The Carosh Security Risk Assessment focuses on 45 CFR 164.308(a)(1), with an in-depth analysis of the three key areas: Administrative, Physical and Technical safeguards. The determination of risk for a particular threat or vulnerability is a function of:

  • The likelihood of a given threat-source’s attempting to exercise a given vulnerability.
  • The magnitude of the impact should a threat-source successfully exercise the vulnerability.
  • The adequacy of planned or existing security controls for reducing or eliminating risk.

These Security Rules identify over 78 controls, including “required” and “addressable” controls; each is evaluated and included in the delivered Gap Analysis as the first step in the compliance process.