HIPAA Security Risk Analysis Tips – Solve HIPAA and PCI DSS Requirement Once
No surprise! The Payment Card Industry (PCI) is raising the bar when it comes to performance of an annual risk assessment a.k.a. risk analysis. It’s no surprise after all since completing an annual risk analysis is foundational for any legitimate information security program. In fact, many HIPAA Covered Entities and Business Associates have to meet both HIPAA and PCI Data Security Standard (PCI DSS) requirements. Here’s today’s big tip – kill two birds with one stone by completing a bona fide risk analysis according to NIST SP 800-30!
HIPAA Security Risk Analysis Tips & PCI Risk Analysis Tip!
When the Payment Card Industry (PCI) Security Standards Council updated the PCI Data Security Standard (PCI DSS) Requirements and Security Assessment Procedures with Version 2.0 in October 2010, they included the explicit requirement to complete an annual risk assessment in Section 12.1.2 which states:
12.1 Establish, publish, maintain, and disseminate a security policy that accomplishes the following:
12.1.1 Addresses all PCI DSS requirements.
12.1.2 Includes an annual process that identifies threats, and vulnerabilities, and results in a formal risk assessment. (Examples of risk assessment methodologies include but are not limited to OCTAVE, ISO 27005 and NIST SP 800-30.)
12.1.3 Includes a review at least annually and updates when the environment changes.
The PCI DSS auditing / testing procedures for 12.1.2 risk assessment requirement include:
12.1.2.a Verify that an annual risk assessment process is documented that identifies threats, vulnerabilities, and results in a formal risk assessment.
12.1.2.b Review risk assessment documentation to verify that the risk assessment process is performed at least annually.
In November 2012, the Risk Assessment Special Interest Group (SIG) of the PCI Security Standards Council published the Information Supplement: PCI DSS Risk Assessment Guidelines.
The objective of this PCI DSS Risk Assessment Guidelines document is to provide supplemental guidance and recommendations for performing a risk assessment in accordance with PCI DSS Requirement 12.1.2. A risk assessment, as required in the PCI DSS, is a formal process used by organizations to identify threats and vulnerabilities that could negatively impact the security of cardholder data.
Two Birds One Stone – Meet Both PCI DSS and HIPAA Security Requirements At Once
Both PCI DSS V2 and the latest PCI DSS Risk Assessment Guidelines cite a number of industry-accepted methodologies that can be used to meet the PCI DSS risk assessment requirement. One of these methodologies is that detailed in “NIST SP800-30 Revision 1 Guide for Conducting Risk Assessments“.
Organizations adopting the NIST SP800-30 approach for conducting a risk analysis can comply with both HIPAA Security Rule and PCI DSS risk analysis requirements with this one approach.
Wanna be even more hip on HIPAA? Learn more…
If you’d like keep up to date on Risk Analysis or HIPAA-HITECH in general, please also consider (all optional!):
- Joining our AboutHIPAA LinkedIn Group: http://AboutHIPAALI.org
- Following me: http://Twitter.com/AboutHIPAA
- Subscribing to our eNewsletter: https://app.e2ma.net/app/view:Join/signupId:61331/mailingId:3310893/acctId:36048
- Checking our company web site: http://clearwatercompliance.com/
- Attending a HIPAA HITECH live webinar: http://abouthipaa.com/webinars/upcoming-live-webinars/
- Attending a HIPAA HITECH Blue Ribbon Panel Live Web Event: http://abouthipaa.com/webinars/blue-ribbon-panel-live-events/
- Viewing a pre-recorded webinar: http://abouthipaa.com/webinars/on-demand-webinars/