Security, Incident, Response, Repeat

There are several challenges when it comes to understanding security incidents and incident response. Our goal for this webinar is to answer several questions that occur while considering your organization’s incident response plan and creating policies and procedures to accompany your plan.

How would you define “security incident” for a practical, real-world setting?

The regulatory definition of a “security incident” includes the access, use, disclosure, modification, or destruction of information, or interference with system operations. An activity can establish a security incident without ever accessing PHI, provided it interferes with system operations just enough. The definition also includes both successful and unsuccessful attempts, which is important to remember when creating policies.

How often and to whom should security incidents be reported? How should it be documented?

Incident reporting should be considered initial, ongoing, and final. Initial reporting should be done immediately and directed towards security officers or to a security incident response team. The second phase, ongoing reporting, includes security officers, a security incident response team, management, and legal counsel. The third phase is a report on the final outcome of the investigation, which may need to be delivered to business associates or covered entities. Your organization needs to have policies and procedures in place to facilitate the documentation of initial, ongoing, and final reporting.

What about the “response” part; what are the appropriate responses?

There are four steps when responding to a security incident: investigation, mitigation, restoration, and correction. After investigating what security incident occurred, your organization should enter the mitigation phase. Mitigation means taking steps to reduce the harmful effects and temporarily fixing whatever security issues were found. Next, you should completely restore the functionality you had before the security incident occurred. Finally, your organization determines what corrective actions need to be made beyond restoring the system to functionality.

Is identifying patterns of attempted security incidents reasonable and appropriate?

Certain incidents, like firewall attacks, happen with such frequency that tracking their trends may not be appropriate. Other incidents, though, like phishing attacks, need to be tracked so your organization can determine whether the attempts are probing something that may be a weakness in your security management system. Using your organization’s Risk Analysis is vital when determining whether or not to identify trends and patterns. You can use that information to see where your highest risks and highest impacts are, so that those areas are given the consideration they deserve when conducting trending.

What is the difference between a security incident and a breach?

A security incident is something that can turn into a breach; think of a security incident as a baseline for a breach notification requirement. A security incident becomes a breach when PHI is compromised. If a compromise of PHI does not occur, then it is defined as a security incident.

Download the full webinar to hear from our HIPAA expert, Mark Hinely, hear enlightening examples, and learn about the details of each of these topics.

PCI Requirement 11: Validating Your Security Program

This session in our PCI Readiness series focuses on Requirement 11. Requirement 11 mandates regular monitoring and testing of security systems and processes, which validates an organization’s risk/threat management program and determines whether it is functioning correctly. To successfully validate your system, scans should validate your risk identification and risk ranking program. Internal scan results should be used to address risk through your risk management program.

The sub-requirements of Requirement 11 include:

PCI Requirement 11.1 – Identify rogue wireless devices that may have been placed in your environment, at least quarterly. You must keep a list of what is authorized so you can define what isn’t authorized. Physical inspection is the best way to meet this objective.

PCI Requirement 11.2 – Every 90 days you are required to scan for internal and external vulnerabilities. Also, any time a significant change is made to your environment, you must perform a scan.

PCI Requirement 11.3 – You must perform a penetration test at least annually and after any significant change is made. It must be performed by a qualified individual, cover both internal and external networks, cover the application and network layers, validate whether segmentation is effective, and the results of the test and the remediation must be kept for your audit.

PCI Requirement 11.4 – Install an IDS/IPS at the perimeter and at critical locations within the CDE. It needs to be configured and maintained according to the manufacturer’s standards. A host-based IDS/IPS is also acceptable.

PCI Requirement 11.5 – Install a File Integrity Monitoring (FIM) solution, which needs to monitor critical files, run its comparison at least weekly, and follow up on any exceptions.
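The following is an added illustration of what a FIM comparison under Requirement 11.5 actually does; it is example code, not part of the webinar or any product. It baselines the SHA-256 and permission bits of every file under a directory, then reports the added, removed, and modified files that a reviewer must follow up on. The directory contents are constructed in a temporary folder so it runs offline.

```python
"""Minimal file-integrity monitor: baseline critical files, then detect drift."""
import hashlib
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Map each regular file (POSIX-style relative path) to its hash and mode bits."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            baseline[p.relative_to(root).as_posix()] = {
                "sha256": sha256_file(p),
                "mode": oct(p.stat().st_mode & 0o777),
            }
    # In a real deployment the baseline is stored off the monitored host,
    # otherwise whoever alters the files can alter the baseline too.
    return baseline


def compare(baseline: dict, current: dict) -> dict:
    """Return the exceptions a reviewer must follow up on (content or mode drift)."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            k for k in set(baseline) & set(current) if baseline[k] != current[k]
        ),
    }


def demo() -> dict:
    """Constructed sample: a fake config directory, baselined, then changed."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "etc" / "app.conf").write_text("debug=false\n")
        (root / "etc" / "users.db").write_text("alice:x\n")
        baseline = build_baseline(root)
        # Simulated unauthorized changes made after the baseline was taken.
        (root / "etc" / "app.conf").write_text("debug=true\n")
        (root / "etc" / "users.db").unlink()
        (root / "etc" / "unexpected.sh").write_text("#!/bin/sh\n")
        return compare(baseline, build_baseline(root))
```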

To learn more about PCI compliance, check out our PCI Demystified video resources or contact us today.

4 Key Elements of HIPAA Compliance Training

This webinar discusses training your workforce for HIPAA compliance. You may feel some push-back or a lack of enthusiasm from your workforce about HIPAA training, but it may be helpful to remind them that training is not only required, but it’s the key to HIPAA compliance. An effective workforce training program makes an effective HIPAA compliance program. Although it’s a challenge, it is one of the best ways to ensure enterprise-wide HIPAA compliance.

There is some flexibility to HIPAA training because there are so many types of entities, levels of maturity, different sizes, etc. The goal of HIPAA training is to protect the privacy and security of information. HIPAA training is not just to advise employees about different laws; they need to know what their company’s specific rules are in respect to PHI. There are four required elements of workforce training:

  1. Universal Application – Everyone is subject to HIPAA training requirements and everyone is a part of maintaining the confidentiality of PHI. HIPAA training is not only for staff who interact with patients. It’s for everyone, even someone who rarely has access to PHI. Universal application is also required by the Privacy Rule and the Security Rule.
  2. Define PHI – Every entity needs to identify the elements of PHI so that everyone is aware of risks and responsibilities. Ask your organization the question, what does PHI mean to you?
  3. Minimum Necessary – Convey to business associates that just because there is authorized access to PHI doesn’t mean that all PHI should be shared with all people. What PHI do we normally disclose for this task? What do we do about exceptions? For example: what PHI is appropriate to leave on a voicemail?
  4. Authorized Personnel Only – Employee access to PHI must be authorized, and employees should only access PHI when it’s necessary to fulfill job duties. This goes hand-in-hand with the minimum necessary element. If accessing PHI is not a part of an employee’s job duties, then it’s a violation of HIPAA.
  5. Security Awareness – Create a security awareness program that includes security reminders, protection from malicious software, training on log-in monitoring, and password management.

Although it may be a challenge to get your workforce excited about HIPAA compliance training, remind them and yourself that good training is the key to protecting PHI. Listen to the full webinar for more details about the frequency of training, documenting training, and an insightful Q&A. To learn more about training your workforce, contact us today.

Why Does Business Associate Compliance Matter?

The goal for this session is to identify the importance of the relations between covered entities and business associates, and to identify the issues that business associates and covered entities must navigate. This webinar is not designed just to benefit the covered entities. If you are a business associate, it will be beneficial to learn the issues that covered entities are dealing with and how that affects you.

Why is it important to discuss business associate compliance? We see four areas of significance:

  1. Associated Liability: Business associate breaches have great impact, from a regulatory perspective, on a covered entity.
  2. Regulatory Activity: The OCR has begun Phase 2 HIPAA audits, but after Phase 2 is done, the OCR is planning to have a permanent audit program. Regulatory activity is ongoing.
  3. Market Forces: Covered entities are only going to continue to increase their oversight of business associates, which means the market for business associates is going to get more and more competitive. Business associates need to be able to handle covered entities’ concerns to stay in business.
  4. Scope: The nature of healthcare services in our current climate means that if you’re a covered entity, someone else is likely fulfilling a critical role for you. When your number of business associates is growing, there are more and more opportunities for risk and liability.

Who do covered entities need a Business Associate Agreement with?

The Privacy Rule requires that covered entities receive satisfactory assurance that the business associate will safeguard PHI on behalf of a covered entity. The challenge is knowing who your business associates are. Business associates are defined as “A person or an entity that creates, receives, maintains, or transmits PHI for a regulated healthcare function.” Seems pretty cut and dried, right? There are a couple of ways to think about who a covered entity needs to have a Business Associate Agreement with. Some covered entities have a “better safe than sorry” or “just in case” mindset. They have Business Associate Agreements with anyone who could ever potentially come in contact with PHI. The other end of the spectrum believes that because the requirements and challenges of safeguarding PHI are so great, covered entities should only commit to monitoring vendors that are actually business associates, and should only have Business Associate Agreements with those that are legitimately business associates. This webinar also dives into the specific required elements of Business Associate Agreements.

How does the oversight of business associates work?

There are some weird dynamics when it comes to the legal standards for business associates, and it takes a learning curve to overcome those dynamics and discover what the actual obligations are. Then there are practical oversight considerations, like covered entities’ reliance on business associates, and their audit and inspection rights. Some of the other issues that arise in business associate oversight are: security measures, mobile devices, audit logs, and business associates’ sophistication.

This webinar is packed full of information and details. Download the whole thing; we promise you’ll learn something. This webinar is for covered entities and business associates. To learn more about HIPAA compliance, contact us today and speak to an expert.

PCI Requirement 10: Tracking and Monitoring All Access to Network Resources and Cardholder Data

This session in our PCI Readiness series spotlights PCI Requirement 10, which examines the tracking and monitoring of all access to network resources and cardholder data. Our panelist for this session, Jeff Wilder, explains each part of PCI Requirement 10 in detail, along with some of the common struggles that come along with this requirement.

Complying with PCI Requirement 10 is critical to your organization’s security. The PCI DSS states, “Logging mechanisms and the ability to track user activities are critical in preventing, detecting, or minimizing the impact of a data compromise. The presence of logs in all environments allows thorough tracking, alerting, and analysis when something does go wrong. Determining the cause of a compromise is very difficult, if not impossible, without system activity logs.”

In this webinar, you will learn about topics related to PCI Requirement 10, such as:

  • Why is this a comprehensive requirement?
  • What does this requirement apply to?
  • What are the common struggles of Requirement 10?
  • Requirement 10 focuses on the ability to identify which elements of a breach?
  • Attackers are usually in your environment for weeks, if not months, and the data is long gone before you realize it.
  • The Verizon Breach Report noted that only 3% of breaches are identified by internal staff; all others were discovered when a third party contacted the organization.
  • All in-scope devices must have logging enabled.
  • What will cause an event to be logged?
  • What must each log contain?
  • Synchronize the time on each system so that chronological events can be properly ordered.
  • Logs must be protected from unauthorized modification.
  • Logs must be reviewed at least daily.
  • Logs must be retained for a total of 1 year, at least 3 months must be immediately available.
  • Policies and procedures must be documented, in use, and communicated to all affected users.

To learn more about PCI compliance, check out our PCI Demystified video resources or contact us today.