
GDPR and Windows 10 Compliance

This is the second post in a 2-part series on GDPR. Guest post written in collaboration with Microsoft.

On April 14, 2016, the European Union (EU) ratified the final version of the General Data Protection Regulation, aka GDPR. The new GDPR regulation has been characterized as the most sweeping and impactful change to privacy and data protection regulations in history. GDPR goes into effect on May 25, 2018 with broad-reaching implications for EU-based organizations and multinationals around the globe. It is critical to note that GDPR imposes new rules on organizations that offer goods and services to people in the EU or that collect and analyze data tied to EU residents, no matter where they are located. This means that US-based healthcare covered entities and organizations defined as controllers or processors of an EU citizen’s or resident’s healthcare data will be directly affected by GDPR and must be prepared to meet these regulatory requirements.

The General Data Protection Regulation (GDPR) sets a new bar for privacy rights, security, and compliance, which will be enforced through heavy penalties. Microsoft has made the commitment that all its online services will be GDPR compliant and backed by contract, providing assurance that its customers’ personal information is protected and handled in compliance. With privacy-by-design as a core guiding principle, Microsoft provides a comprehensive set of software and services to enable customers to meet their GDPR requirements. Microsoft recognizes that end-to-end compliance is required and must be implemented as a holistic process across the organization, including (and beginning with) the protection of endpoints. Windows 10 enables organizations to begin their GDPR compliance journey.

GDPR Focus: Data Protection and Security – Not Technology

Like the HIPAA regulations, GDPR makes no direct reference to technical or technology requisites. However, GDPR does require organizations to build a holistic and structured approach to data protection and overall security.

More specifically, GDPR states the following:

(Art. 24.1) Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.

(Art. 24.2) Where proportionate in relation to processing activities, the measures referred to in paragraph 1 shall include the implementation of appropriate data protection policies by the controller.

(Art. 28.1) Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.

Microsoft GDPR Readiness and Assessment Tool

Microsoft Windows 10 enables an organization’s GDPR security and privacy requirements with its cloud-enabled security stack that includes device protection, identity protection & management, information protection, threat detection and protection, and security management and operations. For example, beginning with the Windows 10 Anniversary Edition, Microsoft includes the Windows Information Protection (WIP) component that provides integrated protection against accidental data leaks.

With WIP, Windows 10 can:

  • Protect data at rest locally and on removable storage
  • Enable corporate versus end user data to be identified wherever it rests on the device with the ability to wipe that data
  • Provide a common experience across all Windows 10 devices, prevent unauthorized apps from accessing business data, and prevent users from leaking data through copy-and-paste protection
  • Enable seamless integration into the Microsoft cloud platform

GDPR and the Impact on U.S. Healthcare Providers

A new acronym has begun popping up within the healthcare technology community and is slowly beginning to gain momentum in the way of media coverage and industry articles. If you’ve heard the term GDPR in the past few months and did not understand what it was referring to, know that you’re not alone. In fact, we conducted a recent webinar poll with over 300 registrants and found that 81% of providers did not know what GDPR was referring to, let alone its potential impact on the U.S. healthcare industry.

Defining GDPR

GDPR stands for General Data Protection Regulation, a new set of rules drafted by the European Union (EU) to give citizens more control over their personal data. Think of it as a “stricter” HIPAA for EU countries. Back in January 2012, the European Commission began working on plans to create data protection reform across the EU so that European countries would have greater controls in place to manage information in the digital age. Additionally, GDPR aims to simplify the regulatory environment for businesses so both European citizens and businesses can benefit from a digital economy. Fast forward six years, and in just a few short weeks GDPR will take effect internationally (May 2018).

The Stateside Implications

The primary question we are asking ourselves at HIPAA One is how this framework will impact U.S.-based healthcare providers. Here’s what we know: U.S. companies do not need to have business operations in one of the 28 member states of the EU to be impacted by GDPR. The new set of rules will hold organizations around the world that hold data belonging to individuals who live in the EU to a high level of protection, and they must be able to account for where every bit of that data is stored.

