3 Things You Can Do to Avoid Being the Next Anthem Headline

The recent Anthem data breach is potentially the largest breach to date in the Healthcare space. When your CEO or your largest clients ask you what your plan is to prevent the same from happening to you, what are you going to tell them? Safeguarding Personally Identifiable Information (PII) is essential for avoiding a data breach. Here are three things you should do immediately to avoid a data breach:

  1. Advanced Penetration Testing – An advanced external penetration test identifies weaknesses in network and application security the way an attacker would. Because new vulnerabilities emerge constantly, regular penetration tests are needed to maintain a secure network and to find the gaps in your security before someone else does.
  2. Perform a Formal Risk Assessment – How will you know if you’re doing enough until you systematically identify the appropriate risks? An organized, written risk assessment will identify what you need to be doing and what you don’t need to be doing. The old adage is true; first make the plan, then work the plan.
  3. Assessment of all regulatory requirements for HIPAA – Perform a gap analysis against the HIPAA standards to see where you need to remediate in order to strengthen your information security.

Take the appropriate steps within your organization to make sure a data breach doesn’t happen to you. KirkpatrickPrice is uniquely qualified to help with all of these. Call us today at 800-770-2701 for immediate assistance in preventing a data breach at your organization or contact us today.


3 Reasons to Stop Hesitating and Complete your SSAE 16 Audit

With the compliance landscape rapidly changing, it’s important to stay up to date with current standards to gain trust and respect from your clients. If you’ve been considering getting an SSAE 16 Audit, but keep putting it off, what are you waiting for? Here are 3 Reasons to stop hesitating and start your SSAE 16 Audit today:

1. To gain a competitive advantage

Completing an SSAE 16 allows you to pursue clients that require an SSAE 16 to meet their own regulatory requirements. They simply can’t afford to work with an “at-risk” vendor. It also tells clients that you are serious about the controls and security of your organization. Engaging in an SSAE 16 Audit demonstrates that you have taken initiative by hiring a third party to conduct the audit, in turn, formalizing your audit process.

2. It will mature your environment

By completing an SSAE 16 Audit, you are ahead of the curve in maturing your organization. Management should choose to test its employees and bring in outside services to help business processes mature. A review of your controls by an independent auditor can surface things you may have missed during your own assessment of risk. Catching these inefficiencies helps your organization stay secure and up to date on security and compliance best practices, and can protect you from a loss of business or operability.

3. It will save you time and money

By being proactive about the security of your organization, you will save your organization time and money by reducing the burden of questionnaires and site visits from your clients’ auditors. If you don’t already have a current report, you could face multiple clients’ auditors individually and continue to repeat the process, over and over.

Don’t hesitate to begin your SSAE 16 Audit. For more information on whether or not an SSAE 16 is right for your business, contact us today or click here to download our FAQ about SSAE 16/SOC Audits.

Anthem Data Breach: Recent Hack Affects Millions

Joseph R. Swedish, CEO of Anthem Inc., one of the largest healthcare providers in the US, announced Wednesday that, despite efforts to appropriately safeguard its information, the company had suffered a major cyberattack. This attack is said to have affected as many as 80 million people.

According to Anthem, this attack compromised both patient and employee information: names, birthdays, medical IDs, Social Security numbers, street addresses, email addresses, and employment and income information. Swedish said in a letter published on a website about their response to the incident, “Once the attack was discovered, Anthem immediately made every effort to close the security vulnerability, contacted the FBI, and began fully cooperating in the investigation.” (www.AnthemFacts.com) They have since taken measures to improve their security environment by fully evaluating their systems.

HIPAA laws mandate that you properly safeguard the Personally Identifiable Information (PII) that you collect, and data breaches such as this can often result in heavy fines. There are specific guidelines for protecting this information as well as for reporting a breach once it has been discovered. In too many cases, businesses scramble to pick up the pieces after a breach rather than already having in place a strong defense to protect the PII for which they are responsible. This is a scary time for the cyberworld, and the discovery of this massive data breach should encourage us to continue to improve and strengthen our security measures as the landscape continually evolves.

If you need help assessing your current security environment or need help developing your Incident Response Plan, call us today at 800-770-2701 for a free consultation.

5 Steps to Mastering a Risk Assessment

Performing a Risk Assessment is a critical component of any Information Security Program. It’s mandated by several frameworks (SSAE 16, SOC 2, PCI DSS, ISO 27001, HIPAA, FISMA). In order to comply with those frameworks, your organization has to complete a risk assessment, and then assess and address the risks by implementing security controls. The Risk Assessment process is a constantly moving and evolving process for an organization. So, where do you begin?

1. Conduct Risk Assessment Survey

A Risk Assessment is a systematic process of evaluating the potential operational, reputational, and compliance risks that pertain to your organization. So why should you care about performing a Risk Assessment? As a business owner or stakeholder, it is your priority to protect the assets that are required to deliver your service or product. A Risk Assessment can protect your revenue and business operations, ensure future growth and responsibilities, and help you avoid costly lawsuits and fines.

2. Identify Risks

Risk = Vulnerability x Threat

In order to identify your risks, you must first identify your assets, and then the threats and vulnerabilities that can affect these assets. What wakes you up in the middle of the night? Are you worrying about the security of your Hardware, Software, Human Resources, Data, or Processes? After you have identified your assets, you have to identify the threats to those assets. Threats can be man-made or natural events, such as floods, earthquakes, or accidental or intentional acts, that take advantage of an asset’s flaws and can result in a loss of integrity, availability, or confidentiality. What are your assets’ vulnerabilities? A vulnerability is a known or unknown flaw or weakness in the asset that would result in loss of integrity, availability, or confidentiality, such as a lack of security awareness training or a lack of software support for a critical application.

3. Assess Risk Importance & Risk Likelihood

Now that you are aware of what your risks are, you can begin to assess the importance and likelihood of each event actually happening. What is the likelihood of this specific event having a negative effect on the asset? If it’s not likely, should we even worry about it? The likelihood of a risk can be expressed qualitatively (High, Medium, Low) or quantitatively (1, 2, 3, 4, 5). Determining the Risk Importance means determining what the impact on the business would be if the event has a negative effect on the asset.

4. Create a Risk Management Action Plan

Based on your complete analysis of which assets are important to your business and the threats and vulnerabilities that are likely to negatively affect those assets, you must develop control recommendations to either mitigate, transfer, accept, or avoid the risk. Creating your Risk Management Action Plan can look like a number of things. Your control recommendations could be to get a spare part, cross train employees, or create new policies and procedures.

5. Implement a Risk Management Plan

After you’ve developed a plan to manage your risks and determined what you’re going to do and how you’re going to do it, it’s time to implement these controls. This won’t necessarily be an overnight process, but you should now have developed an effective way to identify and manage your risks. The final step of mastering a Risk Assessment is knowing that in order to constantly monitor and manage your risks, you must return to Step 1.
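As an added illustration of Steps 2 through 4 (not part of the original article), the following Python builds a small risk register, scores each entry as likelihood x impact on the article's 1-to-5 scale, bands the result as High/Medium/Low and ranks it into an action plan. The band thresholds, the default treatment per band and the sample register entries are all assumptions constructed for this example.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Risk:
    """One row of a risk register: an asset, a threat to it, and the flaw the threat exploits."""
    asset: str
    threat: str
    vulnerability: str
    likelihood: int  # 1 (rare) .. 5 (almost certain), the article's numeric scale
    impact: int      # 1 (negligible) .. 5 (severe); the article's "risk importance"


def score(risk: Risk) -> int:
    """Risk score = likelihood x impact, giving 1..25 on the 1-to-5 scale."""
    for value in (risk.likelihood, risk.impact):
        if not 1 <= value <= 5:
            raise ValueError("likelihood and impact must be integers from 1 to 5")
    return risk.likelihood * risk.impact


def rating(score_value: int) -> str:
    """Map a 1..25 score to High/Medium/Low bands (thresholds are assumed, not from the article)."""
    if score_value >= 15:
        return "High"
    if score_value >= 8:
        return "Medium"
    return "Low"


# Assumed default treatment per band; the article lists mitigate, transfer, accept and avoid.
DEFAULT_TREATMENT = {"High": "mitigate", "Medium": "mitigate or transfer", "Low": "accept"}


def build_action_plan(register: List[Risk]) -> List[Tuple[str, str, int, str, str]]:
    """Rank the register by score, highest first, and attach a band and default treatment."""
    ranked = sorted(register, key=score, reverse=True)
    return [(r.asset, r.threat, score(r), rating(score(r)), DEFAULT_TREATMENT[rating(score(r))])
            for r in ranked]


# Constructed sample register for illustration only.
SAMPLE_REGISTER = [
    Risk("Patient database", "External attacker exfiltrates records", "Unsupported critical application", 4, 5),
    Risk("Primary data center", "Flood", "Single site with no off-site backup", 2, 5),
    Risk("Help desk staff", "Phishing email", "No security awareness training", 5, 3),
    Risk("Core switch", "Hardware failure", "No spare part on hand", 3, 2),
]

if __name__ == "__main__":
    for asset, threat, s, band, action in build_action_plan(SAMPLE_REGISTER):
        print(f"{s:>2} {band:<6} {action:<22} {asset}: {threat}")
```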

For help with conducting your Risk Assessment, contact us today or get started by filling out the form below to download our free Risk Assessment Spreadsheet.

It’s Data Privacy Day!

Did you know it’s National Data Privacy Day? That’s right, Data Privacy is so important these days it gets its own national holiday. Here at KirkpatrickPrice, we highly value the privacy of our clients’ data and encourage them to educate their own employees about practicing security awareness in the workplace, as well as at home. Already in 2015 we are seeing security breaches daily in the headlines. What better day than Data Privacy Day to address the question,

“Are we doing everything we can to avoid a security breach at our organization?”

Today we are encouraging everyone to ask themselves that question. That’s why KirkpatrickPrice is excited to celebrate with you in this year’s Data Privacy Day by offering exclusive access to our Online Security Awareness Training Solution. Check out our current Security Awareness Training rates below, and call today to setup your demo training account. Let’s make 2015 our strongest year yet!
