IT Assessment

Health information technology assessment


Click here to download our HIPAA requirements overview!

The Administrative Safeguards provisions in the Security Rule require covered entities to perform risk analysis as part of their security management processes.

A risk analysis process includes, but is not limited to, the following activities:

  • Evaluate the likelihood and impact of potential risks to e-PHI;
  • Implement appropriate security measures to address the risks identified in the risk analysis;
  • Document the chosen security measures and, where required, the rationale for adopting those measures; and
  • Maintain continuous, reasonable, and appropriate security protections.

Risk analysis should be an ongoing process, in which a covered entity regularly reviews its records to track access to e-PHI and detect security incidents, periodically evaluates the effectiveness of security measures put in place, and regularly reevaluates potential risks to e-PHI.

HITECH – Meaningful use

IDTSOA offers a comprehensive and competitively priced computer based risk analysis (CBRA) that meets the required standards for meaningful use.

Controls Based Risk Assessment-

The Controls Based Risk Assessment is used to provide insight into the types of controls in relation to the classification level of information present on each information asset of the organization.


  • A clear description of each information asset
  • Classification of information on that asset
  • Initial risk of the asset
  • Description of controls and types of controls
  • Covering the asset
  • Residual risk after mitigation
  • Prioritized suggestions for improvement
External Vulnerability Assessment-

The External Vulnerability Assessment is designed to not only test available ports and services for known vulnerabilities, but also checks various Internet resources for information that would be harmful or present an exposure to the organization.


  • Identification of detected external vulnerabilities
  • Documentation of ports and services available to “anonymous” sources
  • Documentation of external information from various resources that may present concern to the organization
  • Prioritized suggestions for improvement and mitigation
Internal Vulnerability Assessment-

The Internal Vulnerability Assessment is designed to test available ports and services for known vulnerabilities, as well as various configurations, patch levels and architecture that may be detrimental to the security stance of the organization.


  • Identification of detected vulnerabilities
  • A prioritized list of mitigation steps
  • Documentation of ports and services evaluated
  • Documentation of detected configuration issues
  • An executive level overview report
  • A technical level report

To get a price estimate or if you have additional questions about the CBRA, please call a representative at (800)735-4850.