The good news is that a large majority of U.S.-based healthcare providers will be relatively safe in terms of complying with GDPR. If your organization is not actively marketing your services in the EU or practicing in the EU, a data breach in which an EU citizen’s PHI is compromised would most likely be your most realistic brush with GDPR. For instance, a walk-in clinic in New York City seeing many international tourists has a much higher chance of being impacted than, say, a rural clinic treating mostly local residents. Providers in larger cities with more diverse patient groups will need to be extra vigilant regarding their breach notification standards and security posture.

Controller vs. Processor

An important concept for healthcare entities to grasp when thinking about GDPR is controllers vs. processors, which can be defined similarly to the way we view covered entities and business associates. A processor (business associate) processes data on behalf of a data controller (covered entity) and is required to protect the data just as a controller would. Much like the HIPAA regulations, GDPR requires controllers and processors to ensure a level of security appropriate to the risk by implementing technical and organizational measures to mitigate that risk. One way that controllers or processors can demonstrate such compliance is by adopting existing leading practices such as COBIT, ITIL, NIST or ISO standards.

How to Prepare

With many unknowns still remaining about the true implications of GDPR for the American provider, there are a few ways your organization can prepare now to ensure a proper level of readiness.

  • Conduct HIPAA Security and Privacy and Breach Notification Risk Analysis – The HIPAA One SRA and PRA software addresses most of the recommended GDPR controls and checks the box on an important mandatory HIPAA requirement. Double win!
  • Review your current risk governance – An evaluation of your organization’s security posture is a great step in preparing for the growing international cybersecurity climate.
  • Conduct a GDPR Assessment – Our internal research concludes GDPR encompasses approximately 60% of the same standards and regulations as OCR’s HIPAA Audit Protocol (e.g. performing a HIPAA Security Risk Analysis per 45 CFR §164.308(a)(1)(ii)(A)). A complete and comprehensive set of Policies and Procedures can be used to bridge the gap of the remaining 40% of standards covered by GDPR.

Just as we try to do with all cybersecurity and HIPAA-related happenings both in the U.S. and abroad, the team at HIPAA One is committed to closely monitoring GDPR requirements and providing our readers with the most up-to-date information we have. As with all aspects of healthcare, sometimes it feels like the only constant is change. By getting your house in order now, your workplace will be well equipped to navigate any changes brought on by GDPR in the months and years to come.

Learn more about how your practice can get started with a bona fide HIPAA risk analysis today.

Cloud Security in Healthcare

Guest Blog by Yiannis Koukouras, TwelveSec in collaboration with HIPAA One

In our culture, something or someone is always trending. Whether it be bell-bottom jeans in the ’70s, playing Nintendo in the ’80s or watching the stock market go up and down (whenever!), trends are a lens through which we see the world. Much like trends in fashion or entertainment, our workplaces showcase various trends as well, and the healthcare information technology (HIT) community is no different. Currently, organizations migrating their data to cloud-based systems is a trend that shows no signs of slowing down anytime soon. The migration of healthcare records from “the closet down the hall” to the cloud is becoming commonplace for single-doc practices and large health plans alike. The cloud allows organizations of all sizes to compete effectively in the new digital era and stabilize costs.

As this IT shift occurs, we can’t help but wonder: is cloud security truly secure? After all, an organization may transfer its security risks to an external provider, but does that organization understand that the responsibility for safeguarding the data cannot be transferred? For example, under HIPAA/HITECH it is the responsibility of the data owner to report the breach and assume the costs even if the breach occurred at the Business Associate (45 CFR §§ 164.400-414).

Is Your Cloud Provider Really Secure?

Currently the marketplace is saturated with cloud service providers. Public providers like Amazon Web Services (AWS), Microsoft Azure or Google Cloud dominate the landscape and offer cloud services at very competitive prices. Despite their brand recognition and reputation, do we have any assurances that AWS or Microsoft Azure are secure? Is the feeling of security with these companies real or a convenient illusion?

