According to the Department of Health and Human Services Office for Civil Rights’ “wall of shame,” data breaches and security incidents have impacted more than 450,000 individuals so far this year. With no end to the pervasive threat landscape in sight, this raises the question: what more could the healthcare industry do to protect patients’ PHI, provide quality healthcare services, and keep its security posture strong against hackers and human error? We believe that investing in penetration testing helps healthcare entities, covered entities and business associates alike, support their HIPAA compliance efforts.

What is Penetration Testing?

With an increasing number of data breaches and security incidents being reported to the OCR, the healthcare industry has a responsibility, now more than ever, to protect its sensitive assets. PHI, security systems, expensive research and prototypes, drugs, scheduling information, and the operations of facilities are all targets for malicious hackers. By undergoing penetration testing, organizations can identify and mitigate vulnerabilities that could lead to unauthorized access to ePHI before an attacker finds them. So what exactly is penetration testing?

Penetration testing is a critical way to validate the defenses that protect your organization’s sensitive assets from malicious outsiders. It is the process of performing authorized security testing, or ethical hacking, of an environment to identify and exploit weaknesses in the targeted systems, networks, and applications before a real attacker can exploit them. A penetration test goes beyond a vulnerability scan: the tester attempts to chain and exploit findings to show what an attacker could actually reach. Ultimately, penetration testing is a proactive step covered entities and business associates can take in support of their HIPAA compliance efforts.

Penetration Testing and HIPAA Compliance: Is it Required?

Penetration testing is not explicitly required for covered entities and business associates to maintain HIPAA compliance. However, the Evaluation standard at 45 CFR 164.308(a)(8) requires them to “perform a periodic technical and nontechnical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity’s security policies and procedures meet the requirements of this subpart.” The technical evaluation is commonly interpreted as security testing such as vulnerability assessments and penetration testing, and the “environmental or operational changes” language means the evaluation must be repeated after significant changes, not only on a calendar schedule.

Case Studies: Penetration Testing for HIPAA Compliance

Not convinced that your healthcare entity needs to undergo penetration testing? Take a look at these recent breaches and how the organizations could have benefited from some form of penetration testing.

  • BenefitMall, a business associate, fell victim to a phishing attack that put 111,600 individuals at risk. Social engineering testing, in which testers send controlled phishing emails to employees, would have been a proactive way to measure and reduce this exposure before a real attacker did. Do your employees know how to identify and resist a phishing attempt?
  • Valley Hope Association, a healthcare provider, experienced a breach in which malicious outsiders gained unauthorized access to email messages and file attachments stored in an employee’s email account, impacting almost 71,000 individuals. What protections do you have in place to keep hackers out of employee mailboxes?
  • DeLuca, Dr. Marciano & Associates, P.C., a healthcare provider, experienced a ransomware attack that infected two servers containing PHI and impacted nearly 24,000 individuals. Ransomware is a major threat to the healthcare industry. Through which devices, systems, and networks could ransomware enter your organization, and how far could it spread once inside?
  • All-Star Orthopaedics, the Texas-based Las Colinas Orthopedic Surgery and Sports Medicine center, notified the OCR that an unencrypted hard drive containing the PHI of 76,000 patients, such as X-rays, names, and dates of birth, was stolen. Are your hard drives encrypted? What security measures do you have in place to ensure they’re secure?

Need further proof that security testing is vital to healthcare organizations? The number of breaches reported to the OCR just keeps growing, and penetration testing may well have changed the outcome of each of the breaches above.

If you’re a covered entity or business associate committed to HIPAA compliance, we’re here to help! Contact us today to learn how our penetration testing can take your security to the next level and keep your name out of the headlines.

More Penetration Testing and HIPAA Resources

7 Reasons Why You Need a Manual Penetration Test

Not All Pen Tests Are Created Equal

How Can Penetration Testing Protect Your Assets?

HIPAA Compliance Checklist: Security, Privacy, and Breach Notification Rules

How Can Mobile Devices Impact Protected Health Information?

SOC 2 and ISO 27001 audits are similar in intention; they both help organizations protect the data that they are responsible for. How are they different, though, and which one meets your organization’s needs?

What is a SOC 2 Audit?

A SOC 2 audit evaluates internal controls, policies, and procedures that directly relate to the AICPA’s Trust Services Criteria.

This means that a SOC 2 audit report focuses on a service organization’s internal controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system. The Trust Services Criteria are relevant to the services of organizations in these ways:

  • Security – Is the system protected against unauthorized access?
  • Availability – Is the system available for operation and use as agreed?
  • Processing Integrity – Is the system processing complete, valid, accurate, timely, and authorized?
  • Confidentiality – Is the information that’s designated as confidential protected as agreed?
  • Privacy – Is personal information collected, used, retained, disclosed, and destroyed in accordance with the entity’s privacy notice?

