News Feature | October 17, 2014

Risk Assessment: A Smart Investment For You And Your Healthcare IT Clients

By Megan Williams, contributing writer


Due diligence is the foundation of any good client relationship, and a proper risk assessment is an indispensable tool in accomplishing that work.

Regulations like HIPAA, the HITECH Act, and the Omnibus Rule have made risk assessment even more complex to navigate. Thankfully, there are resources and tools you can use not only in your own work, but also as a marketable service for a client base that is increasingly concerned with organizational health around data and information security.

Potential Benefits

It’s essential that you know what you’re getting into before you commit to any work with a customer.

According to Mark Winter, VP of Sales for RapidFire Tools, performing a risk analysis means that you “get a baseline snapshot of what you’re inheriting. It’s a bad way to start a relationship to not be aware of problems and to have to go back and immediately increase your price.”

It can also help you bring in new business. Bob Coppedge, CEO of Simplex-IT, says that his company performs risk analysis as an assessment tool to generate reports for prospects. He notes that they also find issues, but that once the issues are found, they allow the prospect to contact their existing solutions provider. It’s a win-win: if the current vendor didn’t know anything about the issue, they appear incompetent. If they knew but didn’t do anything, the customer is aware of a service issue.

Additionally, assessments can be used to generate revenue by offering them as a paid service. Dan McCoy, an IT service provider, uses this method and has found that 75 percent of prospects who sign on for the assessment actually end up purchasing service with him. Assessments can also be used as a revenue generation tool when packaged as a maintenance or “checkup” type service.

HIMSS Toolkit

HIMSS has launched a toolkit composed of resources to help healthcare entities (and solutions providers) understand assessments and to serve as “a foundational step in the development of a comprehensive security program.” Security risk assessments are required by the HIPAA Security Rule and the CMS Meaningful Use Incentive Program.

The toolkit introduction includes the following documents available for download:

  • Introduction to the Risk Assessment Toolkit and Security Risk Assessment Basics
  • HIMSS Security Risk Assessment Guide/Data Collection Matrix
  • How to use the HIMSS Security Risk Assessment Guide/Data Collection Matrix
  • Sample Risk Assessment for Cloud Computing
  • Sample Risk Assessment for a Physician Practice