The truth is that these public providers are by design very secure; however, they are also delicate and susceptible to common, simple and unintentional configuration errors that can lead to data leakage and/or data loss. Seat belts in automobiles are statistically proven to save lives, but it is still up to the driver and passengers to fasten them before the next drive. Within the last two years, over 1.5 million private medical records have become publicly available through Amazon Web Services due to misconfigured security settings on the customer side. The exposed data impacted organizations like Kansas’ State Self Insurance Fund, CSAC Excess Insurance Authority, and the Salt Lake County Database.

Cloud Security Impacts Everyone

The common misconception is that only small organizations pay little regard to cloud security. However, two stories recently became publicly known regarding military data exposed on the Internet. The first involved “dozens of terabytes” of social media posts identifying and profiling persons of interest for U.S. intelligence, while the other involved a classified toolkit for potentially accessing U.S. military intelligence networks. Both were found in open Amazon-hosted data stores, due to misconfigured access rights.

A large number of other data leakage stories have also made headlines recently, including major international players like Accenture, Verizon and Viacom. All of these stories have the same underlying theme: the affected companies were all placed in the awkward position of having to comment on misconfigured cloud accounts. These data breaches revealed that no cloud-deployed solution is bullet-proof, and that each is only as safe as its privileged users and administrators (the weakest link in the chain) allow it to be.

In an attempt to address cases like the aforementioned misconfigurations, in the 4th quarter of 2017 Amazon announced new security features and safeguards. These new features, which include data encryption and user warnings when data is publicly accessible, are a step in the right direction. However, because cloud services become more and more complex, with new features added every day, no one can rely solely upon these new features to secure their cloud infrastructure.

Tip of the Iceberg

Because these cases were discovered on large public cloud providers like AWS, Microsoft Azure and Google Cloud, one can easily assume that any organization, regardless of size, is at risk. As IT professionals, we can only speculate about the cloud security vulnerabilities of private cloud environments, as not many cases have been analyzed in the international literature. In private cloud systems, functionality is prioritized over security. Unrelated but interdependent configurations must be sorted out in a limited amount of time, using different and possibly incompatible software vendors. These characteristics showcase just some of the potential misconfiguration threats to the confidentiality of your data in private cloud storage.

It is important to remember that all the aforementioned risks are placed on healthcare providers while they try to remain HIPAA compliant, and they do not take into account the usual risks that apply to all online content. Negligent user activity or becoming a target of cyber-criminals remain valid risks that require urgent mitigation.

Cloud Security in Healthcare

Whether public or private, all cloud systems should be tested in order to identify vulnerabilities in an effort to become “cyber-proof.” Any exposure of sensitive data heavily impacts the image and reputation of healthcare providers. Cloud security testing is truly a necessity and should be implemented from the very first day your organization begins saving sensitive data on a cloud system. After weighing the cost of a data exposure, the value of investment in external IT security services absolutely increases.

At TwelveSec and HIPAA One, our group of certified consultants can offer your organization a thorough assessment of your cloud systems’ security posture. By identifying gaps and vulnerabilities that may harm your enterprise and customer data, we are able to work together to secure your systems and address the following:

  • Assess the security of your cloud infrastructure,
  • Review your cloud security policies and
  • Test your cloud Applications against unauthorized usage.

As a team at HIPAA One, we understand Platform-as-a-Service security concerns through first-hand experience. Contact us today for a free application security consultation to find the most effective way to ensure that the risks of unauthorized access to your organization’s data are minimized.

Missed your SRA in 2017? Here’s How to Avoid a MIPS Penalty

First, do your HIPAA Security Risk Analysis immediately to reduce the chances of a breach while maintaining compliance with all Federal reimbursement programs. With just mere days left before the March 31st MIPS submission deadline, if you have not already pulled together the necessary documentation for the previous calendar year, it is time to do so! For all those last-minute’ers, we have some guidance to assist in your efforts.

