Comprehensive Healthcare Risk Assessment CHRA

Multi-Framework Healthcare Risk Assessment

The Drummond Comprehensive Healthcare Risk Assessment evaluates your security controls against ISO 27001/27002, HIPAA/HITECH, and NIST 800-53 simultaneously—one engagement, one consolidated report.

Three Frameworks. One Assessment. One Report

The Drummond Comprehensive Healthcare Risk Assessment (CHRA) is an expert-led, multi-framework security and compliance assessment built for healthcare organizations.

A CHRA evaluates how well your organization protects sensitive data, including protected health information (PHI), by measuring controls against three recognized frameworks simultaneously: HIPAA, NIST 800-53, and ISO 27001*.

Most healthcare organizations face overlapping regulatory requirements but lack the resources to assess them separately. Running distinct HIPAA, ISO, and NIST assessments with different firms creates redundant effort, inconsistent findings, and fragmented reporting. The CHRA delivers a unified view of risk and compliance in a single engagement.

Evaluate controls across 16+ security domains including information security policies, access controls, network security, physical security, incident management, and electronic health records.

Receive structured risk analysis for every finding: Impact Rating, Probability Rating, Risk Level Classification, and Specific Recommendations—mapped simultaneously to HIPAA, NIST 800-53, and ISO 27001.

The CHRA is designed for healthcare providers, hospital systems, health IT companies, and their business associates that need to demonstrate compliance across multiple frameworks—particularly those facing simultaneous HIPAA, NIST, and ISO obligations without the resources to address each separately.

* Please note: the ISO 27001 component of the CHRA is a gap assessment against the ISO 27001 control set, not a formal ISO 27001 certification audit.

Why Healthcare Organizations Choose Drummond

Multi-Framework

Running separate ISO, HIPAA, and NIST assessments with different firms creates redundant interviews, inconsistent findings, and fragmented documentation. The CHRA eliminates that overhead. One Drummond engagement covers all three simultaneously, with each finding mapped across all applicable frameworks. 25+ years in health IT compliance means assessors understand how these frameworks intersect in real healthcare environments.

Built for Healthcare

The CHRA assessment covers 16+ security domains that include EHR-specific workflows, clinical area physical security walk-throughs, and federal tax information handling—requirements specific to healthcare that generic IT security assessments do not address.

Your assessment scope is tailored to your specific requirements including environment, size, number of locations, and data flows. Not a templated questionnaire.

Year-over-Year Trending

When conducted as a recurring engagement, the CHRA tracks progress against the same framework baseline year-over-year. Organizations can demonstrate measurable compliance improvement to regulators, auditors, and board-level stakeholders that goes beyond a point-in-time snapshot. This trending capability is particularly valuable for organizations under ongoing OCR scrutiny or CMS program participation requirements.

3rd Party Validation

Organizations that complete the CHRA receive the Drummond Validated™ seal—backed by 25 years in healthcare validation. The seal is recognized by healthcare enterprise buyers, business associates conducting vendor due diligence, and auditors requiring documented impartial third-party compliance evidence. Drummond’s assess-recommend-validate model ensures follow-on verification is independent and conflict-free.

Frequently Asked Questions

What is the Drummond Comprehensive Healthcare Risk Assessment (CHRA)?

The Drummond Comprehensive Healthcare Risk Assessment (CHRA) is an expert-led, multi-framework security assessment designed for healthcare organizations. It evaluates security controls against three frameworks simultaneously: ISO 27001 as the control baseline, mapped to HIPAA and NIST 800-53. The result is a single consolidated report addressing all three frameworks. The assessment covers 16+ security domains including clinical area physical security, EHR-specific controls, and federal tax information handling requirements. It is completed in a single engagement rather than requiring separate assessments for each framework.

How does the CHRA differ from a standard HIPAA Gap Assessment?

A standard Drummond HIPAA Gap Assessment evaluates controls against the five HIPAA Security Rule safeguard categories. The CHRA goes significantly further: it uses ISO 27001 as the control baseline (a more comprehensive framework) and maps every finding simultaneously to HIPAA and NIST 800-53. The CHRA also covers physical security walk-throughs, personnel security, business continuity, and 16+ domains that a HIPAA-only assessment may not address in depth. Organizations with multiple compliance obligations benefit from the CHRA's broader scope.

Does completing the CHRA result in ISO 27001 certification?

No. The CHRA uses ISO 27001 controls as the assessment baseline and identifies gaps against those controls. It does not result in ISO 27001 certification. ISO 27001 certification requires a separate formal audit process conducted by an accredited Certification Body. Drummond offers ISO 27001 certification as a separate service.

How long does a CHRA engagement take?

Most CHRA engagements are completed in four to eight weeks from kickoff to delivery of the final report. The timeline depends on your organization's size, number of locations, data flows, third-party relationships, and availability of key personnel for interviews. Drummond scopes each engagement based on the specific environment; larger, multi-site organizations may require more time. Get a Free Consultation to discuss your specific situation and confirm the expected timeline.

Is the CHRA a one-time or recurring assessment?

The CHRA can be conducted as a one-time engagement or as a recurring annual assessment. Drummond recommends recurring assessments for organizations that want to track compliance improvement over time against a consistent framework baseline. When conducted annually, the CHRA provides year-over-year trending that demonstrates measurable progress to regulators, auditors, and board-level stakeholders. Organizations that have experienced a significant change (e.g., new locations, major system deployments, acquisition activity) should schedule a reassessment regardless of the annual cycle.
