Cybercrime Is On The Rise for the Healthcare Industry
Know What You Don’t Know To Ensure Your HIPAA Compliant
The healthcare sector tops the list of industries with the most cyberattacks – even more than the financial and manufacturing sectors. Reports indicate the most common healthcare cyberattacks come from criminals gaining access to systems and data and injecting malicious content, manipulating or corrupting resources (files, applications, infrastructure, etc.), and for the distribution of ransomware.
What may be even more shocking according to a PwC Health Research Analysis is the astronomical cost of post-breach repair of an estimated $200 per patient record, which includes the cost of lost business due to reputational damage, when compared to how little it costs to prevent a single patient record breach, approximately $8.
No healthcare organization in 2017 can afford to ignore the threat that cybercriminals pose to your business and your patients. How can you ensure your digital security? GiaSpace HIPAA Audits are the answer.
Protect Your Clinical Environment With A Customized Threat Intelligence Report
Our HIPAA Audits will help you achieve effective risk management and HIPAA compliance by revealing where your internal IT, networks, and external business partners put your healthcare organization and patients at risk of cyber threats.
GiaSpace HIPAA Audits Cover Key HIPAA Requirements
- §164.308 – Risk Analysis: Conduct a precise assessment to look for potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI.
- §164.308 – Information System Activity Review: Implement procedures to consistently review records of information system activity, such as audit logs, access reports, and security incident tracking reports.
- §164.308 – Access Authorization, Establishment, and Modification: Implement policies and procedures that grant, establish, document, review, and modify a user’s access to assets.
- §164.308 – Log-in Monitoring: Procedures for monitoring log-in attempts and reporting discrepancies.
- §164.308 – Protection from Malicious Software: Procedures for guarding against, detecting, and reporting malicious software.
- §164.308 – Password Management: Procedures for creating, changing, and safeguarding passwords.
- §164.308 – Security Incident Response and Reporting: Identify and respond to suspected or known security incidents; mitigate harmful effects of known security incidents and document security incidents and their outcomes.
- §164.310 – Device and Media Controls: Implement policies and procedures that govern the receipt and removal of hardware and electronic media that contain ePHI.
- §164.312 – Encryption and Decryption: Implement a mechanism to encrypt and decrypt ePHI
Your comprehensive security report, delivered on conclusion of the assessment, will include:
- An executive summary
- Overview of the assessment scope and objectives
- Review of the current environment or systems
- Security requirements
- Summary of findings and recommendations, including:
- Risk Assessment
- Identified Threats
- Recommended Actions
HIPAA Policies & Procedures. The Policy and Procedures are the best practices that our industry experts have formulated to comply with the technical requirements of the HIPAA Security Rule. The policies spell out what your organization will do while the procedures detail how you will do it. In the event of an audit, the first thing an auditor will inspect are the Policies and Procedures documentation. This is more than a suggested way of doing business. The Policies and Procedures have been carefully thought out and vetted, referencing specific code sections in the Security Rule and supported by the other reports include with the HIPAA Compliance module.
HIPAA Risk Analysis. HIPAA is a risk-based security framework and the production of a Risk Analysis is one of the primary requirements of the HIPAA Security Rule’s Administrative Safeguards. In fact, a Risk Analysis is the foundation for the entire security program. It identifies the locations of electronic Protected Health Information (ePHI,) vulnerabilities to the security of the data, threats that might act on the vulnerabilities, and estimates both the likelihood and the impact of a threat acting on a vulnerability. The Risk Analysis helps HIPAA Covered Entities and Business Associates identify the locations of their protected data, how the data moves within, and in, and out of, the organization. It identifies what protections are in place and where there is a need for more. The Risk Analysis results in a list of items that must be remediated to ensure the security and confidentiality of ePHI. The value of a Risk Analysis cannot be overstated. Every major data breach enforcement of HIPAA, some with penalties over $1 million, have cited the absence of, or an ineffective, Risk Analysis as the underlying cause of the data breach. The Risk Analysis must be run or updated at least annually, more often if anything significant changes that could affect ePHI.
