Business Continuity Plan Checklist

The world is full of expected events. You never know when your organization will be hit with a disaster. Developing a detailed business continuity plan (BCP) is the best way to prepare your organization to jump into action when disaster strikes.

Every organization is different and will need a customized BCP that details their specific processes and procedures to implement in case of a disaster. What should you include in your business continuity plan? Check out our PDF that outlines the basics you can start with to create and document your BCP.

 

 

Documenting and Testing Your Business Continuity Plan

After you’ve created the basics of your plan, you need to document all the procedures. This process is critical to ensure you restore all functions of your organization if and when a disaster occurs. Don’t just rely on imagined processes to get you through. You need to have detailed procedures written down so that everyone in your organization can refer to your plan when necessary.

How can you know if your business continuity plan will work when you need it most? You need to regularly test your BCP to ensure all employees are trained and all procedures will accomplish their intended goals. Once you test your plan, you can review it for gaps and improve it for future implementation.

How KirkpatrickPrice Can Help

Our Information Security Auditors and Professional Writing Team have developed tools to provide customized help to organizations looking to further their business continuity plans. Whether you have yet to create a BCP or are just wanting an extra layer of assurance that it’s detailed enough, we are here to help. KirkpatrickPrice offers services that help you start from scratch with an understanding of your organization and operations, tools to help you create a detailed plan, and experts to walk you through documentation. We encourage regular testing in various forms, such as table-top exercises. Let’s work on securing your organization in the event a disaster strikes. Contact us, today, to learn how we can partner together.

More Resources

SOC 2 Academy: Testing Your Business Continuity Plan

Auditor Insights: Disaster Recovery and Business Continuity

Cloud Security: Business Continuity and Disaster Recovery Planning

HIPAA vs. HITRUST CSF: Which One Should I Choose?

Stolen medical records, research, prototypes, prescriptions, devices – there are so many ways that healthcare organizations can be compromised. Each of these risks threaten patient care in a different way, but they could each lead to life-or-death consequences. That is why it’s so important that healthcare organizations undergo the right type of information security audit – to ensure that they are protected in every way that they can be. We’ve consulted with many organizations who are confused about what HIPAA is, what the HITRUST CSF™ is, which one they should pursue, if they need to pursue both, etc. Let’s dig into what each assessment involves so that you can begin the decision process.

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) sets a national standard for the protection of PHI and ePHI by mandating risk management best practices and physical, administrative, and technical safeguards. HIPAA was established to provide greater transparency for individuals whose information may be at risk, and the Department of Health and Human Services’ Office for Civil Rights (OCR) enforces compliance with the HIPAA Privacy, Security, and Breach Notification Rules.

HIPAA Security Rule

The goal of the Security Rule is to create security for ePHI by ensuring the confidentiality, integrity, and availability of ePHI, protecting against threats, protecting against unpermitted disclosures, and ensuring workforce compliance. The requirements of the Security Rule are accomplished through administrative, technical, and physical safeguards. Administrative safeguards cover personnel, training, access, and process while technical safeguards cover access, audits, integrity, and transmission. Physical safeguards cover facility access, workstations, and devices.

HIPAA Privacy Rule

The Privacy Rule regulates things like appropriate use and disclosure of PHI, patient access to PHI, and patient rights. The Privacy Rule is crucial for HIPAA because without it, healthcare organizations could disclose and distribute PHI without the consent of the individual. A Privacy Rule assessment evaluates policy and procedure documentation relating to these areas, which include: Notice of Privacy Practices, patient rights, minimum necessary standard, administrative requirements, and uses and disclosures.

HIPAA Breach Notification Rule

The Breach Notification Rule requires covered entities and business associates to provide notification following a breach of unprotected PHI or ePHI. Covered entities have three parties that they need to notify of a breach: patients, HHS, and potentially the media. Business associates always need to notify their covered entity of a breach. In order to properly comply with the Breach Notification Rule, there are several aspects of the breach your organization needs to communicate to the affected parties: what happened, what kind of PHI was disclosed in the breach, what patients should do to mitigate harm, what you’re doing to investigate and mitigate future harm, and how they can contact you.

What is the HITRUST CSF?

The HITRUST CSF is a certifiable framework for regulatory compliance and risk management. It was built on the primary principles of ISO 27001/27002, but has evolved to align with a growing number of standards, regulations, and business requirements, including HIPAA, PCI DSS, NIST 800-53/800-171, GDPR, FTC Red Flags Rule, several state requirements, and more.

