone, email, or other means regarding information relevant to my professional interests. I may unsubscribe at any time.
Please check the box if you want to proceed.

Is this a good idea? How should we go about performing compliance gap analysis?

It is absolutely a good idea. Security gap analysis is a time-tested compliance technique that is well-suited for organizations subject to HIPAA, PCI DSS and other security and privacy regulations. A gap analysis or assessment basically consists of measuring the performance of IT assets to see if they are meeting the expected performance metrics. A security or compliance gap analysis, therefore, would measure the current compliance efforts of an organization against the stated requirements of a regulatory body or standards group.

Organizations conducting an information security gap analysis should first decide who will perform the assessment. If the assessment is for internal use, it may be appropriate to have internal staff conduct the assessment, if they are qualified to evaluate regulatory compliance. On the other hand, if the assessment will be shared with external stakeholders, the organization may wish to leverage the independence of a third-party audit firm.

The meat of the information security gap analysis is a requirement-by-requirement assessment of the organization's compliance with the HIPAA rules. The assessor should document how the organization complies with each part of the regulation and then identify any gaps that require remediation before the organization is fully compliant. This gap assessment then provides the organization's leadership with a roadmap to full compliance.

Ask the Expert:
Got a vexing problem for Mike Chapple or any of our other experts? Ask your enterprise-specific questions today. (All questions are anonymous.)

Next Steps

Find out what privacy regulations enterprises should follow

Learn how companies should handle SaaS compliance

Discover who should perform HIPAA and HITECH compliance assessments

This was last published in March 2016

Dig Deeper on Security audit, compliance and standards

Related Q&A from Mike Chapple

The difference between AES and DES encryption

Choosing to encrypt confidential data with AES or DES encryption is an important cybersecurity matter. Learn about the important differences between ... Continue Reading

How to prevent DoS attacks in the enterprise

It's not possible to eradicate the risk of DoS attacks, but there are steps infosec pros can take to reduce their impact. Mike Chapple shares ... Continue Reading

How should HIPAA covered entities respond to healthcare ransomware?

The HHS OCR ruled that healthcare ransomware attacks are HIPAA violations, so these covered entities need to react according to the HHS's guidance. ... Continue Reading

Have a question for an expert?

Please add a title for your question

Get answers from a TechTarget expert on whatever's puzzling you.

Meet all of our Information Security experts

View all Information Security questions and answers

SearchCloudSecurity

Lyft's open source asset tracking tool simplifies security

Security teams need information and context about data in order to keep it safe. Learn how Cartography, Lyft's open source asset ...

Understanding the CSA Cloud Controls Matrix and CSA CAIQ

Uncover how the CSA Cloud Controls Matrix and CSA CAIQ can be used to assess cloud providers' controls and risk models, ensure ...

5 steps to a secure cloud control plane

A locked-down cloud control plane is integral to maintaining cloud security, especially in multi-cloud environments. Here are ...

SearchNetworking

SD-WAN explained: The ultimate guide to SD-WAN architecture

Evaluating SD-WAN architecture can be confusing, especially as the market grows. This guide helps IT pros learn SD-WAN basics, ...

VMware acquisition of Nyansa combines LAN, WAN analytics

The VMware acquisition of Nyansa is expected to provide network traffic analytics that cover the SD-WAN and the wired and ...

The 5 steps to a successful MPLS-to-SD-WAN migration

A solid migration plan is necessary in order to successfully transfer MPLS to SD-WAN and avoid contract mishaps, unexpected costs...

SearchCIO

Preparing for the new forms of cybersecurity threats in 2020

In the first part of a series on the new forms of cyberthreats in 2020, we're diving into the many infiltration points being ...

What is the state of CIO tenure today?

CIO tenure remains significantly lower than other C-suite positions, and according to experts, it's a result of the age of ...

The evolution of RPA, from macros to process transformation

RPA evolved from technology debuted in the 1950s and '60s and was developed to today's standards by the industry's leading ...

SearchEnterpriseDesktop

New Ivanti CEO plans to stay close to the customer

New Ivanti CEO Jim Schaper is no stranger to the C-suite of an IT company. And he's got a plan to push the company forward.

With support for Windows 7 ending, a look back at the OS

With support for Windows 7 ending and Microsoft ushering in the end of life for the OS, tech experts and IT pros look back at its...

Image-level methods for Windows application deployment

Imaging is a crucial process, but IT must also consider application deployment. Here are methods to deploy different types of ...

SearchCloudComputing

Reduce cloud latency for remote employees and offices

Latency remains an issue for cloud users with remote facilities. See how SD-WAN and satellites can improve network performance ...

AWS multi-account management best practices with Control Tower

With the help of AWS Control Tower, organizations who own and operate multiple cloud accounts can manage them all under one roof ...

Beat vendor lock-in with a cloud exit strategy

Without a comprehensive cloud exit strategy, an organization might fall victim to vendor lock-in and find itself dependent on ...

ComputerWeekly.com

Canonical offers scalable mobile Android apps in the cloud

New Android technology allows enterprise users to offload compute, storage and energy-intensive applications from devices to the ...

Air New Zealand taps AI in airside operations

Air New Zealand has teamed up with Auckland Airport to test the use of computer vision to turn around its fleet faster

Data Literacy Project research finds UK workers putting off data work

Research from Qlik and Accenture finds a big majority of UK workers lack the data literacy skills and confidence to capture ...

Join the conversation

1 comment

Send me notifications when other members comment.

Oldest

[-]

abuell - 11 Mar 2016 2:11 PM

This really is a necessity for any organization subject to HIPAA rules. Each rule needs to be evaluated, and research done to make sure that the requirement is being met in all cases.

Datadog Log Management is now HIPAA-compliant

Compliance Manager tool aims to ease security audit process

To prep for OCR HIPAA audits, try tech risk assessment

How can HIPAA security risk analysis help with compliance?

Please create a username to comment.