A High-Level "Big Rocks" Information Security Risk Assessment

Question Title

* 1. Enter your email (I will send you a report of all your responses):

Question Title

* 2. What type of organization are you looking to evaluate? Select as many that apply.

My org is a covered entity as defined by HIPAA.

My org is a business associate as defined by HIPAA.

My org is a vendor that develops software for the healthcare industry.

I am an independent consultant in the healthcare industry, and I collect PHI data as part of my services/operations.

Other (please specify)

This 10-question survey is designed to give you a quick 5-minute assessment of your high-level information security risk at your organization. Reminder: This is not a complete HIPAA-based information security risk assessment as most information security frameworks have some 100-600 controls that complete the full assessment.

This high-level assessment is based on my 30 years of experience in healthcare and as an operational healthcare CIO/CISO/CTO, responsible for creating and maintaining Information Security Management Systems (ISMS) primarily in the federal, not-for-profit, and startup domains. I have been on the receiving end of developing an ISMS and then certifying that program for over 15 years with ZERO non-conformities (the highest achievement you can receive). I am a Certified Information Security Manager (CISM) and have been an evaluator for HITRUST and DirectTrust, where I assisted over a dozen companies in developing and then achieving their certifications.

This is a "big rocks" risk assessment of your Information Security Management System (ISMS) program (or lack thereof) to help you determine whether you're overly exposed to unnecessary risk of a data breach and the avoidable damage that breach could cause to your operations.

Question Title

* 3. Do you have an appointed and properly trained Chief Privacy Officer, separate and apart from an appointed and properly trained Chief Security Officer?

No, we have appointed neither position within our organization.

Not really—we have appointed people to those roles, but we're not sure whether they are trained.

Sort of—we have appointed a CPO and CISO, but it is one person doing both roles.

Yes, we have appointed a trained Chief Privacy Officer (CPO) and a trained Chief Information Security Officer (CISO).

Question Title

* 4. Does your organization have an established Information Security Management System (ISMS) to address all the federal and state mandates that ensure the confidentiality, integrity, and availability of sensitive data? And are you reviewing and updating annually, as well as requiring staff to acknowledge these policies and procedures annually?

No, we do not have policies and procedures (security controls) in place

Not really—we do have some policies and procedures, but not a complete ISMS and not training staff

Sort of--we have established an ISMS and train staff at onboarding, but we are not reviewing and updating it annually, nor requiring staff to acknowledge the policies and procedures.

Yes, we have a well-established ISMS that we routinely review and update (at least annually). We also ensure staff review the ISMS Policies and Procedures at least annually.

Question Title

* 5. Does your organization use an industry best-practice framework, such as SOC, ISO, NIST, or HITRUST, to base its ISMS and establish appropriate security controls?

No, we don't even know about those frameworks

Not really—we make sure that our data is encrypted.

Sort of--we have established an ISMS but it's not based on any framework

Yes, we have a well-established ISMS based on an industry best-practice framework.

Question Title

* 6. Has your organization identified all sensitive data (e.g., personally identifiable information (PII)) that is federally mandated to be protected by such regulations as HIPAA, GDPR, CCPA, and PCI?

No, we have no idea what data we collect, where, or how it's stored/used.

Not really—we know we have sensitive data, but are not sure how we collect it or where it is stored.

Sort of, we have identified that we collect sensitive data, but we're not sure how or if we protect it according to federal/state mandates.

Yes, we have identified how we collect, transmit, and store all of our sensitive data.

Question Title

* 7. Has your organization established an information security incident response team that has well-established protocols on how to respond to an incident and report any breach to the appropriate authorities (e.g., law enforcement, Office of Civil Rights, patients, etc.)?

(TIP: This incident response team is a control that is typically required in any of the aforementioned security frameworks.)

No, we have no idea what data we collect, where, or how it's stored/used.

Not really—we know we have sensitive data, but are not sure how we collect it or where it is stored.

Sort of, we have identified that we collect sensitive data, but we're not sure how or if we protect it according to federal/state mandates.

Yes, we have identified how we collect, transmit, and store all of our sensitive data.

Question Title

* 8. Has your organization identified all assets and personnel that come into contact with sensitive data (e.g., HR, clinical, and IT staff; servers; devices)?

TIP: You need an inventory of all "actors/assets" involved in processing sensitive data and to demonstrate you are protecting devices or training staff on the proper use of those assets.

No, we have no idea who has access to our sensitive data or on which devices we store it.

Not really—we know who handles sensitive data, but we're not sure whether they are trained or whether the devices are protected.

Sort of--we have identified all assets and personnel handling sensitive data, but we are not sure if the assets are protected or if the staff is trained correctly.

Yes, we have identified all sensitive data flows from staff to assets, know how the data is protected, and ensure staff are trained.

Question Title

* 9. Has your organization conducted a Risk Assessment (RA) and Business Impact Assessment (BIA) against all of the actors/assets handling sensitive data that are used to inform your Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP)?

TIP: HIPAA mandates that all entities, covered or business associate, are required to conduct an annual risk assessment. And don't forget that if you're using outsourced platforms like AWS, Google Cloud, or any other third-party as part of your infrastructure ... It is your responsibility to evaluate their compliance with your established ISMS!

No, we have no idea what risks we need to manage or the impact on our business should a risk materialize into an incident.

Not really—we know who handles sensitive data and know we have risks, but haven't produced a business impact assessment.

Sort of--we have identified risks to our operations and the impact of a possible breach, but do not have it documented in a plan that is reviewed at least annually.

Yes, we conduct annual risk assessments that inform our business impact assessment, which in turn informs our business continuity and disaster recovery plans.

Question Title

* 10. Has your organization used a third-party audit firm to assess compliance with federally mandated regulations? For example, achieved SOC 2 or ISO 27001 certification?

No, we don't even have an established ISMS.

Not really—we do have an ISMS based on a security framework and conduct our own risk assessments.

Sort of--we use a consultant to review our work, but never to achieve a certification.

Yes, we routinely evaluate our program and have undergone an independent third-party evaluation of our ISMS compliance against industry best-practice frameworks such as NIST, ISO, SOC, and HITRUST.

Question Title

* 11. Has your organization used a third-party company to conduct a vulnerability and penetration test (VAPT) of your network and associated assets that are used to process sensitive data?

No, we have not had a third-party VAPT.

Not really—we rely on big-name tech vendors like Microsoft to send regular patches.

Sort of--we conduct our own VAPT, but don't use a third party.

Yes, we routinely evaluate our network and hire an external third party to conduct an annual VAPT.

Question Title

* 12. Does your organization use a SaaS platform like Vanta, Drata, Sprinto to establish and maintain its ISMS program?

No, we don't even have an ISMS.

Not really—we rely on emails and spreadsheets to establish our ISMS.

Sort of--we built our own database to manage the controls in our ISMS.

Yes, we use a SaaS platform as our centralized command and control of our ISMS where much of the evidence gathering (up to 95%) can be automatically culled from the technology stack to demonstrate compliance.

Thank you for taking the time to respond ... That's it, you've answered all the questions! If you answered NO to more than half of these questions, I would consider your business operations to be at a HIGH RISK of adverse consequences in the event of a security incident, such as a breach of Protected Health Information (PHI) or other Personally Identifiable Information (PII). If you provided your email, I will send you a copy of all responses submitted.