Compliance & Regulatory Audits
HIPAA/HITECH Compliance Assessment
It is vital that healthcare organizations know where they stand with respect to the new HITECH Act privacy and security standards, in order to achieve HITECH compliance and ensure that your data assets are properly safeguarded. A HITECH compliance audit from SECNAP is an important first step.
Failure to comply with regulatory standards can result in the exploitation of vulnerabilities by hackers and other cybercriminals. Identities may be stolen and sensitive or private information abused for malicious profit. Data breaches have far-reaching impacts, and cost the average U.S. organization $6.75 million per breach in terms of remediation, notification, customer churn and similar costs, according to an April 2010 report by the Ponemon Institute.
In just two months (April/May 2010) more than 15 data breaches, affecting more than 659,000 patients, employees and other individuals, were reported in the healthcare industry. Targets ranged from Aetna and Medicaid to private hospitals and medical centers.
SECNAP Network Security is a trusted advisor to clients in the healthcare industry, as well as their business associates, for our ability to effectively address their evolving security and privacy needs. By leveraging our comprehensive suite of compliance services, CIOs, CISOs, compliance officers and IT directors have been able to dramatically reduce vulnerabilities, enhance the protection of sensitive data, and substantially improve their organizations’ compliance positions.
Tools & Expertise
The explosion in healthcare regulation imposes enormous burdens on healthcare organizations as well as their business associates, who must exercise constant vigilance in safeguarding their information systems, transaction processes and sensitive databases.
Professionally certified SECNAP security auditors leverage a complete audit tool kit—in tandem with their extensive, in-depth experience in assessing compliance—to ensure that you receive thorough, actionable information as a result of your HITECH Compliance Assessment. Tools may include automated testing, network and wireless scans, personnel interviews, social engineering techniques, policy reviews, procedural and process evaluations, in-depth analyses and more.
By leveraging third-party support, healthcare providers ensure that experienced, objective experts are engaged appropriately, while in-house IT and audit staff are able to remain focused on mission-critical responsibilities. This is an especially attractive strategy for smaller providers who may lack the internal resources necessary to evaluate their HITECH compliance gaps.
Benefits of a HITECH Compliance Assessment
A SECNAP HITECH compliance audit provides a thorough evaluation of your overall security posture in order to identify vulnerabilities, assist you in making remediation decisions to achieve compliance, and ensure that your information and network assets remain safe from the rising tide of cybercrime. The HITECH Compliance Assessment will:
- Create a security benchmark for your organization with respect to specific compliance requirements of the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, including the Privacy Rule and Security Rule, Standards for the transport, exchange and protection of PHI, and more.
- Identify the strengths and weaknesses of current security practices, including transactional PHI encryption.
- Prioritize the exposures which present the greatest risk.
- Deliver risk mitigation recommendations that address HITECH HIPAA-centric compliance requirements, applicable CFR standards, and best business practices for your organization and industry.
Assessing HITECH Compliance Preparedness
A HITECH Compliance Assessment is a vital tool in achieving compliance by gauging an organization’s compliance-readiness. This review of information flows, policies and practices provides a framework for understanding the scope of remediation required for HITECH compliance. It also assists in identifying key business associates, updating related processes, and planning for development of compliant documentation and programs.
Encryption Requirements for PHI
The federal government continues to drive nationwide conversion to electronic health records (EHR), most recently earmarking $20 billion in IT infrastructure, Medicare and Medicaid incentives to encourage the healthcare industry to record, transmit and exchange patient health information electronically. The proliferation of electronic records and transmission demands that protected health information (PHI) be adequately safeguarded.The HITECH Act requires the encryption of PHI according to standards promulgated by the National Institute of Standards and Technology (NIST) and specified in CFR §170.210.
It further requires that patients and other individuals be notified in the event of a data breach, or unauthorized disclosure or use of their health information. While costly and labor-intensive, such notification can be avoided provided that the PHI is encrypted. However, if PHI is unprotected and unauthorized disclosure occurs, the negligent organization is required to promptly and clearly notify affected individuals of the data breach and what actions are underway to address it.
Vulnerabilities in IP Addresses and Network Devices
The HITECH Compliance Assessment will assist you in applying these requirements by identifying the sources of unsecured PHI and other personal information. Various transmission-related components will be evaluated, leveraging a suite of more than 13,000 specific tests and including but not limited to these activities:
- Inventory of all servers, hosts and services on network
- External penetration and vulnerability testing on all external IP addresses
- Internal vulnerability testing on all IP devices on network
- Full port scanning for every external IP address on network
- User password policy testing
Vulnerabilities in Procedures and Policies
Human error, negligence, and malicious employee intent can undermine even the best systems and safeguards, and the revolution in remote access via laptops and smartphones adds an unprecedented layer of exposure. The HITECH Compliance Assessment addresses these and other components of the overall security landscape through:
- Review of written IT security policies in detail and comparison to actual implementation
- Review of physical security policies and comparison with written policies
- Review of security exception handling procedures, including HIPAA breach notification policy
- Review of encryption specifications
- Review of Internet use policy
- Review of firewall rules and logging
- Review of laptop, smartphone and remote access security
- Interviews of select personnel to evaluate security awareness and policy implementation
- Review of audit controls
- Electronic and manual checks of authorization controls to ensure effectiveness in preventing unauthorized information access
- Review of computer incident response follow-up procedures to ensure intended and accidental alarms are fully investigated, loss determined, and methods implemented to minimize damage and prevent similar intrusions
- Review of security management processes to ensure adequate protections exist to avoid abuses
- Review of physical safeguards and technical security mechanisms to confirm they are adequate to ensure compliance.
Upon completion of the HITECH compliance assessment, deliverables include a draft and final Detailed Report, Executive Summary, and supporting data including scan results. You will have a complete picture of current vulnerabilities along with the actions you can take to address them in order to bring your security program up to date and into compliance.