Category Archives: Managing the Risk Assessment

What Happens if OCR Shows up – Asking about your HIPAA Compliance?

With only 2 weeks (15 days) left to meet the HIPAA Omnibus Rule, let’s say you have
done everything you could 
possibly do, to be in full compliance with every part of HIPAA:

1.  Finish a current HIPAA Risk Analysis – CHECK
2.  Rewrite Business Associate agreements – CHECK
2.  Rewrite Policies & Procedures – CHECK
3.  Get PHI off the office copiers – CHECK
4.  Gather Documentation in one place – CHECK
5.  Start HIPAA Security Awareness Program – CHECK
6.  Update HR Sanctions Policies – CHECK
7.  Finalize Contingency Plans – CHECK
8.  Add more encryption – CHECK
9.  Implement Plan for Smartphones & Mobile  Devices – CHECK
10. Have staff sign new affirmation Agreements – CHECK

And in spite of your careful preparation, you walk into work on Monday, and the regulators from
OCR are sitting in the Lobby, and they’ve been there since 7:00 AM!

No matter what else you have done, or started, and have not done, your insurance policy is to be
able to pull out your most current (in months, not years) HIPAA Risk Analysis and then pull out all
your supporting documentation including:

1. All information, including network diagrams, on where the PHI is on your network, and the automated
network controls you have implemented.

2.  A record of every application, every database, etc. that hold PHI, are used to create, manage, or
share PHI, in both electronic and paper form.

2.  Rosters going back 3 years of everyone in the organization who’s taken HIPAA training.

3.  A copy of the Policies and Procedures, and Security Plans, printed out and labeled in 3-ring

4.  List of all HIPAA controls that are currently in place and verification documents.

5.  Copies of all Business partners agreements and contracts

6.  A notarized statement signed by the Board Director, CEO or Administrator re-stating
the organization’s Commitment to HIPAA Security & Privacy & Omnibus Rules..

7.  Copies of recent employee surveys validating their stated compliance with all HIPAA
Security,  Privacy, and Omnibus rules.

All of these elements should be printed in their most current versions and put in D-Ring
binders, which you will pull out of a cabinet designed for high security.  Nothing thrills a regulator
or auditor more than getting everything you ask for in a neatly labeled, giant 3-ring binder.

It says “PREPARED”  in a way that having files on the network never will.

And, BTW, you HAVE completed all these steps – right?






The HIPAA Countdown continues, with the HIPAA Omnibus Rule compliance date of September 23rd looming in the distance.

Now that everyone is coming back to work, relaxed from the long weekend (we hope), it’s time to get back to work.

As a HIPAA Risk Analysis expert, I have gotten more than 300 calls and emails in the last 5 days (yes, even on Sunday) about
what NEEDS to be done right now.   Here’s a sample of the questions,

“Should I do a penetration test before Sept 23rd?”
“Should we update our policies before Sept. 23rd?”
“Should I hurry and get the laptops encrypted by Sept 23rd?” 
“We re-wrote our business agreements – what else do I need to do before Sept. 23rd?

To quote Leon Rodriguez, the Director of the Department of Health and Human Services, Office of Civil Rights, which is
the lead federal agency for HIPAA Enforcement, “The Number One Thing you need to do before September 23rd
is to update, or start a new 
HIPAA Risk Analysis.”  

According to the OCR Guideline on Risk Analysis,  “Conducting a risk analysis is the first step in identifying and
implementing safeguards that comply with and carry out the standards and implementation specifications in the Security
Rule. Therefore, a risk analysis is foundational, and must be understood in detail before OCR can issue meaningful
guidance that specifically addresses safeguards and technologies that will best protect electronic health information.”

This is why the First Area that OCR will address when they visit is:  “Where is your HIPAA Risk Analysis?”

Where is yours?  And has it been updated lately?

And did you know that Leon Rodriguez is on Twitter!  His twitter handle is @OCRLeon.




Countdown for HIPAA — Less than 25 days to Deadline & How to Get A Free HIPAA Risk Analysis Guide

NEW DEADLINE:  September 23, 2013

The new HIPAA Omnibus rule became law on March 23, 2013.   The main provisions of the Rule, which include new requirements for healthcare organizations, insurance companies, hospitals, clinics, pharmacies, dental practices and many other organizations, also include Business Associates, which means any organization that has access to patient medical records (PHI- Protected Health Information).

So all the data managers, the data storage companies, the lawyers and countless other companies who are part of flow of healthcare and medical data also have to have a completed HIPAA Risk Analysis by September 23, 2013!

For primary healthcare providers, to be in compliance with the HIPAA Omnibus Rule, they have to revise all their policies and procedures, and also rewrite their contracts with business associates, to place responsibility for data protection on the business associates. And business associates have to apply the same policies to their subcontractors too.  So thousands of policies and contracts are being furiously re-written, as I write this!