One of the most important concepts to understand about the 2017 MIPS program is the grace that is being extended by CMS. In fact, 2017 is being considered a “transitional year,” meaning providers do not need to have all three measurements in place to avoid penalties and gain incentives – GOOD NEWS! As a reminder, these measurements include: Quality Measures, Advancing Care Information (security risk analysis required) and Improvement Activities.

“Some key information on the process of submission is included in the Data submission fact sheet and a Merit-based Incentive Payment System (MIPS) data submission video.” – CMS Division of Health Information Technology

Additionally, if the provider is in an Alternative Payment Model (APM) group, CMS broke down the groups below:

For Shared Savings Program Participants

“ACOs in the Shared Savings Program submit quality measures to the CMS Web Interface on behalf of their participating providers and MIPS eligible clinicians. The Shared Savings Program measures and corresponding benchmarks will also be used to determine the MIPS quality performance category score for all MIPS eligible clinicians in each ACO. Therefore as long as your ACO submits all of the required Shared Savings Program Web Interface measures, then you do not need to report the MIPS quality performance category separately.”

For Next Generation ACO Model Participants

“ACOs in the Next Generation ACO Model submit quality measures to the CMS Web Interface on behalf of their participating clinicians. The Next Generation ACO measures and corresponding benchmarks will also be used to determine the MIPS quality performance category score for all MIPS eligible clinicians in each ACO.”

For All Other MIPS APMs

“Under the Quality Payment Program, the APM Entity group in these APMs will not be required to report quality in the first MIPS performance period. This does not change any CMS requirements to report quality measures as part of your participation in the APM.”

A few important FYI’s related to penalties:
  • To Avoid the 4% Penalty – Providers must submit something, at least one item from one of the measurements listed above
  • To Avoid the Penalty and ATTEMPT to Earn a Positive Payment Adjustment – Providers can participate partially and CMS determines payment based on what is submitted
  • To Avoid the Penalty and RECEIVE a positive payment adjustment – Providers will need to participate for the full year and complete all measurements
  • If No Participation or Action is Taken – A 4% penalty will be applied

In the event your workplace did not conduct a HIPAA security risk analysis in 2017, you can still avoid the 4% penalty by submitting something from the other measurement categories (Quality or Improvement Activities).

Finally, there is no time like the present to complete a bona fide HIPAA Security Risk Analysis! Checking this box will immediately reduce your chances of a breach while maintaining compliance with all Federal reimbursement programs. Get started today!

Consequences for HIPAA Violations

A recent HHS Office for Civil Rights email blast outlined a story that many of us have heard before: another business closed, with significant monies paid out in fines. Filefax, Inc. has agreed to pay $100,000 in order to settle potential violations of the HIPAA Privacy Rule. Once a medical records storage company for covered entities, Filefax shut its doors during the OCR investigation yet could not escape the additional fines and penalties that followed after its doors were closed. The bottom line: HIPAA violations do not stop just because a business closes.

The consequences of HIPAA violations are significant and far-reaching. Beyond the financial ramifications, organizations stand to lose their good reputation, client/patient trust and their ability to operate a business. It can take organizations months, even years, to recover from penalties, if they ever do. So why have so many of us read the headlines but not heeded the warnings?

What Qualifies as a HIPAA Violation?

A HIPAA violation occurs when either a covered entity (CE) or business associate (BA) fails to comply with one or more provisions of the HIPAA Security, Privacy or Breach Notification Rules. Violations may result for a number of reasons and may be deliberate or unintentional.

  • Example of a Deliberate Violation – Inadequate privacy training for clinical staff, which results in a patient complaint about their full identity being disclosed through a verbal announcement in a waiting area or hospital emergency room.
  • Example of an Unintentional Violation – Commonly this is a symptom of negligence, such as failure to complete a Security Risk Analysis, failure to employ encryption for laptops/electronic media resulting in loss/theft, or failure to maintain policies and procedures instructing staff members on how to appropriately handle protected health information (PHI).

