The U.S. Department of Health and Human Services Office for Civil Rights announced on March 21, 2016 that Phase 2 of the HIPAA audits had officially begun. Now, more than a year later, 200 desk audits have occurred, but covered entities and business associates are still struggling to know what to focus on and in which areas they are lacking safeguards. In this webinar hosted by LockPath, Joseph Kirkpatrick shares his insights on trends from Phase 1 and 2 HIPAA audits and where we’re headed in 2018.

In Phase 1, we learned that 65% of findings were from the Security Rule. 42.7% of issues from the Security Rule were from Administrative Safeguards, 40.54% were from Technical Safeguards, and 16.76% were from Physical Safeguards. 81% of findings were from healthcare providers, and 66% of findings were from Level 4 entities.

In this presentation, we discuss a few different settlement and enforcement examples. Obviously, the Equifax breach gives us a lot to talk about, but we also take a look at Anchorage Community Mental Health Services. They were fined $150,000 for failure to follow Security Rule policies and procedures and failure to identify and address risk. Next, we discuss the $4.3 million Civil Money Penalty on Cignet for violations of the Privacy Rule, failure to provide patients with medical records, and failure to cooperate with the Federal Government. Catholic Health Care Services of the Archdiocese of Philadelphia (CHCS) was fined $650,000 for failure to perform a thorough Risk Analysis and failure to implement appropriate security measures.

For covered entities, Phase 2 audits focused on Notice of Privacy Practices Content Requirements, Provision of Privacy Notices – Electronic Notice, Right to Access, Timeliness of Breach Notification, and Content of Breach Notification. For business associates, Phase 2 audits focused on Risk Analysis, Risk Management, and Breach Reporting to the Covered Entity. We recommend going over the detailed audit protocol information provided by the U.S. Department of Health and Human Services.

About LockPath

LockPath is a leader in integrated risk management solutions. Their suite of applications empowers companies to manage risk, demonstrate compliance, monitor information security, and achieve audit-ready status. Companies ranging from 10-person offices to Fortune 10 enterprises in over 15 industries address the Gartner IRM use cases with LockPath solutions. In 2017, they are expanding their application portfolio to provide more efficient and effective programs. Learn more at lockpath.com.

A risk assessment is a critical component of any organization’s infrastructure because it creates an awareness of risk. In today’s threat landscape, specifically relating to cybersecurity, it’s more important than ever to know where your assets live, fully understand the controls in place to protect those assets, and test the effectiveness of those controls. To understand why it is important to complete a risk assessment, you first must understand how a risk assessment can save your business. Let’s take a look at what a risk assessment is, the benefits of a risk assessment, and the steps you should take to complete one.

What is a Risk Assessment?

According to NIST SP 800-53, a highly regarded industry standard, a risk assessment is fundamental to any organizational risk management program and is a methodology used to identify, assess, and prioritize organizational risk. Most information security frameworks require a formally documented, annual risk assessment. Without a risk assessment, organizations can be left unaware of where their critical assets live and what the risks to those assets are.

What are Benefits of a Risk Assessment?

First and foremost, it is important to complete a risk assessment because it is mandated by most information security frameworks. By regularly performing a formal risk assessment, you can get a clear picture of where your assets lie and what potential threats might exist.

From there, you can assess the likelihood of those threats actually occurring and the impact if they do, which gives you an opportunity to evaluate your current security controls and determine whether what you’re doing will be an effective defense against a malicious attack. Another way a risk assessment can save your business is by making you proactive rather than reactive. If you have the opportunity to anticipate a potential security incident and address its potential adverse impacts, chances are you will succeed and save your business from operational and reputational loss.

  • Get a clear picture of where your assets lie.
  • Identify potential threats.
  • Understand the likelihood and impact of those threats.
  • Implement proactive processes to address and mitigate the impact.

How to Perform a Risk Assessment

The purpose of a risk assessment is to identify risks, analyze vulnerabilities, and assess risk likelihood. Risk assessment must be a continuous process for any organization. So where do you begin? The five steps to a risk assessment are as follows:

  1. Conduct Risk Assessment Survey
  2. Identify Risks
  3. Assess Risk Importance and Risk Likelihood
  4. Create a Risk Management Action Plan
  5. Implement a Risk Management Plan

For more details on how to complete a formally documented risk assessment, and to learn more about how a risk assessment can save your business, download our free Risk Assessment Guide.


Independent Audit Verifies Emergicon’s Internal Controls and Processes

Dallas, TX – Emergicon, an EMS billing service provider, today announced that it has completed its SOC 1 Type II Audit. This attestation verifies that Emergicon has the proper internal controls and processes in place to deliver high quality services to its clients.

KirkpatrickPrice, a licensed CPA and PCI QSA firm, performed the audit and appropriate testing of Emergicon’s controls that may affect its clients’ financial statements. In accordance with SSAE 18 (Statements on Standards for Attestation Engagements), the SOC 1 Type II audit report includes Emergicon’s description of controls as well as the detailed testing of its controls over a minimum six-month period.

