Practical Cybersecurity with Jen Stone

Why Your Security Risk Analysis is Probably Wrong (Part 1)

SecurityMetrics Season 1 Episode 3


Are your IT or cloud providers handling your security? Does your site claim you're "HIPAA Compliant"? Donna Grindle, CEO of Kardon and co-host of Help Me With HIPAA, delivers a massive reality check for small business owners. We break down the difference between gap analysis and a true SRA, why IT speaks a different language, and how the "CREMATE" method finds your data.

Key Takeaways

  • Responsibility Can't Be Outsourced: Cloud apps and IT companies don't make you secure; you can outsource the work (and some liability) to a vendor, but the responsibility for protecting the data stays with you.
  • Real SRA vs. Gap Analysis: If your risk analysis lacks likelihood, impact, and a mitigation strategy for each risk, it's just a gap analysis, and you're still exposed.
  • CREMATE Your Data: Map PHI by tracking where you Create, Receive, Maintain, and Transmit it.
  • Business Associates (BA): If unauthorized access by a vendor would count as a breach, they are a BA.
  • Documentation & AI: Use AI to draft policies from your bullets, but treat it like a fallible assistant and always verify the output.
  • Frameworks: Use HICP 405(d) to get IT and management speaking the same security language.

"If you put on your website that you're HIPAA compliant, immediately I'm concerned." — Donna Grindle

Links:

Kardon: https://kardonhq.com

Help Me With HIPAA Podcast: https://helpmewithhipaa.com/

HHS Website: https://www.hhs.gov/about/agencies/asa/ocio/cybersecurity/security-awareness-training/index.html

HICP 405(d) Guidelines: https://405d.hhs.gov/

Timestamps

0:00 – Why a "HIPAA Compliant" Badge is a Red Flag

1:26 – Understanding HIPAA Covered Entities & Obligations

2:14 – The Difference Between Awareness Training and Security

3:18 – Why Your SRA Might Just Be a Gap Analysis

4:40 – Building an Inventory: You Can’t Protect What You Don’t Find

6:22 – Using the "CREMATE" Method for Data Mapping

8:21 – Why IT Cannot Be the "Department of No"

9:40 – Standardizing Communication with the HICP 405(d) Framework

10:41 – How to Document Your Policies (and Use AI to Help)

12:39 – The Easy Way to Tell if a Partner is a Business Associate

13:50 – Business Associate Red Flags

A note from Jen: We built Practical Cybersecurity because we were tired of the fear-mongering in this industry. Security shouldn't be a secret club.

If you're trying to figure out PCI compliance or need a pen test, my team at SecurityMetrics can help you out: https://www.securitymetrics.com/contact/lets-get-you-to-the-right-place 

But if you just want to learn how to protect yourself for free, start here:  https://academy.securitymetrics.com/