Penalties and Fines

The penalties and/or fines administered by OCR are based on the severity of each HIPAA violation. Some HIPAA violations can be expensive, and they vary greatly in cost based on the level of negligence displayed. Contrary to what the headlines may lead you to believe, OCR will first strive to resolve violations using non-punitive measures, such as issuing guidance to help the provider fix the problem areas without issuing a fine; however, that is not always possible.

If a penalty is issued, it can range in cost from $100 to $50,000 per violation (or record), with a maximum penalty of $1.5 million per year for violations of an identical provision. OCR takes many different factors into account when determining the appropriate financial penalty and uses a four-tiered approach, as shown in the image below. A few of these factors include the number of patients affected, what specific data was exposed and for how long, etc. Along with the financial ramifications, HIPAA violations can also carry criminal charges that may result in jail time if warranted.

Avoidance is Key

Given that the stakes are high and much is on the line, how does a practice or organization protect itself against HIPAA violations? Show due diligence. The best task to start with is to complete a comprehensive, organization-wide HIPAA risk analysis to determine any gaps in compliance. Without a baseline knowledge of their security, privacy and breach-notification posture, both CEs and BAs operate day to day unaware of the security vulnerabilities that can directly lead to HIPAA violations and data breaches.

Unsure where your organization stands? Take our short 5-minute HIPAA compliance quiz designed to quickly outline your organization’s basic level of compliance.

We’ve Helped Many Access the LADMF! Need Assistance?

Last May, we wrote a “How To” blog on the Social Security Limited Access Death Master File (LADMF) aka DMF and the response has been overwhelming! The HIPAA One team is delighted by how many of you have come forward and asked us to assist your organization in accessing this file. As the rest of the industry catches up and the need continues to grow, we want to revisit the content again. Being that this file contains critical information for healthcare providers, continue reading on to learn “how and why” HIPAA One can act as an Accredited Conformity Assessment Body (ACAB) for your organization.

What is the LADMF?

The DMF is essentially a database maintained by the Social Security Administration that contains over 86 million records on deceased individuals. Used to verify death, the online file has many purposes and is used by a variety of users, including medical researchers, hospitals, oncology programs (tracking former patients and subjects), investigative firms (payment of pension funds), insurance organizations, etc.

In November 2016, changes were made to the access requirements for individuals or organizations seeking to access the DMF. Due to the sensitive nature of the information, coupled with an effort to prevent identity theft and fraud, individuals or entities must now submit a written attestation from an ACAB to prove that the appropriate systems, facilities and procedures are in place to safeguard the information and maintain its confidentiality and security.

Complete an SRA

In order for a healthcare entity to prove it has the appropriate safeguards in place to access the DMF file, it must complete a Security Risk Analysis (SRA). Along with a myriad of other benefits, an SRA accurately documents an organization’s safeguards and the subsequent remediation plan to correct any deficiencies. By completing an SRA, healthcare organizations prove their commitment to properly securing sensitive information and to building an overall “culture of compliance” across their workforce.

HIPAA One = ACAB

As your HIPAA compliance vendor, we are happy to offer our services and act as your ACAB if you used our software to complete your SRA*. However, we are unable to assume that role for clients who conducted an SRA independently or without using our tools.

If your organization meets our requirements and would like us to act as your accredited assessment body to access the DMF, these are the steps you must complete prior to sending us the attestation form:

  1. There is an annual fee for processing the LADMF Subscriber Certification Form; payment can be processed here: https://classic.ntis.gov/Search/Home/titleDetail?abbr=DMFCERT0002. Additionally, every three years a $525.00 processing fee for the LADMF ACAB Systems Safeguards Attestation Form is required.
  2. After the payment has been accepted, complete and submit the LADMF Subscriber Certification Form at https://dmfcert.ntis.gov. Certification must be renewed each year.
  3. An order number will be assigned to the organization.
  4. HIPAA One will then fill out the ACAB form free of charge.
  5. HIPAA One will submit the form on behalf of the client to the email address provided on the form.