Christopher Turner, MHA, President and CEO of Emergicon said, “At Emergicon, we know that outside auditing is integral to assuring our clients’ confidence in our processes and controls. Emergicon has enjoyed working with KirkpatrickPrice for several years now and each audit period adds additional layers of internal controls. We appreciate the efforts of the auditors at KirkpatrickPrice and their continued partnership with Emergicon.”

“Many of Emergicon’s clients rely on them to protect consumer information,” said Joseph Kirkpatrick, Managing Partner with KirkpatrickPrice. “As a result, Emergicon has implemented best practice controls demanded by their customers to address information security and compliance risks. Our third-party opinion validates these controls and the tests we perform provide assurance regarding the managed solutions provided by Emergicon.”

SOC 1 Type II is a report on the controls at a service organization that was established by the American Institute of Certified Public Accountants (AICPA). This report is in compliance with the SSAE 18 auditing standards and focuses on the controls of a service organization that are relevant to an audit of a user entity’s financial statements. The standard demonstrates that an organization has adequate controls and processes in place. Federal regulations such as Sarbanes-Oxley, Gramm-Leach-Bliley and the Health Insurance Portability and Accountability Act (HIPAA) require corporations to audit the internal controls of their suppliers, including those that provide technology services.

About Emergicon

Emergicon, LLC, based in Dallas, Texas, was formed in 2006 to fill a need in the ambulance medical billing services industry by providing a better solution for processing ambulance claims. In addition to using state-of-the-art ambulance billing software by ESO Solutions, Emergicon prides itself on providing clients with a team of experts dedicated to compliance, collections and customer service.

Emergicon founder and CEO Christopher Turner and his leadership team bring more than 50 years of executive expertise in the healthcare industry to offer effective processes that consistently result in prompt reimbursement for EMS providers.

Emergicon has a large, growing, dedicated team of professionals that receives continuous training to maintain and improve quality, accuracy and best-in-class customer service. We employ qualified support staff to offer dependable, skilled, responsive customer service while maintaining affordability for our clients.

About KirkpatrickPrice

KirkpatrickPrice is a licensed CPA firm, PCI QSA, and a HITRUST CSF Assessor, registered with the PCAOB, providing assurance services to over 600 clients in more than 48 states, Canada, Asia, and Europe. The firm has over 12 years of experience in information security and compliance assurance by performing assessments, audits, and tests that strengthen information security and internal controls. KirkpatrickPrice most commonly provides advice on SOC 1, SOC 2, HIPAA, HITRUST CSF, PCI DSS, ISO 27001, FISMA, and CFPB frameworks. For more information, visit www.kirkpatrickprice.com, follow KirkpatrickPrice on Twitter (@KPAudit), or connect with KirkpatrickPrice on LinkedIn.

Effective February 1, 2018, there are new PCI DSS requirements that could have a significant impact on your PCI compliance. If you haven’t started working to meet these new requirements, you should make plans to speak with your auditor about how to start implementing these changes.

The nine new PCI DSS requirements are considered best practice until February 1, 2018, when they become mandatory. These requirements are:

New PCI DSS Requirements for Everyone

Requirement 6.4.6 – Change management implementation and documentation

  • Upon completion of a significant change, all relevant PCI DSS requirements must be implemented on all new or changed systems and networks, and documentation updated as applicable.
  • The determination of what constitutes a significant change is highly dependent on the configuration of a given environment. If an upgrade or modification could allow access to cardholder data or affect the security of the cardholder data environment, then it could be considered significant. (Found in 11.2.3 guidance)

Requirement 8.3.1 – Multi-factor authentication

  • Incorporate multi-factor authentication for all non-console access into the CDE for personnel with administrative access.
  • Multi-factor authentication will be required even when coming from a trusted network. This will be required for all non-console administrative access.

New PCI DSS Requirements for Service Providers Only

Requirement 3.5.1 – Maintain documentation of cryptographic architecture

  • Maintain a documented description of the cryptographic architecture that includes:
    • Details of all algorithms, protocols, and keys used for the protection of cardholder data, including key strength and expiry date
    • Description of the key usage for each key
    • Inventory of any HSMs and other SCDs used for key management

Requirement 10.8 – Implement a process for responding to failures of any critical security controls

  • Implement a process for the timely detection and reporting of failures of critical security control systems, including but not limited to failure of:
    • Firewalls
    • IDS/IPS
    • FIM
    • Anti-virus
    • Physical access controls
    • Logical access controls
    • Audit logging mechanisms
    • Segmentation controls (if used)

Requirement 10.8.1 – Implement a process for responding to failures of any critical security controls

  • Respond to failures of any critical security controls in a timely manner. Processes for responding to failures in security controls must include:
    • Restoring security functions
    • Identifying and documenting the duration (date and time start to end) of the security failure
    • Identifying and documenting cause(s) of failure, including root cause, and documenting remediation required to address root cause
    • Identifying and addressing any security issues that arose during the failure
    • Performing a risk assessment to determine whether further actions are required as a result of the security failure
    • Implementing controls to prevent cause of failure from reoccurring
    • Resuming monitoring of security controls

Requirement 11.3.4.1 – Test segmentation control every six months

  • If segmentation is used, confirm PCI DSS scope by performing penetration testing on segmentation controls at least every six months and after any changes to segmentation controls/methods.

