Information Security is essential to the broad utilization of, and confidence in, Electronic Health Records (EHR); and to realizing their promise of quality improvement and cost containment. However, Healthcare Information Security is unique because organizations must:
- Not only keep information confidential, but also accurate and always available.
- Secure the devices and wireless networks necessary to support mobility requirements.
- Manage ePHI (Electronic Protected Health Information) access in a manner that does not impede patient care.
- Ensure the security of medical devices throughout their lifecycle.
Diagnosis: Healthcare Pain Points
- Demonstrating compliance with a myriad of overlapping and ambiguous standards (e.g., HIPAA, HEDIS, SOX, PCI).
- Addressing the challenges associated with Healthcare Identity Theft in an increasingly mobile industry.
- Managing third-party risk associated with the growing need to share sensitive data with vendors/business associates to achieve business goals, and monitoring business associates to ensure they are compliant with HIPAA.
- Ensuring that the EHR, the technology necessary to support it, and the new policies, standards and procedures required to operationalize it all restrict access to ePHI to those authorized.
The Information Assurance “Prescription”
Addressing the unique challenges of healthcare information security requires a unique and flexible approach.
Compliance Simplified
Typical engagements include:
- HIPAA Gap Assessment – Is the design of our environment consistent with HIPAA / HITECH guidance?
- ISO 27002 Gap Assessment – Leveraging ISO 27002 lets a single assessment answer a broader question: Is the design of our environment consistent with HIPAA, PCI and SOX guidance?
- Assessment support via Vulnerability Assessments and Penetration Tests to confirm that the intended security objectives are actually being achieved.
It is critical to optimize the scale (e.g., a location, an EMR, a WLAN, an organization) and scope (e.g., HIPAA, OWASP) of the engagement to achieve the specific assurance required.
PHI/PII Security Simplified
Protecting PHI/PII is exceptionally challenging in that it requires a holistic approach to ensuring the security of the processes that act on the information, and on the assets (servers, networks, applications, personnel, facilities) that support these processes.
- Secure Data Flow Diagrams (SDFD) — Identify critical risks and the required security controls at each point where the information is acted on in your environment.
- Risk Assessment — The SDFD can easily be extended into a formal Risk Assessment to comply with relevant HIPAA requirements.
- SDFD Dependent — Use the SDFD to determine optimal assurance activities required to achieve PHI security objectives (e.g., Policy Development, Web Application Security Assessment, Network Architecture Assessments, Social Engineering, etc.).
Third Party Risk Simplified
Our Vendor Risk Management practice ensures:
EMR/EHR Security Simplified
The optimal activities vary with the project phase:
- Requirements Gap Assessment during the Requirements phase to ensure that the specified security requirements are sufficient to meet security and compliance objectives.
- Design Gap Assessment during the Design phase to ensure that the systems design is consistent with the specified requirements.
- Security Certification & Accreditation activities prior to deployment, to ensure that the implementation is fully consistent with the design and that the supporting organizational elements are in place and operating as intended.
- Monitoring and ongoing Risk Management during the Operations phase to ensure that the security and compliance posture is maintained.
Why Partner with Pivot Point Security?
Pivot Point Security has the right combination of Information Security/Compliance domain expertise, healthcare industry knowledge and experience, and organizational character to help you define and execute on the best course of action so you can know you’re secure and prove you’re compliant.
- Domain expertise means we know the ins and outs of HIPAA/HITECH, PCI, Sarbanes-Oxley and the other regulations you need to comply with. It also means that we are experts in the Security Frameworks (ISO 27001, HITRUST, ISO 27002, OWASP, NIST 800-66) that should form the basis of Information Security Management Systems.
- Healthcare experience means you won’t have to spend time explaining to us why standard password policies can’t be applied in an emergency room, or describing the challenges of updating a 24×7 mission critical environment (akin to painting a moving bus).
- Organizational character means we have the competence to do the job well in a transparent and straightforward manner that you’ll value.
Pivot Point Security is a great choice for your Information Security needs.
Healthcare Industry Issues
The HITECH Act was enacted to reduce healthcare costs through the adoption of electronic medical records (EMR). The funding elements of ARRA/HITECH have been advantageous – but there is no free lunch. HITECH also imposes new security requirements around Electronic Protected Health Information (ePHI) on healthcare organizations (covered entities) and their business associates.
The new requirements include a broader definition of what Protected Health Information (PHI) must be protected, increased penalties for violations of rules, provisions for more aggressive enforcement, and explicit authority for state Attorneys General to enforce HIPAA rules and pursue criminal cases. The HITECH Act also creates stringent data breach notification provisions that include reporting of all breaches to the Secretary of Health and Human Services (HHS).
Unfortunately, the migration to electronic health records (EHR) comes at a time when economic conditions are forcing healthcare organizations to do more with less — leaving Information Security and audit personnel with fewer resources to address these new obligations.
As required by the “Security standards: General rules” section of the HIPAA Security Rule, each covered entity must:
- Ensure the confidentiality, integrity, and availability of ePHI that it creates, receives, maintains, or transmits.
- Protect against any reasonably anticipated threats and hazards to the security or integrity of ePHI.
- Protect against reasonably anticipated uses or disclosures of such information that are not permitted by the Privacy Rule.