The result of a SOC 2 audit is a report validating the organization’s commitment to delivering high quality, secure services to clients. This compliance can be a powerful market differentiator.

What is an ISO 27001 Audit?

ISO 27001 is the internationally recognized standard for an organization’s information security management system (ISMS). An organization can be certified against it by an accredited certification body, which is what sets it apart from most other security frameworks.

The ISO 27001 standard specifies the requirements for establishing, implementing, maintaining, and continually improving an ISMS: the policies and procedures, and the associated legal, physical, and technical controls, that support an organization’s information risk management processes.

An ISMS preserves the confidentiality, integrity, and availability of information by applying a risk management process and gives confidence to interested parties that risks are adequately managed. It’s vital that an ISMS is integrated with the organization’s processes and overall management structure, and that information security is considered in the design of processes, information systems, and controls.

Clauses 4 through 10 of ISO/IEC 27001:2013 contain the requirements an organization must meet to conform to the standard (Annex A lists the reference controls that the risk treatment process selects from):

  • Clause 4: Context of the Organization
  • Clause 5: Leadership
  • Clause 6: Planning
  • Clause 7: Support
  • Clause 8: Operation
  • Clause 9: Performance evaluation
  • Clause 10: Improvement

Organizations may choose to perform an internal audit against the ISO 27001 standard and not pursue certification. As with many other frameworks, certification is possible but not mandatory. If you want a professional, independent auditing firm to perform the ISO 27001 audit, perform due diligence to verify that the firm has the knowledge and expertise to do so.

ISO 27001 certification itself can only be issued by an accredited certification body. Undergoing an ISO 27001 audit without pursuing certification can still be an effective way to demonstrate your security program to international business partners, but partners that contractually require proof of conformance will usually expect a certificate issued by an accredited body, not an audit report alone.

What’s the Difference Between SOC 2 vs ISO 27001?

The core difference between SOC 2 and ISO 27001 is the outcome. ISO 27001 is an internationally accepted, certifiable standard: organizations must go through two processes to become certified, an audit of the ISMS against the standard plus issuance of a certificate by an accredited certification body. A SOC 2 audit culminates in an attestation report issued by a licensed CPA firm rather than a certificate, and it is primarily recognized in North America rather than worldwide.

A SOC 2 audit evaluates the internal controls, policies, and procedures that relate to the AICPA’s Trust Services Criteria, and the service organization chooses which criteria (security is always included) are in scope. In contrast, an ISO 27001 audit tests whether an organization’s information security management system (ISMS), and the risk management process behind it, conforms to the requirements of the standard.

No one wants to work with an at-risk vendor. Do you want to give consumers a reason to trust your services?

Both ISO 27001 and SOC 2 compliance can help your organization maintain loyal clients and attract new ones, operate more efficiently, avoid fines for non-compliance or from breaches, and most importantly: assure clients that their sensitive data is protected. But which one meets your organization’s needs?

It all comes down to who your clients are, where your clients are, and what they require of you. If you are proactively pursuing compliance and the majority of your client base is in the United States, we recommend starting with a SOC 2 audit. If you are operating internationally or have a specific requirement from a client to undergo an ISO 27001 audit, then that internationally-accepted standard would be a better fit for your organization.

Both of these audits provide a competitive advantage that is priceless in today’s threat landscape. If you need help deciding which audit meets your organization’s needs, we are here to help. Contact us today.

More Assurance & Auditing Resources

ISO 27001 FAQs

What’s the Difference Between SOC 2 Type I and SOC 2 Type II?

SOC 2 Compliance Handbook: The 5 Trust Services Criteria

What Type of Compliance is Right for You?

All SOC 2 Resources

Independent Audit Verifies Chartio’s Internal Controls and Processes

San Francisco, CA – Chartio today announced that it has completed its SOC 2 Type II audit. This attestation provides evidence that Chartio has a strong commitment to delivering high quality services to its clients by demonstrating that the company has the necessary internal controls and processes in place.

SOC 2 engagements are based on the AICPA’s Trust Services Criteria. SOC 2 service auditor reports focus on a service organization’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system. KirkpatrickPrice’s service auditor report verifies the suitability of the design and operating effectiveness of Chartio’s controls to meet the standards for these criteria.

“Our security architecture is at the core of everything we do at Chartio,” said Brian Hartsock, VP of Engineering at Chartio. “As more companies are moving their data to the cloud and more organizations are using Chartio’s data analytics product to enable everyone to get to insights, we want to provide our clients with solutions that adhere to the highest standards. This SOC 2 report confirms our commitment to the most rigorous security, integrity and availability standards and procedures in the industry.”