When the CSF was first popularized, it was primarily focused on healthcare organizations. The changes reflect HITRUST’s effort to leverage international standards and expand adoption into new industries, such as financial services, travel and hospitality, media and entertainment, telecommunications, and startups.

Choosing what type of HITRUST CSF assessment to do can be a daunting task, especially when an organization is doing this audit for the first time. HITRUST CSF assessment options include:

SOC 2 Type II with HITRUST CSF Mapping

A SOC 2 Type II with HITRUST CSF mapping is an assessment that came from a collaboration between the AICPA and HITRUST. This assessment culminates in a SOC 2 report that includes a table that maps the selected Trust Services Criteria to HITRUST CSF controls.

SOC 2 Type II with HITRUST CSF Criteria

A SOC 2 Type II audit can be performed using the HITRUST controls and criteria instead of the Trust Services Criteria. In this case, the organization still receives a SOC 2 report, not HITRUST CSF certification. This type of reporting option is chosen when a service organization wants its service auditor to express an opinion on whether the controls at the service organization are suitably designed and operating effectively to meet the HITRUST CSF requirements.

SOC 2 Type II and HITRUST CSF Certification

When a SOC 2 Type II report and HITRUST CSF certification is required, organizations have the ability to combine these two audits into one effort – getting the full benefit of both audits while reducing the time and effort it takes to complete them separately. At the end of the audit process, the organization receive both a SOC 2 Type II audit report and HITRUST CSF validated report.

HITRUST CSF Self-Assessment

A HITRUST CSF self-assessment is a great way to begin your HITRUST compliance efforts, and is what KirkpatrickPrice recommends to clients who are just starting out. This option is your own evaluation and attestation of your organization’s compliance, completed in 90 days and culminating in a report.

HITRUST CSF Validated Assessment

A HITRUST CSF validated assessment is performed by an approved CSF Assessor, like KirkpatrickPrice. Validated assessments include a HITRUST CSF self-assessment in which you answer questions and attest to your compliance, followed by a CSF Assessor validating your controls against what you have said is in place, and HITRUST granting certification.

Should You Choose a HIPAA or HITRUST CSF Assessment?

Need help consulting which audit is appropriate or required for your organization? KirkpatrickPrice is here to help. We are passionate about enabling healthcare organization to provide better patient care through information security efforts. Let’s talk today about HIPAA, HITRUST, and other elements of security programs in healthcare.

More Resources

HIPAA Compliance Checklist

Preparing for a HITRUST CSF Assessment

Why is Information Security So Important in Healthcare?

How to Write a Privacy Policy (With 3 Sample References)

The Importance of Privacy Policies in Today’s Data-Centric Landscape

It’s no secret that data is now the most valuable asset worldwide. With nearly all organizations relying on some form of data to fuel their business, consumers and policy makers have started highlighting the need to more transparent about how they collect, use, store, and transmit data, starting with their privacy policies. Because consumers have become more interested in how their data is being collected, used, stored, and transmitted, it is essential that businesses recognize the importance of creating a robust privacy policy. So, how can they write a privacy policy? Are there any privacy policy samples to reference?

Emerging Data Privacy Laws

Across the globe, law makers are enforcing data privacy laws. In the United States, many state-level privacy laws have been enacted. While CCPA is the most talked about of those recently enforced, other states have made progress with enforcing their own laws and the federal government is evaluating whether it pass a federal data privacy law. Aside from CCPA, regulations like HIPAA and GBLA require that organizations be transparent about the kind of data they’re collecting and how they’re protecting it. In Canada, PIPEDA was recently enforced, and perhaps the most infamous data privacy law of our time, GDPR, was the force that led to the data privacy law evolution.

How to Write a Privacy Policy

Because so many countries are creating and enforcing their own data privacy laws, knowing what your privacy policy needs to include can be confusing. If you’re questioning how to write a privacy policy, try using these four basic steps to get started.

  1. Identify which regulations you must comply with and any privacy commitments you make separate from regulatory requirements.
  2. Map the data you’re collecting – know that you receive it, where it is, who interacts with it, how it’s used, who you share it with, etc.
  3. Create an outline – Determine which sections you must include and which you can leave out.
  4. Use clear, easy-to-read language. Users should be able to clearly understand your processes for collecting, using, and protecting their data.