Completing a  HIPAA Risk Analysis is the best way to prepare for the deadline, and also to pinpoint any area where your organization needs to
improve a control, a policy or their operating procedures.   As a core HIPAA requirement, the Risk Analysis is a kind of summary of where the organization is in relation to all the HIPAA Rules, including HIPAA Privacy, HIPAA Security, NIST SP 800-66, the Office of Civil Rights, and the
Breach Notification Act.

There are great software tools available to help managers do a HIPAA Risk Analysis (like my HIPAA Risk-Pro program), available online at, or, as another option, many other organizations are hiring HIPAA consultants to come in and do a Risk Analysis for them.

So if you are a healthcare organization, or a designated business associate, you can start your HIPAA Risk Analysis on Tuesday, Sept. 3,
and have it completed by the deadline.

The Office of Civil Rights has a big pot of money, collected from fines, and they have hired more investigators to go out and audit all these organizations for HIPAA Compliance.  Recently a small hospice in Idaho was fined $50,000, and a physicians practice in Arizona was fined $100,000, and
many other organizations, including states and health plans, have been fined more than $1,000,000 for a variety of violations, including not
having a current Risk Analysis.

For more information on how to do a HIPAA Risk Analysis, you can write to: and get a free HIPAA Risk Analysis Guide, a free Project Plan, and a copy of exactly what the OCR Regulators look for when they conduct a HIPAA audit.


How to Easily Update your HIPAA Business Associate Agreements Before Sept. 23, 2013

One of the major changes for every business involved with the new HIPAA Omnibus Rule is that you are required to 
“Review and,  if Necessary, Amend Business Associate Agreements”
Whether your organization is defined as a Hospital, a Physician Practice, a Group Health Plan, a Managed Care organization, a Pharmacy, a Dental Office, or any kind of “Covered Entity” (CE), you have to change your business agreements with all the people who access, create, manage, store, or view your Protected Health Information (PHI).
The new HIPAA Omnibus Rule (45 CFR § 164.314(a) and .504(e)) added new elements that require you to adjust the Business Associate agreements to make sure they agree (in writing) to comply with the HIPAA Security Rule, to make sure they perform their own Risk Analysis to assess how they protect PHI.
Covered entities and business associates must ensure that their existing and future agreements contain the elements required by . In addition to previous requirements, the agreement must require the business associate to:

1.  Comply with the security rule.

2.  Execute business associate agreements with their subcontractors. 

3.  To the extent the business associate carries out an obligation of a covered entity, comply with any HIPAA
      rule applicable to such obligations.

4.  Report breaches of unsecured protected health information to the covered entity (organization).
If you’re not sure how to adjust all these agreement, DHHS-OCR has updated sample business associate language for you
to use at :

The HIPAA Omnibus Rule has made accountability more important because it says that the Covered Entity (CE) is

are liable for the misconduct of business associates if the business associate is acting as the agent of the covered entity.

In the same way, business associates should review their agreements with their Covered Entities and also their Sub-Contractors to make sure that the language in their contracts is up to date and makes it clear that the subcontractors are acting as independent contractors and not as the agents of the covered entity or business associate, and that the agreements do not give the covered entity too much control over day-to-day operations of you, their business associate.

As of today, August 19, 2013, both the Healthcare Provider (CEs), and the Business Associates have 34 more Days to modify these agreements modified and up to date, making sure they match the new HIPAA Omnibus Rule if :

(1) the agreement they had in place on January 25, 2013, complied with the HIPAA rules as of that date, and

(2) the agreement does not expire or renew (other than through evergreen clauses) prior to September 23, 2014!

So get out those pencils, and those agreements and start reviewing, amending and modifying those agreements!
SPECIAL TIP:  Here’s a web site with sample Business Associate language to use as a resource:

Benghazi Hearing Demonstrates Attack Uncovered A Fatal Lack of Coordination & Funding for Embassy Security

Just two weeks ago, we were talking about the lack of coordination between DHS agencies and known intelligence on the brothers responsible.

Now we have the Benghazi Senate hearings, and here is the same problem again – lack of coordination between different parts of the State Department, and with the Defense Department, AND with the CIA and the intelligence community.

Add to this, the appalling cuts in funding for diplomatic security, and a flawed process about what needs to be done about security and protection to our embassies around the world.

“In these tight budget times, the committee has had to make some tough choices to prioritize funding.”, said a GOP aide in The Hill article (GOP cuts to embassy security draw scrutiny), by Alexander Bolton on September 18, 2012.   In spite of the uncertainly of the Arab Spring, the demonstrations every Friday in streets from Bahrain to Tunesia, the embassies had their budgets cut.

