Healthcare Information Security
Information Security is essential to the broad utilization of, and confidence in, Electronic Health Records (EHR); and to realizing their promise of quality improvement and cost containment. However, Healthcare Information Security is unique because organizations must:
- Not only keep information confidential, but also accurate and always available.
- Secure the devices and wireless networks necessary to support mobility requirements.
- Manage ePHI (Electronic Protected Health Information) access in a manner that does not impede patient care.
- Ensure the security of medical devices throughout their lifecycle.
Diagnosis: Healthcare Pain Points
- Demonstrating compliance with a myriad of overlapping and ambiguous standards (e.g., HIPAA, HEDIS, SOX, PCI).
- Addressing the challenges associated with Healthcare Identity Theft in an increasingly mobile industry.
- Managing third-party risk associated with the growing need to share sensitive data with vendors/business associates to achieve business goals, and monitoring business associates to ensure they are compliant with HIPAA.
- Ensuring that EHR, the technology necessary to support it, and new policies, standards and procedures required to operationalize it, all ensure that access to ePHI is restricted to those authorized.
The Information Assurance “Prescription”
Addressing the unique challenges of healthcare information security requires a unique and flexible approach.
Typical engagements include:
- HIPAA Gap Assessment – Is the design of our environment consistent with HIPAA / HITECH guidance?
- ISO 27002 Gap Assessment – The benefit of leveraging 27002: Is the design of our environment consistent with HIPAA, PCI and SOX guidance?
- Assessment support via Vulnerability Assessments and Penetration Tests to ensure net security objectives are being achieved.
It is critical to optimize the scale (e.g., a location, an EMR, a WLAN, an organization) and scope (e.g., HIPAA, OWASP) of the engagement to achieve the specific assurance required.
PHI/PII Security Simplified
Protecting PHI/PII is exceptionally challenging in that it requires a holistic approach to ensuring the security of the processes that act on the information, and on the assets (servers, networks, applications, personnel, facilities) that support these processes.
- Secure Data Flow Diagrams (SDFD) — Identify critical risks and the required security controls at each point where the information is acted on in your environment.
- Risk Assessment — The SDFD can easily be extended into a formal Risk Assessment to comply with relevant HIPAA requirements.
- SDFD Dependent — Use the SDFD to determine optimal assurance activities required to achieve PHI security objectives (e.g., Policy Development, Web Application Security Assessment, Network Architecture Assessments, Social Engineering, etc.).
Third Party Risk Simplified
Our Vendor Risk Management practice ensures:
EMR/EHR Security Simplified
The optimal activities vary with the project phase:
- Requirements Gap Assessment during the Requirements phase to ensure that the security requirements are sufficient to achieve security and compliance requirements.
- Design Gap Assessment during the Design phase to ensure that the systems design is consistent with the specified requirements.
- Security Certification & Accreditation activities prior to deployment, to ensure that the implementation is fully consistent with the design and that the supporting organizational elements are in place and operating as intended
- Monitoring and ongoing Risk Management during the Operations phase to ensure that the security and compliance posture is maintained.
Why Partner with Pivot Point Security?
Pivot Point Security has the right combination of Information Security/Compliance domain expertise, healthcare industry knowledge and experience, and organizational character to help you define and execute on the best course of action so you can know you’re secure and prove you’re compliant.
- Domain expertise means we know the ins and outs of HIPAA/HITECH, PCI, Sarbanes Oxley and the other regulations you need to comply with. It also means that we are experts in the Security Frameworks (ISO 27001, HITRUST, ISO 27002, OWASP, NIST 800-66) that should form the basis of Information Security Management Systems.
- Healthcare experience means you won’t have to spend time explaining to us why standard password policies can’t be applied in an emergency room, or describing the challenges of updating a 24×7 mission critical environment (akin to painting a moving bus).
- Organizational character means we have the competence to do the job well in a transparent and straightforward manner that you’ll value.
Pivot Point Security is a great choice for your Information Security demand.
Representative Healthcare Clients
View more representative Healthcare Industry clients of Pivot Point Security
She’s a new CSO – elevated there after a breach.
She’s responsible for several rehabilitation facilities and a growing mobile practice.
She and her team have identified five critical things they need to address – fast.
She needed help.