Security Risk Analysis

Certification and Regulatory Compliance

An accurate assessment of potential risks is essential to your entity’s health in relation to ongoing compliance with information security regulations and standards. Whether you’re a covered entity or business associate subject to HIPAA, or an organization looking to certify for ISO or SOC, Apgar & Associates, LLC’s Security Risk Analysis (SRA) services help your organization reduce the risk of non-compliance with Security Rule requirements, meet MACRA requirements for an SRA, and protect you from other threats such as legal risk and other tangible and intangible costs. The security risk analysis is also an essential step in checking the strength of your security program and preparing for ISO or SOC 2 certifications.

The HIPAA Security Rule: A reminder

If you use, disclose or store ePHI (electronic Protected Health Information), HIPAA’s Security Rule mandates that covered entities and business associates periodically conduct a Risk Analysis. The Security Rule describes the Risk Analysis as including “an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity and availability of electronic Protected Health Information.”[1] This mandate also applies to non-electronic PHI per the HIPAA Privacy Rule.[2]

Security Risk Analysis Activities

Whether you’re a hospital preparing for an OCR HIPAA audit or an organization preparing for SOC 2 certification, the SRA cycle is surprisingly similar:

(Figure: Risk Analysis Cycle)

  • Prioritized asset inventory review
  • Threat and vulnerability identification
  • Existing security control evaluation
  • Impact and cost assessment

Security risk analysis techniques are applicable across industries and sectors. Once your risk analysis is complete, we classify each identified risk as high, medium or low. You then receive a Risk Analysis Report to use as a tool to plan risk mitigation and present strategies to senior management. We’ve also provided Simplified Risk Analysis guidelines.

Turn Security Risk Results into Risk Mitigation & Management

After the Risk Analysis, Apgar & Associates can help you turn the results into a Risk Management action plan, which will allow you to move your entity from risk-vulnerable to risk-managed, using step-by-step risk mitigation activities.

Apgar & Associates’ privacy and security experience stems from years of working with covered entities and business associates, financial firms and digital application developers, single professional offices to multi-national corporations.

For more information about our Risk Analysis services, contact us via email or at 503.384.2538.

[1] 45 CFR 164.308(a)(1)
[2] 45 CFR 164.530(c)

"AIS has worked with Chris Apgar regularly on HIPAA privacy and security issues for more than 10 years and our experiences with Chris, in every instance, have been outstanding. He is incredibly knowledgeable, very responsive, and a true pleasure to work with, in every respect."

Richard Biehl, Publisher
Atlantic Information Services, Inc.

Mailing & Office Address

Apgar and Associates, LLC
P.O. Box 80278
Portland, OR 97280
p 503-384-2538
p 877-376-1981

7100 SW Hampton St.
Suite 137
Tigard, OR 97223