Of course, security experts are used to this, security doesn’t directly generate revenue, and it is often one of the first functions on the chopping block.  However, to cut funding to the critical embassy functions in this volatile environment, is obviously a very bad decision on the part of the GOP.

For example, the security risk assessment which are routinely done on these embassies are not done on a systematic basis.  As a risk expert, these security risk assessments should be done WEEKLY, and they should be automated so they can instantly be compared to environments in other embassies, and comparisons made by month, by year, and trends can be tracked.

If we can’t afford to do these assessments and just as important, if we can’t afford to fix the problems that assessments reveal, then we should not have embassies in these places.

The security risk assessments that are done properly must also include complete threat assessments.  “We need to develop a paradigm for managing risk“, said Gregory Hicks, a Foreign Service Officer who testified today on Capitol Hill.

These paradigms for managing risk already exist and they have been totally ignored by the State Department, which makes it almost impossible to get a clear, unfiltered view of the security situation at any embassy, at any point in time.

At least both sides of the political aisle agree, we do not want this to happen again!  Benghazi is not a political problem, it is a massive security failure problem!


Tragedy at the Boston Marathon – What Went Wrong?

Looking at the CNN footage of the Boston Marathon finish line yesterday, I was struck by the shock of the bystanders and the chaos that followed the blasts.

Having just giving two seminars on security controls, I pulled out my list to see what could possibly have been done differently to prevent this devastating outcome, and there was the first word on the list ACCESS CONTROL.

After thirty years as a security expert and risk-threat analyst, I am about 85% sure that this was a lone wolf attacker who made his crude bombs to address some personal perceived problem, whether it was fear of gun legislation, spillover from the Israeli-Palestinian conflict, the Neo Con torture initiative, or something else.

Putting the attacker aside for a moment, the tragedy happened because SOMEONE WAS ABLE TO WALK RIGHT UP TO THE FINISH LINE AND PUT AT LEAST 3 BOMBS right near the finish line!   THiS IS NOT RIGHT.

There has to be SCREENING and ACCESS CONTROL PROCEDURES IN PLACE!  You can’t have security if you have open access to a major event like the Boston Marathon.  For year, security experts have cautioned that large crowds make a great target, and so events have paid lip service to this concept, without staying on the task, and making sure that SECURITY CONTROL NUMBER ONE –  ACCESS CONTROL  is ALWAYS in place.

But people don’t like access control, it’s too much trouble, they say.  They don’t like metal detectors, too expensive, too much trouble, too intrusive.  Well, it’s not as intrusive as having a major injury.   There are ways to secure these high profile sites, but the security community has to lead on this.

Yes, it is very sad and depressing that the world has come to this — but it has.  And it will happen again.  As long as security is perceived as too much trouble, too expensive, too tough to do, and too intrusive, there will be more tragic events like this one.



Will the Risk of the Sequester Affect Security Budgets in 2013?

Every time the TV is on, every anchor is crying about the dreaded Sequester.

Will it have an impact on security budgets?  I have seen security budgets, especially for the facilities security departments, swing from almost unlimited budgets after 2001, to bare bones in 2009 and 2010, and thought they were trending back up for 2013.

Now, with the uncertainty about what a Sequester  actually is, (please note my use of the capital “S”), how will it affect our security departments?

Obviously, the most obvious casualty are the government contractors who’s contracts may be arbitrarily cut, and civilian managers of federal programs will see lost days and furloughs.

The trickle-down effect will probably extend to state, county and municipal governments, too.   So that means it’s even more important to start budgeting new security controls so that the most important get the funding!

One of the themes we go over in our webinar programs is how important it is to create a COST JUSTIFICATION and Return on Investment information so that you can create a business case for every control you need to improve security.

And one more thought on the Sequester – we often see an increase in crime, white collar crime and fraud when things are unsettled and people aren’t sure what’s going to happen next.

Maybe it’s a good time to do another risk assessment?  Maybe the Sequester is the next new Threat!



What do Benghazi and Newtown have in common? Flawed Security!

After the attack on the Benghazi mission and the tragic mass shooting at Sandy Hook Elementary, its apparent that what these two terrible incidents have in common is that security was not adequate.

In Benghazi, after the hearings and the pundits and speculation, the bottom line is that there was insufficient security.  In-place security controls were not sufficient to deter an attack, and the emergency controls were also not sufficient to recover and deal with the emergency attack.

In Newtown, at Sandy Hook Elementary, security was inadequate.  Security people often say that security is just as good as the weakest link, and despite adding new security controls, it was defeated because of the glass entry.  The shooter wasn’t allowed in so he simply broke the glass.  That slowed him up by 2 minutes, maybe. Also backup security controls were non-existent.  The shooter was observed and still there was no effective response.

There are three elements to security – DETER, DENY and RESPOND:

DETER – means to make the facility look too difficult to attack, and so the attacker thinks it’s too hard and goes away.

