Technical controls are often illustrated with physical analogies to help the non-technical person understand the concept. A firewall, for example, was originally a physical wall that everyone understood to stop a fire from spreading through a building; the term was later borrowed to describe a technical device that blocks unwanted traffic from the Internet.

Last fall, a San Francisco hospital suffered a very real and consequential incident: a patient went missing and was found 17 days later, having died in a stairwell. Many of the hospital's procedural failures map directly onto technical matters and illustrate how security principles operate and contribute to efficient business operations.

One of the key components of proper network security is continuous monitoring. If the hospital had included the stairwells in a regular walk-through of the grounds, the patient would have been found. Too often, companies leave gaps in the areas they monitor. Too much emphasis is placed on perimeter network monitoring while internal systems go unmonitored because they are, well, internal. This approach is faulty because it misses critical events that are right under your nose. Another common failure is that network event logs are gathered but no one reviews them in a timely fashion. Regular monitoring of all critical points within an organization is imperative if you hope to identify important events before it's too late.

Another issue illustrated by the story is the need for proper training on, and maintenance of, security controls. When the patient went missing, the hospital eventually turned to its security video footage. However, the system was not working, and the footage had to be sent to a vendor for recovery. If a company invests in key security controls, such as video monitoring and proximity card readers, their working order should be verified daily. It is all too common to discover that a tool installed for a specific purpose is not used properly and that staff are not trained to operate it. Had the footage been available, the patient's location might have been determined sooner.

Another security lesson the story illustrates is the need for a working incident response plan with appropriate follow-up procedures. Had the hospital had proper procedures in place for responding to an incident, it would not have taken nine days for the first grounds search to be ordered. After the incident was reported, not all personnel were properly briefed, which further delayed resolution. Hospital personnel also failed to escalate issues as they were reported: employees had reported seeing a person and hearing noises in the stairwell, yet the patient was not found for four more days. Companies should conduct periodic incident response drills to test their escalation and reporting procedures. Failure to test these procedures usually contributes to delays when real-world incidents occur.

Don’t wait until an incident strikes to realize your network security measures aren’t adequate. Be proactive in your incident response plan and maintain current and relevant policies and procedures to avoid an incident like this one. Contact us today for more information regarding improving your security measures.

It's one thing to suffer one data breach; there is room to recover. Will Anthem survive a second breach? Don't let this happen to you. With the Anthem breach still at the forefront of everyone's minds, as well as the upcoming supervision from the OCR and the new phase of HIPAA audits, we have put together some tips to get you thinking about what you can do now to better secure your healthcare data.

  1. Control PHI Workflow – Do you know where your healthcare data is? Do you have proper permissions in place to control access to your data? Is it encrypted? Healthcare data should always be encrypted when being stored or transmitted to protect sensitive data from falling into the wrong hands or being compromised. Your organization needs to know where your data lives, where it travels, and how it travels – at all times.
  2. Strong Passwords – This seems like a no-brainer; however, it's easy to fall into the convenience of a weak password, or of reusing the same password in multiple places. The longer the password, the better. Strong passwords should be at least 8 characters long and mix upper- and lower-case letters, numbers, and punctuation. Two-factor authentication is an even stronger way to ensure that only the people who are allowed access actually have it.
  3. Vendor Management – HIPAA regulations require you to perform due diligence to ensure that not only you, but also the vendors who have access to your PHI, are HIPAA compliant. A signed Business Associate Agreement on its own isn't acceptable evidence of this. You can no longer outsource this risk; you must manage it. Vendor management must therefore be a priority when considering the safety and security of the PHI for which you are responsible. Do you know who your vendors are? Do you have documentation showing that you've verified their compliance with industry regulations? These are questions you must be able to answer.
  4. Policies and Procedures – Are you aware of the policies and procedures in place to protect healthcare information and comply with HIPAA? Employees should be required to demonstrate that they acknowledge, understand, and follow all policies and procedures. These documents exist to help you, and understanding why a given policy or procedure is in place could make the difference in saving your organization from a data breach.
  5. Security Awareness Training – Setting the security tone from the top is the most important step, in any organization, to ensure that everyone is on the same page about PHI security. It's important to educate all employees, in every part of your organization, on HIPAA compliance and why it matters.
  6. Annual External and Internal Penetration Testing – Network and application security are critical to your organization. Annual penetration tests are a strategic way to identify weaknesses and vulnerabilities in your organization's security before someone else does.

Are you confident that you are doing everything you can to ensure the security of your PHI and your compliance with HIPAA laws? Email me at s.morris@3.95.165.71 with any questions about strengthening the compliance controls at your organization, or if you’re in need of a third-party validation of your compliance.