“The SOC 2 audit is based on the Trust Services Criteria. Chartio has selected the security and availability categories for the basis of their audit,” said Joseph Kirkpatrick, President of KirkpatrickPrice. “Chartio delivers trust-based services to their clients, and by communicating the results of this audit, their clients can be assured of their reliance on Chartio’s controls.”

About Chartio

Chartio is on a mission to democratize data across organizations so that everyone can access, explore, transform, and visualize their data. To that end, Chartio has built a cloud-based data analytics platform that’s simple enough for every department yet powerful enough for the data team. Chartio has been named a “Leader” in Self-Service Business Intelligence software by G2 Crowd. For more information, follow us on Twitter (@Chartio).

About KirkpatrickPrice

KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 800 clients in more than 48 states, Canada, Asia, and Europe. The firm has more than a decade of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, PCI DSS, HIPAA, HITRUST CSF, GDPR, ISO 27001, FISMA, and CFPB frameworks. For more information, visit www.kirkpatrickprice.com, follow KirkpatrickPrice on Twitter (@KPAudit), or connect with KirkpatrickPrice on LinkedIn.

Privacy and security are terms that are often believed to be synonymous, but they’re actually quite different. Understanding what that difference is plays a key role in ensuring that your organization maintains a strong security posture, while also performing your due diligence to protect your customers’ sensitive data. In this webinar, our Director of Regulatory Compliance, Mark Hinely, discusses the differences between privacy and security, why understanding the difference matters, and how knowing the difference could benefit your organization.

What is the Difference Between Privacy and Security?

The difference between privacy and security comes down to what each one safeguards. Security protects data, in any form, against unauthorized access, alteration, and loss. Privacy governs how personal information about an individual is collected, used, shared, and retained, and what rights that individual has over it. A system can be fully secure and still violate privacy if it uses personal data for a purpose the individual never agreed to. To better understand the difference, there are 7 key components to look at:

  • Scope
  • Particularity/Uniqueness
  • Disclosures
  • Access
  • Data Usage and Third-Party Transfers
  • Minimization
  • Retention

Why Does Knowing the Difference Matter?

In a day and age when cybersecurity attacks are at an all-time high and the threat landscape continues to evolve, knowing which security and privacy requirements your organization must adhere to is critical. This is where the importance of understanding the difference between privacy and security comes into play. Why? We’ll give you a few reasons.

  • People excel in their efforts when they know why they are doing what they’re doing. If your organization doesn’t understand why you need to follow certain security or privacy requirements, you might not actually comply with those requirements.
  • Just because an organization keeps data secure doesn’t mean they’re keeping that data private.
  • Everybody wants every privacy and security guarantee, but that’s not necessary or possible.
  • Organizations might actually underachieve compliance if they’re not well-versed in the difference between which security and privacy requirements they must comply with.
  • Businesses could make unnecessary efforts to achieve challenging compliance objectives that do not apply to them, wasting time, money, and personnel resources.
  • Organizations could implement privacy and security controls or requirements incorrectly.

With the rise in data privacy regulations, organizations must make it a priority to know and understand the difference between privacy and security. To learn more about privacy and security, download the full webinar. For more information on how KirkpatrickPrice can help you meet your compliance needs, contact us today.

Updating Your Privacy Policy for CCPA Compliance

If 2018 was the year spent anticipating the GDPR enforcement deadline, 2019 will be the year US states begin enforcing their own data privacy laws. While the California Consumer Privacy Act (CCPA) isn’t the first US data privacy law to go into effect, it has certainly gained more attention than others. This is largely because of its similarities to GDPR, but it is also the strictest US data privacy law of its time. And though the CCPA doesn’t go into effect until January 1, 2020, the law gives consumers the right to request the personal information a business collected about them in the preceding 12 months, which means that organizations must begin their CCPA compliance efforts now. If your business collects personal information from California residents and meets the CCPA’s applicability thresholds, wherever you are based, you’ll need to update your privacy policy to ensure compliance with CCPA. Check out these 10 ways that you can accomplish this.

What Should a CCPA-Compliant Privacy Policy Include?

Many of the best practices that organizations are using to comply with GDPR will also be effective when beginning to comply with CCPA, but there are some differences in the CCPA’s privacy policy requirements. Section 1798.130(b) of the CCPA states the required information that must be provided when personal information is collected from California consumers, which includes, but is not limited to:

  • A description of consumers’ rights under CCPA
  • A description of the purposes of processing personal information
  • A description of the categories of personal information to be collected
  • A definition of the process for requesting the personal information collected about individuals
  • A description of the right to deletion
  • A description of the right to disclosure