Topics to Cover in a Privacy Policy

Want to know how to write a privacy policy? Privacy policies will usually differ based on your industry, location, and applicable legal regulations. Nevertheless, there are common topics to cover in a privacy policy, including:

  • A scope of the policy
  • An introduction or description of your company
  • A list of the types of data you collect
  • A description of how you collect that data
  • A description of how you use that data (Do you share it with third parties? Do you use it for targeted marketing? Do you use it for product or service development? Do you use it to fix bugs or address data security concerns?)
  • A description of the length you will hold the data
  • A list and description of consumer rights, such as the right to opt-out and the right to deletion, and how to exercise those rights
  • Impact that consumer rights and choices will have on their ability to use services and products
  • Children’s privacy rights (Typically this addresses 13 and under)
  • A description of how updates to the privacy policy are made and how users will be notified if a change occurs
  • Ways to contact your organization

3 Privacy Policy Samples: Pros and Cons

While there are basic components that privacy policies need to address, it can still be confusing when it comes time to write the document. Let’s take a look at three privacy policy samples and evaluate what they do well and areas they can improve on.

Twitter

As one of the world’s largest and most-used social media sites, Twitter’s privacy policy is a great example of a comprehensive, yet understandable privacy policy. Using color coding, links, and highlighting, it is clearly laid out and easy to navigate. However, a major pitfall to this privacy policy is the length. Notice the scroll bar? This doesn’t make it so easy on the user to dig through and easily understand how Twitter is collecting, using, and protecting data.

Survey Monkey

Ensuring that consumers willingly give consent and opt-in to their data being collected is becoming more and more common – and required! Survey Monkey understands that, and it’s clearly demonstrated in their privacy policy. Like Twitter, they use color coding, links, and highlighting to help users navigate the policy. In addition to this, it’s brief – making the document more readable for users.

The Guardian

In many instances, organizations will be required to comply with multiple data privacy laws, like CCPA and GDPR. Sometimes, this means that businesses will need to create two separate policies; however, there are also times when it is appropriate to combine them, which is exactly what The Guardian has done.

Whether you’re just starting out developing your privacy policy, or you’re looking to revamp the one you currently have in place, KirkpatrickPrice is here to help. Still questioning how to write a privacy policy? Don’t just download some basic template online – utilize one of our experts to make sure you’re on the right track. Contact us today to get the process started.

More Privacy Policy Resources

Privacy Policies Built for GDPR Compliance

Privacy Policies Built for CCPA Compliance

Most Common Privacy Gaps

Coronavirus Hits Healthcare’s Cyber Readiness

Healthcare organizations all around the world are fighting the coronavirus pandemic, but they are fighting more than just the virus. While the healthcare industry is focused on public health and patient care, hackers are taking this opportunity to target them with all types of cyber attacks. Has the lack of cyber readiness finally caught up to the healthcare industry? Is it taking a global pandemic for healthcare organizations to face the facts: they need to improve their security hygiene once and for all?

HHS Network Targeted

The U.S. Department of Health and Human Services (HHS) was targeted in what looks like an attempt to overload its website with millions of hits. They detected a significant increase in activity on HHS cyber infrastructure, appearing to be an attempted Distributed Denial of Service (DDoS) attack. Fortunately, this attack was unsuccessful and no federal networks were impacted. HHS Secretary, Alex Azar, said, “We have extremely strong barriers, we had no penetration into our networks, no degradation of the functioning of our networks, we had no limitation on the ability or capacity of our people to telework, we’ve taken very strong defensive actions.”

Fake Coronavirus Map from Johns Hopkins

As hackers leverage our fear, they find new ways to deliver malware. In one of the latest attacks, an interactive map that reports on coronavirus infections and deaths, produced by Johns Hopkins, is being using maliciously. Brian Krebs reported, “Late last month, a member of several Russian language cybercrime forums began selling a digital Coronavirus infection kit that uses the Hopkins interactive map as part of a Java-based malware deployment scheme.” The user believes they are using the legitimate map, but they’re actually spreading password-stealing malware.

Ransomware on Illinois Public Health Network

On March 10, a ransomware attack on the Champaign-Urbana Public Health District in Illinois took down their website. The timing of this attack couldn’t be worse, as the organization needs to communicate critical and ongoing coronavirus updates. No critical systems, PHI, or ePHI were compromised during the attack and the website has since been restored – but an investigation did confirm that it was caused by Netwalker (MailTo) ransomware.

