Why Outsource Your Risk Analysis?

I’ll admit, I’m a little biased when clients ask if they should outsource their risk analysis. After all, I'm a HIPAA consultant and expert with a practice that focuses on risk assessment and penetration testing; I make my living conducting risk analysis. But, my bias aside, I genuinely believe that most healthcare organizations are better off outsourcing their risk analysis.

For more information on why you should outsource your risk analysis and how to meet regulations, download our free eBrief, "6 Reasons You Should Outsource Your Risk Analysis".


There are a number of reasons for this. One is that most organizations don’t have the resources or the expertise for the methodical process a risk analysis requires. Self-assessment tools, such as the one provided by the ONC, are problematic because they are often poorly designed and produce inaccurate results.

Another reason to outsource is that accuracy matters: an inadequate risk analysis is just as dangerous as skipping it altogether. Advocate is a prime example. They had actually performed a risk analysis, but it wasn’t as robust as it should have been, so their corrective action required a better, more adequate risk analysis:

“All Advocate facilities, whether owned or rented, and evaluate the risks to the ePHI on all of its electronic equipment, data systems, and applications controlled, administered or owned by Advocate or any Advocate Entity, that contain, store, transmit, or receive ePHI… a complete inventory of all of its facilities, electronic equipment, data systems, and applications that contain or store ePHI...”

Let’s not forget that risk analysis is the cornerstone of all your information security activities. Meaningful Use is a critical initiative for healthcare organizations, and risk analysis is requirement #1 (Protect ePHI) for the modified stage 2 criteria. It’s a requirement that you don’t want to mess around with because, let’s face it, your reputation is at stake. You want to keep your security and privacy on lockdown.

Lastly, you should consider outsourcing because regulators and experts will have more faith in the result. Third-party risk analyses are considered more objective and credible by regulators. As an information security specialist, I’ve had the opportunity to talk with regulators, experts and auditors, and without fail they see a third-party assessment as more objective. Organizations that self-assess are usually unable or unwilling to take the steps necessary to comply with the risk analysis requirement, even if they have the expertise to conduct one.