*completed within the past 3 years, remote or onsite

EXAMPLE OF THE ACAB ATTESTATION FORM

Questions?

Contact us at info@hipaaone.com or call 801-770-1199 to speak with one of our experienced auditors.

Newly Released Whitepaper Co-Authored with Microsoft

The concept of the “Internet of Things” (IoT) is becoming an increasingly common topic of conversation as more and more companies connect the everyday objects around us to the internet, such as medical devices, appliances, voices and faces, HVAC systems, TVs, vehicles, money and health information. These devices are now able to record and exchange data about individuals’ behavior, habits and personal information through the cloud.

Microsoft Windows 10 Enterprise allows PC users to decide for themselves if they want their Personally Identifiable Information shared with the IoT, or not. In the healthcare industry where cybersecurity, privacy, and compliance can make or break an organization, Microsoft recognizes the importance of supporting these communities by designing our software and cloud services to be flexible, secure and to meet regulatory compliance mandates.

As a core component of Microsoft’s ecosystem, properly configuring Windows 10 Enterprise not only assists healthcare entities with HIPAA security and privacy compliance, but also introduces numerous security capabilities to help protect sensitive environments against dynamic and increasingly complex malicious cyberattacks, viruses and malware. Windows 10 Enterprise is highly evolved, with a built-in, deep-level security architecture balanced with industry-leading compatibility to drive improved user productivity. Threat, identity, and information protection risks are significantly reduced simply by using Windows 10 (you can read about some of Windows 10’s latest enhancements here).

Last year, we partnered with Microsoft and developed a detailed third-party recommendation on how to configure Windows 10 in a manner that maintains the security of PHI in accordance with HIPAA. It is with great excitement that we share the news that the latest version of the “HIPAA Compliance with Microsoft Windows 10” whitepaper, including updates found in the most recent Fall Creators Update, is now available. Any of our customers pondering an upgrade to Windows 10 will find assurance and value in the recommendations found in this whitepaper, and the real-world tested configurations will serve as a complement to their security baselines.

Download your copy today!


2017 Deadlines for EHR Incentive Programs

Does your workplace accept any payments from EHR incentive programs like MACRA or Meaningful Use? If so, the fourth quarter is probably a busy time preparing and finalizing documents for submission. At HIPAA One, we understand the amount of extra work that can add to a workforce. Therefore, we would like to provide a little assistance and guidance on the specific HIPAA security risk analysis requirement so there is not any delay in receiving those crucial payments.

Date to Remember

The Meaningful Use reporting deadline for this calendar year is December 31, 2017. To the best of our knowledge, an extension has not been granted; therefore all activities must be completed in the remaining 6 working days of the calendar year.

HIPAA Security Risk Analysis Requirement

As mentioned above, to qualify for Meaningful Use or MACRA (MIPS) dollars, an annual HIPAA security risk analysis is a requirement for every healthcare provider attesting. If your workplace were to be audited due to a patient complaint, random audit, etc., failure to have a current, documented HIPAA risk analysis could result in a mandatory requirement to give back awarded Meaningful Use dollars.

A HIPAA security risk analysis is not only a critical element in building a secure, compliant environment in any healthcare setting but also required under HIPAA. As a reminder, HIPAA requires organizations that handle electronic protected health information (ePHI) to regularly review the administrative, physical and technical safeguards they have in place to protect the security of the information. By conducting these risk assessments, health care providers can uncover potential weaknesses in their security policies, processes and systems. Risk assessments also help providers address vulnerabilities, potentially preventing health data breaches or other adverse security events. (SOURCE: HHS.gov)

In order to attest for Meaningful Use, your risk analysis needs to be completed in the same calendar year for which you are attesting. The Final Rule for MU Stage 3 states the following regarding protection of health information: “The measure must be completed in the same calendar year as the EHR reporting period. If the EHR reporting period is 90 days, it must be completed in the same calendar year. This may occur either before or during the EHR reporting period; or, if it occurs after the EHR reporting period, it must occur before the provider attests or before the end of the calendar year, whichever date comes first.” To learn more about the necessary supporting documentation for audits, click here.

