Healthcare Information Security


Diagnosis: Healthcare Pain Points

  • Demonstrating compliance with a myriad of overlapping and ambiguous standards (e.g., HIPAA, HEDIS, SOX, PCI).
  • Addressing the challenges associated with Healthcare Identity Theft in an increasingly mobile industry.
  • Managing third-party risk associated with the growing need to share sensitive data with vendors/business associates to achieve business goals, and monitoring business associates to ensure they are compliant with HIPAA.
  • Ensuring that EHR, the technology necessary to support it, and the new policies, standards and procedures required to operationalize it all restrict access to ePHI to authorized individuals.

The Information Assurance “Prescription”

Addressing the unique challenges of healthcare information security requires a unique and flexible approach.

Compliance Simplified

Typical engagements include:

It is critical to optimize the scale (e.g., a location, an EMR, a WLAN, an organization) and scope (e.g., HIPAA, OWASP) of the engagement to achieve the specific assurance required.

PHI/PII Security Simplified

Protecting PHI/PII is exceptionally challenging in that it requires a holistic approach to ensuring the security of the processes that act on the information, and on the assets (servers, networks, applications, personnel, facilities) that support these processes.

  • Secure Data Flow Diagrams (SDFD) — Identify critical risks and the required security controls at each point where the information is acted on in your environment.
  • Risk Assessment — The SDFD can easily be extended into a formal Risk Assessment to comply with relevant HIPAA requirements.
  • SDFD Dependent — Use the SDFD to determine the optimal assurance activities required to achieve PHI security objectives (e.g., Policy Development, Web Application Security Assessment, Network Architecture Assessments, Social Engineering, etc.).

Third Party Risk Simplified

Our Vendor Risk Management practice ensures:

  • Third party security risks and compliance requirements are identified and communicated.
  • Agreements evolve as business, technologies, and threats do.
  • Monitoring mechanisms ensure third parties achieve your objectives.
  • Security Incidents are identified, responded to, and learned from.

EMR/EHR Security Simplified

The optimal activities vary with the project phase:

  • Requirements Gap Assessment during the Requirements phase to ensure that the specified security requirements are sufficient to achieve the security and compliance objectives.
  • Design Gap Assessment during the Design phase to ensure that the systems design is consistent with the specified requirements.
  • Security Certification & Accreditation activities prior to deployment, to ensure that the implementation is fully consistent with the design and that the supporting organizational elements are in place and operating as intended.
  • Monitoring and ongoing Risk Management during the Operations phase to ensure that the security and compliance posture is maintained.

Why Partner with Pivot Point Security?

Pivot Point Security has the right combination of Information Security/Compliance domain expertise, healthcare industry knowledge and experience, and organizational character to help you define and execute on the best course of action so you can know you’re secure and prove you’re compliant.

  • Domain expertise means we know the ins and outs of HIPAA/HITECH, PCI, Sarbanes-Oxley and the other regulations you need to comply with. It also means that we are experts in the Security Frameworks (ISO 27001, HITRUST, ISO 27002, OWASP, NIST 800-66) that should form the basis of Information Security Management Systems.
  • Healthcare experience means you won’t have to spend time explaining to us why standard password policies can’t be applied in an emergency room, or describing the challenges of updating a 24×7 mission critical environment (akin to painting a moving bus).
  • Organizational character means we have the competence to do the job well in a transparent and straightforward manner that you’ll value.

Pivot Point Security is a great choice for your Information Security needs.

Representative Healthcare Clients

She’s a new CSO – elevated there after a breach.

She’s responsible for several rehabilitation facilities and a growing mobile practice.

She and her team have identified five critical things they need to address – fast.

She needed help.
