Culminating Project Type: Information Assurance: M.S.
Information Assurance and Information Systems
Herberger School of Business
Creative Commons License
This work is licensed under a Creative Commons Attribution-Noncommercial-No Derivative Works 4.0 License.
Keywords and Subject Headings: HIPAA, risk assessment, cyber security, information security, healthcare, clinic
Cyber security risk assessments in the healthcare industry are legally required and demand an ongoing investment of time and resources. Small healthcare clinics are less likely to have streamlined processes in place to meet these requirements. This work presents two case studies featuring qualitative Health Insurance Portability and Accountability Act (HIPAA) security risk assessments of small dental clinics using the free Security Risk Assessment (SRA) tool provided by the US Department of Health and Human Services. One clinic used a cloud service provider to safeguard protected health information (PHI), while the other used an on-premises server. The data revealed detailed information about the cyber risk posture of each organization within the scope of the HIPAA Security Rule. The analysis included suggestions to mitigate the compliance gaps and vulnerabilities found in each environment. Based on the data gathered, a comparative analysis of using the cloud vs. on-premises infrastructure to manage PHI was conducted to provide insight into the need to balance security with other business requirements. This work provides greater context for the process of conducting HIPAA-compliant security risk assessments, including the responsibilities that small healthcare providers must own to protect their business reputation in the event of a major security incident.
Lisbon, Scott, "A Comparative Analysis of HIPAA Security Risk Assessments for Two Small Dental Clinics" (2018). Culminating Projects in Information Assurance. 55.