HIPAA Risk Profile. A Risk Analysis should be done no less than once a year. However, GiaSpace has created an abbreviated version of the Risk Analysis called the HIPAA Risk Profile designed to provide interim reporting in a streamlined and almost completely automated manner. Whether performed monthly or quarterly, the Risk Profile updates the Risk Analysis and documents progress in addressing previously identified risks, and finds new ones that may have otherwise been missed and resulted in a data breach.
HIPAA Management Plan. Based on the findings in the Risk Analysis, the organization must create a Risk Management Plan with tasks required to minimize, avoid, or respond to risks. Beyond gathering information, GiaSpace provides a risk scoring matrix that an organization can use to prioritize risks and appropriately allocate money and resources and ensure that issues identified are issues solved. The Risk Management plan defines the strategies and tactics the organization will use to address its risks.
Evidence of HIPAA Compliance. Just performing HIPAA-compliant tasks is not enough. Audits and investigations require evidence that compliant tasks have been carried out and completed. Documentation must be kept for six years. The Evidence of Compliance includes log-in files, patch analysis, user & computer information, and other source material to support your compliance activities. When all is said and done, the proof to proper documentation is accessibility and the detail to satisfy an auditor or investigator included in this report.
External Network Vulnerability Scan. Detailed reports showing security holes and warnings, informational items including CVSS scores as scanned from outside the target network. External vulnerabilities could allow a malicious attacker access to the internal network.
HIPAA Compliance PowerPoint. Our generated PowerPoint presentation is a basis for conducting a meeting presenting our findings from the HIPAA Audit. General summary information along with the risk and issue score are presented along with specific issue recommendations and next steps.
HIPAA On-Site Survey. The On-site Survey is an extensive list of questions about physical and technical security that cannot be gathered automatically. The survey includes questions ranging from how facility doors are locked, firewall information, how faxes are managed, and whether servers are on-site, in a data center, or in the Cloud.
Disk Encryption Report. Encryption is such an effective tool used to protect data that if an encrypted device is lost then it does not have to be reported as a data breach. The Disk Encryption Report identifies each drive and volume across the network, whether it is fixed or removable, and if Encryption is active.
File Scan Report. The underlying cause identified for many data breaches is that the organization did not know that protected data was stored on a device that was lost or stolen. After a breach of 4 million patient records a hospital executive said, “Based on our policies that data should not have been on those systems.” The File Scan Report identifies data files stored on computers, servers, and storage devices. It does not read the files or access them, but just looks at the title and file type. This report is useful to identify local data files that may not be protected. Based on this information the risk of a breach could be avoided if the data was moved to a more secure location, or mitigated by encrypting the device to protect the data and avoid a data breach investigation.
User Identification Worksheet. The User Identification Worksheet takes the list of users gathered by the Data Collector and lets you identify whether they are an employee or vendor. Users who should have been terminated and should have had their access terminated can also be identified. This is an effective tool to determine if unauthorized users have access to protected information. It also is a good indicator of the efforts the organization goes to so terminated employees and vendors have their access quickly disabled. Another benefit is that you can review the user list to identify generic logins, such as Nurse, Billing Office, etc., which are not allowed by HIPAA since each user is required to be uniquely identified. To save time the system allows you to enter default settings for all users and just change some as needed.
Computer Identification Worksheet. The Computer Identification Worksheet takes the list of computers gathered by the Data Collector and lets you identify those that store or access ePHI. This is an effective tool in developing data management strategies including secure storage and encryption. To save time the system allows you to enter default settings for all computers and just change some as needed.
Network Share Identification Worksheet. The Network Share Identification Worksheet takes the list of network shares gathered by the Data Collector and lets you identify those that store or access ePHI. This is an effective tool in developing data management strategies including secure storage and encryption. To save time the system allows you to enter default settings for all network shares and just change some as needed.
HIPAA Supporting Worksheets. A set of individual documents are provided to show detailed information and the raw data the backs up the Evidence of Compliance. These include the various interviews and worksheets, as well as detailed data collections on shares and login analysis.