But Reny Mathew, InfoSec Analyst, and Reid Leake, Information Security and Compliance Analyst, both at Cambia, thought they could get a lot more from HIPAA assessments: understand risk in financial terms, provide data for cost-benefit analysis and justify investments for protecting data – with FAIR™ (Factor Analysis of Information Risk).
Watch the 30-minute video of the Cambia session at FAIRCON2020, Enhancing HIPAA Risk Assessment with FAIR. A free FAIR Institute membership is required – join the FAIR Institute now.
They saw that nine mandated steps in HIPAA risk analysis…
…and so on, all neatly lined up with the FAIR model and method.
To launch and get up to speed quickly on a FAIR program, Cambia partnered with RiskLens and took advantage of the Rapid Risk Assessment capability of the RiskLens platform. In a three-day period, they identified key assets that were in scope, and a list of 25 primary risks (or loss events), then chose a subset for deeper analysis.
The Cambia team also learned that the collaborative process of gathering data for FAIR analysis, including interviews with SMEs and discussions (even disagreements) among stakeholders, yields far richer insights than simple controls maturity scoring.
As Reny Mathew explained, the learnings included these points:
The Cambia team also came away with a list of tips for overcoming challenges in FAIR analysis – watch the video to learn more (but first join the FAIR Institute, free to risk, security and business professionals and students).
Related:
FAIR Institute and HITRUST Plan Integration of FAIR Standard and HITRUST CSF
3 Steps to Combine MITRE ATT&CK and FAIR to Focus Cyber Risk Management
Secrets to Gathering Good Data for a Risk Analysis