Starting in 2012, the HHS Office for Civil Rights (OCR) is piloting a program to perform as many as 150 audits of covered entities to assess privacy and security compliance as mandated under the HITECH Act.
Policy development, incident reporting, employee surveys, and risk assessments are only some of the tasks that must be implemented within a HIPAA compliance program. HIPAA has increased patient privacy, even though it may not always feel that way: new risks and a constantly changing threat landscape make securing a healthcare organization difficult without the proper resources and tools. Now, the OCR is going to get even more aggressive.
Read our whitepaper and learn to avoid the common HIPAA compliance failures.
The most important part of any HIPAA compliance program revolves around data security and protecting patient information (PII). Most healthcare organizations use security policies that follow the castle/moat paradigm: we have a bunch of data on a bunch of servers at our data center, and we will control what goes in and out by putting guardians at the front gates and forcing people to come in over a moat.
Firewalls, intrusion detection and prevention systems, and Web application firewalls all work following this paradigm. Yet every major breach analysis has shown that data is much less likely to be stolen through a vulnerability in the transport mechanism (for example, attackers figuring out a way to steal money from people walking over the moat's bridge) than through vulnerabilities in the storage of the data (the king's treasury is behind an unlocked door).
The biggest risk is not on the outside but involves the people who live and work within the castle: authorized and authenticated users who have legitimate access to patient data, and whose network access can be taken over by malware and attackers. Cloud services, globalization, and collaboration have turned the security paradigm on its head, as legitimate users rely on these services to get work done without realizing the security implications.
Savid's consulting services help healthcare organizations meet the requirements of HIPAA and HITECH by leveraging our proven risk assessment methodology, which prioritizes risk using asset value, impact, and likelihood based on our extensive attacker research.
Whether you are a hospital or a service provider, our structured deliverable and extensive experience with healthcare institutions enable stronger communication between the security or audit teams and the business when discussing security remediation and security controls.
Savid’s Consulting Services include:
Savid’s Technology Implementation Services include the auditing, installation, and configuration of: