HIP – Two

HIPAA Implementation Model Two

Yearly Renewable License

Our HIP TWO model provides a Cybersecurity Risk Assessment with a set Voluntary Guidelines through a Software as a Service (SaaS) automated reporting Client Portal.

Our automated Cybersecurity Framework (CsF) Program is made possible through our partnership with ACR2 Solutions.  Experts in the field of Risk Management and IT Compliance Solutions, their tools provide state of the art automated software as a service (SaaS) on risk management. 

CsF’s consists of standards, guidelines, and best practices to manage cybersecurity-related risks.  The Cybersecurity Framework’s was specifically designed as a prioritized, flexible, and cost-effective approach for protection and resilience of critical infrastructure and other sectors important to the economy and national security.

Although HIPAA is mandated, CsF  provides “voluntary guidance”.   “Voluntary” except for sub-contractors with a Department of Defense contracts who are required to comply with DFARS clause 252.204-7012, commonly referred to as NIST 800-171.  Compliance is accomplished through use of NIST’s Framework for Improving Critical Infrastructure Cybersecurity; otherwise known as the Cybersecurity Framework. 

Cybersecurity Risk Assessment

Step 1. System Characterization (Section 3.1)
Step 2. Threat Identification (Section 3.2)
Step 3. Vulnerability Identification (Section 3.3)
Step 4. Control Analysis (Section 3.4)
Step 5. Likelihood Determination (Section 3.5)
Step 6. Impact Analysis (Section 3.6)
Step 7. Risk Determination (Section 3.7)
Step 8. Control Recommendations (Section 3.8)
Step 9. Results Documentation (Section 3.9)

Manual risk assessment using the NIST protocols is a long process. A typical small organization could require up to 3 days of expert services from an experienced consultant who has mastered the NIST protocols.

However, many of these steps can be automated using standard expert system computer simulation methods well known to persons skilled in the field. Learn More…


Cybersecurity Framework – Voluntary Guidelines
Function and Category Unique Indentifiers

Function Unique IdentifierFunctionCategory Unique IdentifierCategory
IDIdentifyID.AMAsset Management
  ID.BEBusiness Environment
  ID.RARisk Assessment
  ID.RMRisk Management Strategy
  ID.SCSupply Chain Risk Management

The Cybersecurity Framework was developed as a means to standardize best practices in cybersecurity across organizations. To assist providers with implementing the Framework, while remaining in compliance with the HIPAA Security Rule, the Department of Health and Humans Services Office for Civil Rights (“OCR”) published a HIPAA Security Rule Crosswalk (“the Crosswalk”) to tie the standards together and help strengthen cybersecurity preparedness.

Specifically, the Crosswalk “maps each administrative, physical and technical safeguard standard and implementation specification in the HIPAA Security Rule to a relevant NIST Cybersecurity Framework Subcategory.”

The expected result is that the new guidance will aid both compliance with the HIPAA Security Rule and overall cybersecurity of healthcare organizations.

Optional Services

Security Awareness Training and Testing

Our staff Security awareness training is provided through our Client’s Portal and includes the following:

  • Course materials in an on-demand video streaming format
  • Testing that documents subject mastery
  • Course certificates to training attendees by email
  • Log of all tests results for all employees, temps and contractors
  • Custom training and testing options are available

Includes flexible security and privacy reminders tool for keeping  documentation of your efforts to comply with staff training mandates

1-Year HIPAA On-line Implementation Service

We also offer a one-year (hand-holding) program where one of our consultant meets monthly with your Compliance Officer for the purpose of guiding them through HIPAA implementation. 

The meeting is for 1 hour per month on a pre-established scheduled date to discuss and provide guidance on HIPAA policies and procedures.

Provided your Compliance Officer attends each monthly session and completes the work, within the year, most of your HIPAA policies and procedures should be implemented. 

Cybersecurity Framework Automated Compliance Client Portal

The Automated Risk Management program from our Vendor ACR2 features safeguards from NIST 800-53. Mapping of these safeguards to the four threat sources (Environmental, Human error, Malicious insider and Malicious outsider) is done by inspection. For each threat source, the vulnerable areas of management (Procedure implementation and Internal controls), operations (Data acquisition, Data storage, Data retrieval, Data modification, Data transmission), and technology (System Design) are also fairly obvious. With over 7,000 entries, this mapping is complex and time consuming, but fairly rigorous.

The validation of the safeguards map into an expert system computer program was done
by observing experienced risk assessment consultants and tweaking the risk calculation
engine to produce the same results using either a human expert or the expert system computer program. The development team had access to federally audited risk assessments, which greatly facilitated the validation process.

Information security risk assessments produced with this automated system have been audited by dozens of OCC, FDIC and HHS experts. No failed audits have been experienced.

  1. Program automates many of the processes required for real compliance all the way to “real time”
    1. Utilizes state of the art Department of Defense (DOD) technology SCAP Scanners and automated syslog parsing to save time
    2. Most “tools” are just snapshots taken by consultants
  2. Cybersecurity Framework Guidelines Automated Tools
    1. Assessment uses NIST’s latest guidance
    2. Program is NIST based which is directly traceable to Federal Standards
  3. Massively Scalable and Flexible
    1. Compliance Portal for quick management of all your risk assessment sites (Single to 1,000’s sites)
    2. Single site, Enterprise and Megaprise offerings
  4. Document Management and Logging System
    1. Program has an interface that logs all submitted activities and uploaded documents
    2. Documents your activities – proof of actions taken and by whom
    3. Tracks all training with easy to use tests
  5. Compliance Task Scheduler for managing ongoing compliance
    1. Able to send 1 email to 1 person or perodic emails to groups
    2. Annual Subscription with unlimited access for a ‘real ongoing’ Compliance program