Requirement 12.11 – Management review of policies and procedures every six months

  • Perform reviews at least quarterly to confirm personnel are following security policies and operational procedures. Reviews must cover the following processes:
    • Daily log reviews
    • Firewall rule-set reviews
    • Applying configuration standards to new systems
    • Responding to security alerts
    • Change management processes

Requirement 12.11.1 – Document six-month management review

  • Maintain documentation of quarterly review process to include:
    • Documenting results of the reviews
    • Review and sign off of results by personnel assigned responsibility for the PCI DSS compliance program

If you have any questions about how these changes will affect your compliance or need additional help with implementation, contact us today.


Independent Audit Verifies Stoneleigh Recovery Associates’ Internal Controls and Processes

Lombard, IL – KirkpatrickPrice announced today that Stoneleigh Recovery Associates, LLC, a nationwide debt collection service, has received their SOC 1 Type II and SOC 2 Type II attestation reports. The completion of these engagements provides evidence that Stoneleigh Recovery Associates has a strong commitment to deliver high quality services to its clients by demonstrating they have the necessary internal controls and processes in place.

KirkpatrickPrice, a licensed CPA and PCI QSA firm, performed the audit and appropriate testing of Stoneleigh Recovery Associates’ controls that may affect its clients’ financial statements. In accordance with SSAE 18 (Statements on Standards for Attestation Engagements), the SOC 1 Type II audit report includes Stoneleigh Recovery Associates’ description of controls as well as the detailed testing of its controls over a minimum six-month period. This report is in compliance with the SSAE 18 auditing standards and focuses on the controls of a service organization that are relevant to an audit of a user entity’s financial statements. Federal regulations such as Sarbanes-Oxley, Gramm-Leach-Bliley and the Health Insurance Portability and Accountability Act (HIPAA) require corporations to audit the internal controls of their suppliers, including those that provide technology services.

“Many of Stoneleigh Recovery Associates’ clients rely on them to protect consumer information,” said Joseph Kirkpatrick, Managing Partner with KirkpatrickPrice. “As a result, Stoneleigh Recovery Associates has implemented best-practice controls demanded by their customers to address information security and compliance risks. Our third-party opinion validates these controls, and the tests we perform provide assurance regarding the managed solutions provided by Stoneleigh Recovery Associates.”

SOC 2 engagements are based on the AICPA’s Trust Services Principles. SOC 2 service auditor reports focus on a Service Organization’s non-financial reporting controls as they relate to security, availability, processing integrity, confidentiality, and privacy of a system. KirkpatrickPrice’s service auditor report verifies the suitability of the design and operating effectiveness of Stoneleigh Recovery Associates’ controls to meet the criteria for these principles.

“The SOC 2 audit is based on the Trust Services Principles and Criteria. Stoneleigh Recovery Associates has selected the security and availability principles for the basis of their audit,” said Joseph Kirkpatrick, Managing Partner with KirkpatrickPrice. “Stoneleigh Recovery Associates delivers trust-based services to their clients, and by communicating the results of this audit, their clients can be assured of their reliance on Stoneleigh Recovery Associates’ controls.”

“Maintaining a strong compliance management system is one of the core principles of our business and success as a debt collection company,” said Kelly Knepper-Stephens, General Counsel & Chief Compliance Officer with Stoneleigh Recovery Associates. “Receiving validation that our controls meet the high standards for both the SOC 1 Type II and SOC 2 Type II independent audits provides a level of confidence that our Board of Directors and customers have come to depend upon.”

About Stoneleigh Recovery Associates

Founded in 2007, Stoneleigh Recovery Associates provides nationwide debt collection services on behalf of our clients in multiple vertical market segments. Our debt profiles include: auto finance, bankcard, commercial, healthcare, retail and student loan.

We are fully compliant with all federal laws and state licensing standards. SRA strictly adheres to FDCPA regulations and strives to perform at the highest level of integrity and confidentiality standards.

SRA’s modern recovery techniques and audited industry best practices are enhanced by our state-of-the-art call center. Together, with our strong work ethic and fully transparent process, SRA provides our clients maximum recovery. We have been active for over a decade with continuing growth and a long list of clients who insist on SRA.

For more information, visit www.stoneleighrecoveryassociates.com, or connect with us on Facebook, Twitter and LinkedIn (@StoneleighRecov).