RiskAssess On-line Risk Assessment Tool

Information security begins with a risk assessment, the cornerstone of effective computer security.  RiskAssess is an on-line expert system which incorporates a rules-oriented knowledge base constructed from a deep understanding of the operating practices of medical practices, up-to-the-minute knowledge of security threats and risks, and the risk-assessment methodology defined in NIST SP 800-30.  

RiskAssess begins with questions about the practice, for example:

  • Size of staff and number of offices

  • Type of operating system and number of stations in the network

  • Approach to applying operating system security patches

  • E-mail technologies and usage patterns

  • Attributes of any web site, internet connection and firewalls

  • Types of remote access to the system (on-line support from VAR, home access by physician to EMR) and security measures employed (VPN, etc.)

  • Type of virus protection and update procedures

  • Type of software used at practice (practice management, EMR, Word Processing, internet applications)

  • Use of wireless and/or portable equipment

  • Method of medical transcription (employees vs. contractors, on-location vs. at-home, e-mail vs. hand delivery, etc.)

Using its rules engine, RiskAssess creates a risk assessment report in the format specified in NIST SP 800-30.  Each report is reviewed by a security consultant as part of the quality assurance process, then e-mailed back.  This report serves as the starting point of the practice’s security management process.  
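To make the questionnaire-to-report flow concrete, here is a small rules-engine sketch added for illustration; it is not RiskAssess code, and the rules, answer keys (`patching`, `remote_access`, `vpn`, `wireless`, `wireless_encryption`, `antivirus_updates`, `transcription`) and sample practice profile are all constructed. It applies the likelihood/impact risk-level matrix from NIST SP 800-30 to answers on the topics listed above.

```python
# Illustrative rules-engine sketch in the style of a NIST SP 800-30 assessment.
# Added example, not RiskAssess code; rules and sample answers are constructed.

# NIST SP 800-30 (2002) qualitative scales: likelihood weights and impact values.
LIKELIHOOD = {"Low": 0.1, "Medium": 0.5, "High": 1.0}
IMPACT = {"Low": 10, "Medium": 50, "High": 100}

def risk_level(likelihood: str, impact: str) -> str:
    """Risk-level matrix (SP 800-30 Table 3-6): score = likelihood x impact."""
    score = LIKELIHOOD[likelihood] * IMPACT[impact]
    if score > 50:      # High: >50 to 100
        return "High"
    if score > 10:      # Medium: >10 to 50
        return "Medium"
    return "Low"        # Low: 1 to 10

# Each rule: (predicate over questionnaire answers, threat, likelihood, impact, recommendation).
RULES = [
    (lambda a: a.get("patching") == "manual_irregular",
     "Exploitation of unpatched operating system vulnerabilities", "High", "High",
     "Adopt a scheduled, automated patch process"),
    (lambda a: a.get("remote_access") and not a.get("vpn"),
     "Interception of remote sessions (VAR support, physician home access to EMR)", "Medium", "High",
     "Require a VPN for all remote access"),
    (lambda a: a.get("wireless") and a.get("wireless_encryption") == "none",
     "Eavesdropping on an unencrypted wireless network", "High", "Medium",
     "Enable strong encryption on the wireless network"),
    (lambda a: a.get("antivirus_updates") == "manual",
     "Malware infection due to stale virus definitions", "Medium", "Medium",
     "Configure automatic virus definition updates"),
    (lambda a: a.get("transcription") == "email_unencrypted",
     "Disclosure of patient data in transcription e-mail", "Medium", "High",
     "Use encrypted transfer for transcription files"),
]

def assess(answers: dict) -> list[dict]:
    """Apply every rule whose predicate matches; findings come back in rule order."""
    return [{"threat": t, "likelihood": l, "impact": i, "risk": risk_level(l, i),
             "recommendation": r} for pred, t, l, i, r in RULES if pred(answers)]

# Constructed answers for a small practice (not a real client profile).
SAMPLE = {"patching": "manual_irregular", "remote_access": True, "vpn": False,
          "wireless": True, "wireless_encryption": "WPA2",
          "antivirus_updates": "automatic", "transcription": "email_unencrypted"}

if __name__ == "__main__":
    for f in assess(SAMPLE):
        print(f"[{f['risk']}] {f['threat']} -> {f['recommendation']}")
```

On the sample profile the engine yields one High finding (patching) and two Medium findings (remote access without VPN, unencrypted transcription e-mail); the wireless and antivirus rules do not fire.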

RiskAssess provides the best results when VARs work with their clients to answer the questions and create the risk assessment.  The output is then used as the basis for subsequent discussions regarding products and services to mitigate the risks identified in the report.  

Individual User IDs and passwords are provided for each client using RiskAssess.  The VAR cost is negotiated on a per-client basis and can be priced to the client at the VAR’s discretion.  VARs can assign an itemized price to the client or bundle RiskAssess with a professional service charge for a HIPAA Security engagement. 

VARs are uniquely qualified to help their clients with the HIPAA-mandated security risk assessment.  RiskAssess supports the VAR with help from a certified security expert.  For more information on RiskAssess, contact Eagle at (216) 432-0519 or inquire via e-mail to Gary Pritts at Eagle Consulting.