EPISODE · Mar 17, 2026 · 15 MIN
Why Your Security Risk Analysis is Probably Wrong (ep. 3 Part 1)
from Practical Cybersecurity with Jen Stone · host SecurityMetrics
Are your IT or cloud providers handling your security? Does your site claim you're "HIPAA Compliant"? Donna Grindle, CEO of Kardon and co-host of Help Me With HIPAA, delivers a massive reality check for small business owners. We break down the difference between gap analysis and a true SRA, why IT speaks a different language, and how the "CREMATE" method finds your data.Key TakeawaysResponsibility Can't Be Outsourced: Cloud apps and IT companies don't make you secure; you outsource liability, not responsibility.Real SRA vs. Gap Analysis: If your risk analysis lacks likelihood, impact, and strategy, it’s just a gap analysis—and you're exposed.CREMATE Your Data: Map PHI by tracking where you Create, Receive, Maintain, and Transmit itBusiness Associates (BA): If unauthorized access by a vendor would count as a breach, they are a BA.Documentation & AI: Use AI to draft policies from your bullets, but treat it like a fallible assistant and always verify the output.Frameworks: Use HICP 405(d) to get IT and management speaking the same security language."If you put on your website that you're HIPAA compliant, immediately I'm concerned." — Donna GrindleLinks:Kardon: https://kardonhq.comHelp Me With HIPAA Podcast: https://helpmewithhipaa.com/HHS Website: https://www.hhs.gov/about/agencies/asa/ocio/cybersecurity/security-awareness-training/index.htmlHICP 405(d) Guidelines: https://405d.hhs.gov/Timestamps0:00 – Why a "HIPAA Compliant" Badge is a Red Flag1:26 – Understanding HIPAA Covered Entities & Obligations2:14 – The Difference Between Awareness Training and Security3:18 – Why Your SRA Might Just Be a Gap Analysis4:40 – Building an Inventory: You Can’t Protect What You Don’t Find6:22 – Using the "CREMATE" Method for Data Mapping8:21 – Why IT Cannot Be the "Department of No"9:40 – Standardizing Communication with the HICP 405(d) Framework10:41 – How to Document Your Policies (and Use AI to Help)12:39 – The Easy Way to Tell if a Partner is a Business Associate13:50 – Business Associate Red FlagsA note from Jen: We built Practical Cybersecurity because we were tired of the fear-mongering in this industry. Security shouldn't be a secret club.If you're trying to figure out PCI compliance or need a pen test, my team at SecurityMetrics can help you out: https://www.securitymetrics.com/contact/lets-get-you-to-the-right-place But if you just want to learn how to protect yourself for free, start here: https://academy.securitymetrics.com/
What this episode covers
Are your IT or cloud providers handling your security? Does your site claim you're "HIPAA Compliant"? Donna Grindle, CEO of Kardon and co-host of Help Me With HIPAA, delivers a massive reality check for small business owners. We break down the difference between gap analysis and a true SRA, why IT speaks a different language, and how the "CREMATE" method finds your data. Key Takeaways Responsibility Can't Be Outsourced: Cloud apps and IT companies don't make you secure; you outsource liabilit...
NOW PLAYING
Why Your Security Risk Analysis is Probably Wrong (ep. 3 Part 1)
No transcript for this episode yet
Similar Episodes
Mar 26, 2026 ·1m
Jan 2, 2026 ·47m
Dec 21, 2025 ·46m