The need for enhanced security becomes more obvious every day. As the security landscape changes, the threats to our sensitive data grow more serious, and as a result the controls we put in place have had to grow stronger. New data breaches make the headlines on an increasingly regular basis, with criminals frequently targeting cardholder data specifically. The PCI Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and keep this sensitive data from being compromised. PCI DSS applies to all organizations and merchants that accept, transmit, or store any cardholder data.

Full compliance with the new requirements of the revised standard, PCI DSS v3.0, became mandatory on January 1st of this year. The new version of the standard focuses on the greater risk areas in the threat environment, a clearer understanding of the purpose of each requirement and how to apply it, increased clarity of the requirements themselves, and alignment with changes in industry best practices.

As a PCI Qualified Security Assessor (QSA), we find that obtaining and maintaining a compliant PCI environment is challenging. We surveyed our QSA team, and by far the most common PCI gaps reported were:

  • Poorly managed firewalls
  • Inadequate policies and procedures
  • Lack of documented system configuration standards
  • No penetration testing and/or vulnerability scanning
  • A formal, annual Risk Assessment is not performed
  • Inadequate encryption key management
  • Undocumented application development standards
  • No formal Security Awareness Training program
  • Audit and security event logs are not enabled or monitored
  • File integrity monitoring is not performed
  • Background checks are not performed
  • Data flow of sensitive data is not documented
  • Incident response plans are not developed
  • Insecure remote access without two-factor authentication
  • Open wireless networks

Compliance does not guarantee security, but a secure environment is a compliant environment. After you've checked for these most common gaps, perform a Gap Analysis to determine, based on the current state of your organization's security controls, the steps you need to take to reach your information security and compliance goals.

For more information about PCI Compliance or for help in performing a Gap Analysis or Self-Assessment, contact us today.

Have you heard of SOC 1, SOC 2, HIPAA, PCI, FISMA, or ISO 27001/27002 frameworks but are unsure of what they entail? Have you been asked for verification of regulatory compliance but don’t know where to begin? This webinar will educate you on the basics of these frameworks so that you are better equipped to discuss your compliance goals with prospects and clients, and are also more informed on your organization’s compliance objectives.

What is the Regulatory Alphabet Soup?

In this webinar, you will learn about the following information security frameworks:

  • SOC 1: A SOC 1 engagement is an audit of the internal controls at a service organization that may be relevant to their client’s internal control over financial reporting (ICFR).
  • SOC 2: A SOC 2 report helps to address third-party risk concerns by evaluating internal controls, policies, and procedures that directly relate to the security, availability, confidentiality, processing integrity, and privacy of a system at a service organization.
  • HIPAA: A HIPAA audit reports on internal controls that protect valuable PHI and ePHI.
  • PCI DSS: If you are a merchant, service provider, or subservice provider who stores, processes, or transmits cardholder data, you are required to comply with the Payment Card Industry Data Security Standard (PCI DSS). This audit focuses on the protection of credit card data and has approximately 394 controls categorized under six control objectives and 12 major subject areas.
  • FISMA: A FISMA audit is a thorough assessment of your information security practices as it relates to NIST requirements.
  • ISO 27001: This is the only internationally accepted standard for information security governance, and it is being adopted increasingly widely.

To learn more about regulatory compliance frameworks, download the full webinar. For more information about these frameworks and how KirkpatrickPrice can help you meet your compliance objectives, contact us today.

The recent Anthem data breach is potentially the largest breach to date in the Healthcare space. When your CEO or your largest clients ask you what your plan is to prevent the same from happening to you, what are you going to tell them? Safeguarding Personally Identifiable Information (PII) is essential for avoiding a data breach. Here are three things you should do immediately to avoid a data breach:

  1. Advanced Penetration Testing – An advanced external penetration test is a strategic way to identify weaknesses in network and application security the way an attacker would. Because new vulnerabilities emerge constantly, regular penetration tests are needed to maintain a secure network and to find the gaps in your security before someone else does.
  2. Perform a Formal Risk Assessment – How will you know whether you're doing enough until you systematically identify the relevant risks? An organized, written risk assessment will identify what you need to be doing and what you don't need to be doing. The old adage is true: first make the plan, then work the plan.
  3. Assessment of All Regulatory Requirements for HIPAA – Perform a Gap Analysis against the HIPAA standards to see where you need to remediate in order to strengthen your information security.

Take the appropriate steps within your organization to make sure a data breach doesn’t happen to you. KirkpatrickPrice is uniquely qualified to help with all of these. Call us today at 800-770-2701 for immediate assistance in preventing a data breach at your organization or contact us today.