DENY – means that it is impossible for the attacker to get into the facility to launch an attack.

RESPOND/PROTECT means that after the attack is launched, the facility can defend itself, or to protect the individuals and/or property inside the facility.
Both Benghazi and Newtown did not deter, didn’t deny access, and didn’t have an adequate security response.

The Newtown shooting showed that this school, like many others across the country, had a false sense of security, because while some security elements were in place, the shooter easily entered the school, making the other elements irrelevant and  him to inflict mass casualties.

In both cases, the response was not adequate, it was ‘too little too late’.  And ‘too late’ means the attack can’t be stopped or contained.

The WHY is easy, because the security budget was inadequate.  These facilities did not have adequate risk assessments that could have demonstrated the critical assets contained within them.  What is more critical than classrooms of 6 year old children?  What is more critical than a State department facility with a U.S. ambassador inside?  Yet both didn’t have the protective security controls they deserved because their wasn’t enough budget for enough security.

Another element these incidents have in common is that they are both government facilities.  Yes, one was the Federal government and one was a local school district – but they both had the same problem of being short on budgets.  And when organizations are short on budgets, security is one of the first things to get their funding cut, or reduced.

Every facility needs a SECURITY risk assessment up front, how else can you allocate the funding and make sure that there is ENOUGH security in place to protect our most critical assets, our children?

Data-Driven Security – Using Metrics to Focus & Target Security Programs

Security programs can be dramatically improved by using a metrics-based assessment to focus them on the areas of greatest threat, and to use metrics as a management tool to keep the security program targeted on the areas that need the most attention.

Using a data-driven approach – that is, using real numbers to measure
and quantify security, always results in tangible improvements.

Management of a security program is no different than management of any other department, whether it’s human resources, cash flow, employee productiveness, profitability, or any other set of metrics that organizations use to measure how well something is being done, and how it could be improved.

Security officers may complain that management is not listening to their complaints, including not making enough money available to implement new technology, or to fix a loophole that has the potential to create havoc in the organization.

Most security conferences feature sessions with titles like “How to Sell Security to Management” and try to address this disconnect between senior management and their security programs. Peter Drucker, the world famous management consultant, said “If you can’t measure it, you can’t manage it.”

Fortunately, recent improvements in security technology and in development of wider reporting of threats and vulnerabilities, allow management metrics to be applied to the management of the security program to target the program to be maximally effective, to focus the available dollars in the areas which would provide the most protection for the least amount of money, and to prioritize the controls that need to be implemented,  based on their return on investment.

Risk assessments are the foundation of a data-driven security program. Through the process of risk assessment, managers can measure the effectiveness of the organization’s total security program, including analyzing the value of the organizational assets, the threat level (based on the mission of the organization), the existing vulnerabilities, and the effectiveness of existing controls.

Basing the risk assessment on the concept of data-driven security means that real numbers are used in the following areas:

1.  Determining the value of the assets of the organization, including the facilities, the personnel, the security systems and the current controls.

2.  Analyzing the Threat Level, based on either internal incident reports, or industry data, including the Uniform Crime reports. 

3. Identifying vulnerabilities in the organization, including surveying individuals at every level of the organization, from the local facility manager to the CEO to find out how they are implementing security in their workplace.

4. Identifying potential categories of loss, which help focus the security program on the problem areas.

5. Analyzing current Controls that are currently in place, or that could be added to protect an organization.

By gathering data in these 5 categories, it becomes possible to run scenarios that pair the threat and vulnerability, match it to organizational assets, analyze the loss potential, and evaluate the cost effectiveness of a variety of different controls and prioritize security controls by “bang for the buck”.

Using data-based security builds a bridge between executive management and the security professionals in the organization who now have an avenue for open communication and consideration of the role of security throughout the organization.




What’s the Risk of Backing Newt Gingrich?

Hundreds of the shakers and movers in the Republican party AND the Democratic party are doing their risk assessments this week on who to openly support, and doing the risk calculation on whether it is better to wait and see what emerges, or make their comments/endorsements now and worry about the fall out later!

Here is the kind of risk model for politics that people use, often unconsciously- to make those decisions. Political risk is especially tricky because there are 2 stakeholders to consider:

1. what’s good for ME personally
2. what’s good for THE PARTY, DISTRICT, or COUNTRY.

Here’s a list of threats that politicians worry about in a situation like this:

1. Lose my current position
2. Lose my Power in the Party/Coalition/Media
3. Lose campaign contributions
4. Lose voters
5. Lose tea party support
6. Lose respect from peers
7. Lose future election
8. Lose income
9. Look wrong in the media
10. Create bad sound byte
11. Face Reprisals Later from Establishment
12. Lose Media Support (however it exists).

More tomorrow on how to value the assets of an ongoing campaign.