Healthcare Information Security



Information Security is essential to the broad utilization of, and confidence in, Electronic Health Records (EHR); and to realizing their promise of quality improvement and cost containment. However, Healthcare Information Security is unique because organizations must:

✔ Not only keep information confidential but also accurate and always available.

✔ Secure the devices and wireless networks necessary to support mobility requirements.

✔ Manage ePHI (Electronic Protected Health Information) access in a manner that does not impede patient care.

✔ Ensure the security of medical devices throughout their lifecycle.


Diagnosis: Financial Pain Points

✔ Demonstrating compliance with the myriad of overlapping and ambiguous standards (e.g., HIPAA, HEDIS, SOX, PCI).

✔ Addressing the challenges associated with Financial Identity Theft while concurrently providing higher levels of service and access in an increasingly competitive industry. Integral to this is a need to understand and manage risk relating to organized crime and crimeware (e.g., Zeus, SpyEye).

✔ Managing third-party risk associated with the growing need to share sensitive data with partners (e.g., brokers, investor communications, transaction cost analysts) to achieve business/operational goals.

✔ Ensuring that Online and Mobile banking systems are secured and operationalized so as to guarantee that access to capital and PII is restricted to those authorized.


The Information Assurance “Prescription”

Addressing the unique challenges of financial information security likewise requires a unique and flexible approach.
Compliance Simplified

Typical engagements include:

✔ HIPAA Gap Assessment – Is the design of our environment consistent with HIPAA / HITECH guidance?

✔ ISO 27002 Gap Assessment – The benefit of leveraging 27002: Is the design of our environment consistent with HIPAA, PCI, NIST and PII guidance?

✔ Assessment support via Vulnerability Assessments and Penetration Tests to ensure net security objectives are being achieved.

It is critical to optimize the scale (e.g., agency, location, application) and scope (e.g., 800-53, OWASP) of the engagement to achieve the specific assurance required.

PII/Identity Theft Simplified

Protecting PII is exceptionally challenging because it requires a holistic approach to ensuring the security of the processes that act on the information – as well as the assets (servers, networks, applications, personnel, facilities) that support these processes.

✔ Secure Data Flow Diagrams (SDFD) — Identify critical risks and the required security controls at each point where the information is acted on in your environment.

✔ Risk Assessment — The SDFD can easily be extended into a formal Risk Assessment to comply with relevant HIPAA requirements.

✔ SDFD Dependent — Use the SDFD to determine optimal assurance activities required to achieve PHI security objectives (e.g., Policy Development, Web Application Security Assessment, Network Architecture Assessments, Social Engineering, etc.).

Third Party Risk Simplified

Our Vendor Risk Management practice ensures:

✔ Third-party security risks and compliance requirements are identified and communicated.

✔ Agreements evolve as business, technologies, and threats do.

✔ Monitoring mechanisms ensure third parties achieve your security objectives.

✔ Security incidents are identified, responded to, and learned from.

using on the core group of security assessment services you need.

EMR/EHR Security Simplified

The optimal activities vary with the project phase:

✔ Requirements Gap Assessment during the Requirements phase to ensure that the specified security requirements are sufficient to achieve the security and compliance objectives.

✔ Design Gap Assessment during the Design phase to ensure that the system design is consistent with the specified requirements.

✔ Security Certification & Accreditation activities prior to deployment, to ensure that the implementation is fully consistent with the design and that the supporting organizational elements are in place and operating as intended.

✔ Monitoring and ongoing Risk Management during the Operations phase to ensure that the security and compliance posture is maintained.

Why Partner with Pivot Point Security?

Pivot Point Security has the right combination of Information Security/Compliance domain expertise, healthcare industry knowledge and experience, and organizational character to help you define and execute on the best course of action so you can know you’re secure and prove you’re compliant.

✔ Domain expertise means we know the ins and outs of HIPAA/HITECH, PCI, Sarbanes-Oxley and the other regulations you need to comply with. It also means that we are experts in the Security Frameworks (ISO 27001, HITRUST, ISO 27002, OWASP, NIST 800-66) that should form the basis of Information Security Management Systems.

✔ Healthcare experience means you won’t have to spend time explaining to us why standard password policies can’t be applied in an emergency room, or describing the challenges of updating a 24×7 mission-critical environment (akin to painting a moving bus).

✔ Organizational character means we have the competence to do the job well in a transparent and straightforward manner that you’ll value.

Pivot Point Security is a great choice for your Information Security needs.

Representative Energy Clients

View more representative Healthcare Industry clients of Pivot Point Security


Meet Amy

She’s a new CSO – elevated there after a breach.

She’s responsible for several rehabilitation facilities and a growing mobile practice.

She and her team have identified five critical things they need to address – fast.

The risks haven’t gone away… and now she has some new ones. She needed help.