There’s Still Time

If this post has increased your heart rate a little or given you reason to worry about the upcoming December 31st deadline, don’t fret! There is still time to complete a bona fide HIPAA security risk analysis using our automated, self-guided software.

Our sales team members would love to answer your questions. Get started now.

Not All Risk Analysis Tools Created Equal

One of our favorite phrases at HIPAA One is “free like a puppy.” Our President, Steven Marco, uses it regularly on webinars to convey the sentiment that nothing is ever truly free and there is always some kind of hidden string attached. This sentiment absolutely applies to some of the “free” HIPAA risk analysis solutions in the marketplace today. Regardless of whether you are seeking a spreadsheet/checklist or a paid software tool to complete your risk analysis, this post will review what you need to look for and how to spot a risk analysis phony.

Paid Services – External Consultants

Selecting a vendor or tool to complete your risk analysis is an important task and doing your due diligence is KEY. With a few questions and a bit of research, you can help protect your workplace from massive consequences should a patient complain or security issue arise down the line. Just because a vendor makes the claim that they will help you complete a bona fide HIPAA security risk analysis, does not mean that risk analysis would stand up (or pass) in an industry audit.

Before committing to a vendor, consulting firm or paper shredding company (hey, we’ve heard of it before!), it’s important to ask what’s included, what their audit track record (wins/losses) is, and what assurances they offer. Below is a list of what you need to be looking for in a risk analysis solution or service:

  1. Industry-Certified Auditors on Staff – Verify the vendor has:
    1. Auditors who are certified professionals, such as CHPS, CISSP, HCISPP, CISA, etc. and
    2. Previous experience responding to AND PASSING government and private-sector audits.
  2. Compliance Gap-Assessment – This assessment determines if your workplace meets each of the HIPAA requirements as selected from the Office for Civil Rights’ (OCR) HIPAA Audit Protocol.
  3. Mock-Audit – Put your money where your mouth is. If your workplace maintains HIPAA compliance, prove it with proper supporting documents and examples per the OCR’s HIPAA Audit Protocol.
  4. Risk Analysis – A bona fide security risk analysis that digs into any non-compliant areas, along with a calculation tool that rates each gap as low, medium or high risk to the organization using NIST-based methodologies (i.e. at minimum NIST SP 800-30 Rev. 1 and NIST SP 800-53 Rev. 4).
  5. Remediation Plan – This documented plan answers the questions: “Who will do what by when” in regards to remediating gaps in compliance.
  6. Final Report – Key deliverable proving compliance with HIPAA security risk analysis.
  7. Ongoing Tracking – Track the resolution of those gaps in compliance, proving due diligence in the event of an audit.
  8. Periodic Re-evaluation – Each year, take a new “snapshot” by performing steps 2-6 on any changes that happened since the previous year.

Beware! Free Services – ONC SRA Tool

Through the years we have heard many times that small to medium size practices have two main struggles as it pertains to HIPAA compliance: a lack of knowledge and/or training, and a lack of financial resources allocated to HIPAA compliance objectives. We understand there may be years where you or another member at your workplace will need to look up some free tools online to complete your HIPAA risk analysis manually. As you can imagine, this solution is not ideal, because many free services or tools do not include the above list of required documentation, regulatory updates or audit protection assurances; however, something is better than nothing.