Your Cyber Readiness

Healthcare organizations are particularly vulnerable to cyber attacks on any given day, but especially during this time of unpredictability. Now that you’ve seen scenarios like the HHS defending its network versus Champaign-Urbana Public Health District’s network going down, it’s time to consider how your organization would respond. If you’re interested in testing your incident response plan, participating in pen testing, or consulting on your cyber readiness, we’re ready to help!

More Healthcare Resources

Dangers of XXS Attacks in Healthcare

Why is Information Security So Important in Healthcare?

Achieving SOC 2 and HIPAA Compliance with the Online Audit Manager

Classifying Data: Why It’s Important and How To Do It

Why is Classifying Data Necessary?

Knowing how to classify data is critical given today’s advancing cyber threats. With well over 5,000 data breaches occurring in 2019 alone, including more than 8 billion pieces of data compromised, classifying your data is essential if you want to know how to secure it and prevent security incidents at your organization.

How to Classify Data

Determining how to classify your data will depend on your industry and the type of data your organization collects, uses, stores, processes, and transmits. For healthcare organizations, this could be PHI such as patient names, dates of birth, Social Security numbers, medical data and histories, or prescription information. For financial services organizations, this could be CHD, PINs, credit scores, payment history, or loan information. Regardless of the type of data, though there are a few key considerations to make when classifying data, including:

  1. What data does your organization collect from customers and vendors?
  2. What data does your organization create?
  3. What is the level of sensitivity of the data?
  4. Who needs access to the data?

4 Ways to Classify Data

Depending on the sensitivity of the data an organization holds, there needs to be different levels of classification, which determines a number of things, including who has access to that data and how long the data needs to be retained. Typically, there are four classifications for data: public, internal-only, confidential, and restricted. Let’s look at examples for each of those.

  • Public data: This type of data is freely accessible to the public (i.e. all employees/company personnel). It can be freely used, reused, and redistributed without repercussions. An example might be first and last names, job descriptions, or press releases.
  • Internal-only data: This type of data is strictly accessible to internal company personnel or internal employees who are granted access. This might include internal-only memos or other communications, business plans, etc.
  • Confidential data: Access to confidential data requires specific authorization and/or clearance. Types of confidential data might include Social Security numbers, cardholder data, M&A documents, and more. Usually, confidential data is protected by laws like HIPAA and the PCI DSS.
  • Restricted data: Restricted data includes data that, if compromised or accessed without authorization, which could lead to criminal charges and massive legal fines or cause irreparable damage to the company. Examples of restricted data might include proprietary information or research and data protected by state and federal regulations.

Common Requirements for Classifying Data

Many frameworks and legal regulations have specific requirements that encourage organizations to classify data. While this isn’t an exhaustive list of the requirements and laws, these are quite common. It should be noted that these requirements vary depending on the types of data your organization collects, uses, stores, processes, or transmits.

  • SOC 2: The SOC 2 Trust Services Criteria requires that service organizations who include the confidentiality category in their audit demonstrate that they identify and maintain confidential information to meet the entity’s objectives related to confidentiality.
  • HIPAA: PHI is considered high-risk data. As such, HIPAA Security Rule requires that all covered entities and business associates implement administrative safeguards that ensure the confidentiality, integrity, and availability of PHI. In addition, the HIPAA Privacy Rule limits the uses and disclosures of PHI, forcing covered entities and business associates alike to establish procedures for classifying the data they collect, use, store, or transmit.
  • PCI: In order to comply with PCI DSS Requirement 9.6.1, entities must “classify data so that sensitivity of the data can be determined.”
  • GDPR: Organizations that handle the personal data of EU data subjects must classify the types of data they collect in order to comply with the law. Additionally, GDPR categorizes certain data – race, ethnic origin, political opinions, biometric data, and health data – as “special” and therefore it is subject to additional protection. This not only means that organizations need to know what types of data they hold, but they also need to be able to label that data such as public, proprietary, or confidential.

What processes does your organization have in place for classifying data? Do you need help determining which types of data you collect, use, store, process, or transmit? If compliance is on your radar this year, make sure you’ve done your due diligence to classify data. Interested in learning more about how we can help you establish data classification procedures? Let’s find some time to talk.

More Resources

Best Practices for Data Retention

How to Build an IT Asset Management Plan

How Much is Your Data Worth to Hackers?