Unfortunately, we are unable to provide feedback on each free risk analysis checklist or spreadsheet available today; however, we would like to spotlight one of them, the Office of the National Coordinator for Health Information Technology (ONC) Security Risk Assessment Tool (SRA Tool). Back at its inception in 2014, the SRA Tool was recognized in the marketplace as a rather thorough, good solution for healthcare providers seeking a free tool that covered most of the bases. Now, this three-year-old solution is outdated and, quite frankly, a liability to anyone who uses it. For this reason, we cannot endorse the SRA Tool in good faith, as it is truly not a production-ready solution and has not been updated to meet the updated HIPAA Audit Protocol.

Below is an excerpt from the “SRA Tool User Guide” clearly outlining that the tool does not guarantee compliance with the HIPAA Security Rule or issue any guarantees to an organization in the event of an audit:

While we do not recommend using this tool to complete your organization’s yearly HIPAA risk analysis, the tool can be used for training purposes. Healthcare IT professionals wanting to learn more about risk analysis may find the questions beneficial in advancing their knowledge of HIPAA compliance.

If your organization has not completed your 2017 risk analysis, there is still time! To learn more about the simplest, most-automated and trusted software solution in the industry used by over 5,000 sites to protect their ePHI, CLICK HERE.

Answering the Age Old Question

True or False: Are penetration tests and vulnerability scans one and the same?

If you answered “False” you are correct; however, it can be difficult to understand the difference between the two information security services. While both are incredibly valuable in building a strong threat and vulnerability management program, penetration tests and vulnerability scans are often misunderstood and used interchangeably.

Before defining the two services, let’s start with an analogy from one of our certified audit support team members. Think of a vulnerability scan as walking around the house rattling doorknobs and pushing on windows to see if they are unlocked or open. Fixing the easy items it turns up, much like locking the garage’s back door or the basement window, helps ensure your house is secure. A penetration test would be entering your home through an open window or unlocked door to emulate a burglar breaking in. By completing this exercise, you can expose security vulnerabilities before someone with bad intentions takes advantage of them.

Penetration Tests

A penetration test simulates the actions of an external or internal cyber attacker (AKA ethical hacker) who strives to breach the information security of an organization. Put simply, it can be thought of as a person trying to bypass application controls and “break into” a network system to take data or seek further access to other internal databases. There are many different tools and techniques an ethical hacker can use as they attempt to exploit critical systems and gain access to sensitive data. By implementing penetration testing, organizations can identify gaps between possible threats and existing controls.

HIPAA One offers penetration testing and ongoing threat management solutions and tools through our trusted partner, TwelveSec. By partnering with TwelveSec, we are able to provide a wide array of services designed to manage threats against your network including: Assurance Services, Security Management Services and Information Security Training Services.  HIPAA One also offers free, unlimited post-remediation verification for any risks discovered during the Penetration Testing project. For additional information, click here.

Vulnerability Scans

Unlike the manual practice of a penetration test, a vulnerability scan is a software tool designed to inspect the potential points of exploit on a computer or network to identify security holes. By checking internet-facing devices against “known” Common Vulnerabilities and Exposures (CVEs), a vulnerability scan can detect and classify system weaknesses in computers, networks and communications equipment. Vulnerability scans are configured for safe checks, meaning the scan will only identify known, unpatched security vulnerabilities for the external IP addresses provided and will not conduct any denial of service (DoS). A free example of a vulnerability scan can be found at www.ssllabs.com; it focuses on encryption and certificate exchange.

There are many software options that may be utilized for vulnerability scanning, as certain tools are specific to the different types of computing infrastructure. It is important to understand that a vulnerability scanning tool is only as good as the CVE dictionary within the software, and one tool may not be all an organization needs. It is fairly standard for hackers to use anywhere from 6-10 different software scans to speed up the process of identifying easy ways of bypassing application and infrastructure security controls.

HIPAA One includes a Nessus Professional Feed vulnerability scan with each HIPAA security risk analysis software license. Using Nessus Professional Feed, HIPAA One will run a vulnerability scan on external IP addresses during the course of the HIPAA security risk analysis. For more information or to get started, Contact Us today!