Tips for Securing Healthcare Data

It’s one thing to suffer one data breach – there is room to recover. Will Anthem survive a second breach? Don’t let this happen to you. With the Anthem breach still on the forefront of everyone’s minds, as well as the upcoming supervision from the OCR and the new phase of HIPAA audits, we have put together some tips to help get you thinking about what you can do now to better secure your healthcare data.

  1. Control PHI Workflow – Do you know where your healthcare data is? Do you have proper permissions in place to control access to your data? Is it encrypted? Healthcare data should always be encrypted both at rest and in transit to keep sensitive data from falling into the wrong hands or being compromised. Your organization needs to know where its data lives, where it travels, and how it travels – at all times.
  2. Strong Passwords – This seems like a no-brainer; however, it's easy to get caught up in the convenience of a weak password, or of reusing the same password for multiple purposes. The longer the password, the better. Strong passwords should be at least 8 characters long, with a mix of capitalization, numbers, and punctuation. Two-factor authentication is an even stronger way to ensure that only the people who are allowed access actually have access.
  3. Vendor Management – HIPAA laws mandate that you have done your due diligence to ensure that not only are you HIPAA compliant, but that your vendors who also have access to your PHI are compliant. A signed Business Associates Agreement alone isn't enough. You can no longer outsource this risk; you must manage it. This means vendor management must be a priority when considering the safety and security of the PHI for which you are responsible. Do you know who your vendors are? Do you have documentation showing you've reviewed that they are compliant with industry regulations? These are questions you must be able to answer.
  4. Policies and Procedures – Are you aware of the policies and procedures that are in place to protect healthcare information and comply with HIPAA laws? Employees should be required to demonstrate that they acknowledge, understand, and follow all policies and procedures. Those policies are there to help you, and understanding why a particular policy or procedure is in place could make the difference in saving your organization from a data breach.
  5. Security Awareness Training – The security tone set from the top is the most important step, in any organization, in ensuring that everyone is on the same page about PHI security. It's important to educate all employees, in every part of your organization, on HIPAA compliance and why it matters.
  6. Annual External and Internal Penetration Testing – Network and application security is critical to your organization. Performing annual penetration tests is a strategic way to identify weaknesses and vulnerabilities in your organization's security before someone else does.

Are you confident that you are doing everything you can to ensure the security of your PHI and your compliance with HIPAA laws? Email me at with any questions about strengthening the compliance controls at your organization, or if you’re in need of a third-party validation of your compliance.

Survey’s Out, Most Common PCI Gaps Revealed

It's becoming more obvious every day that enhanced security is needed. As the security landscape changes, the threats to our sensitive data become more serious, and as a result the controls we put in place have gotten stronger. We see a new data breach in the headlines on an increasingly regular basis, and criminals frequently target cardholder data specifically. The PCI Data Security Standard (PCI DSS) was developed to encourage and enhance cardholder data security and keep this sensitive data uncompromised. PCI DSS applies to all organizations and merchants that accept, transmit, or store any cardholder data.

Full compliance with the new requirements of the revised standard, PCI DSS v3.0, became mandatory on January 1st of this year. The new version of the standard focuses on higher-risk areas in the threat environment, a greater understanding of the purpose of each requirement and how to apply it, increased clarity of the requirements, and alignment with changes in industry best practices.

As a PCI Qualified Security Assessor, we find that obtaining and maintaining a compliant PCI environment is challenging. We surveyed our QSA team, and the most common PCI gaps reported by far were:

  • Poorly managed firewalls
  • Inadequate policies and procedures
  • Lack of documented system configuration standards
  • No penetration testing and/or vulnerability scanning
  • A formal, annual Risk Assessment is not performed
  • Inadequate encryption key management
  • Undocumented application development standards
  • No formal Security Awareness Training program
  • Audit and security event logs are not enabled or monitored
  • File integrity monitoring is not performed
  • Background checks are not performed
  • Data flow of sensitive data is not documented
  • Incident response plans are not developed
  • Insecure remote access without two-factor authentication
  • Open wireless networks

Compliance does not guarantee security, but a secure environment is a compliant environment. After you've checked for these most common gaps, perform a Gap Analysis to determine the steps you need to take to reach your information security and compliance goals, based on the current state of your organization's security controls.

For more information about PCI Compliance or for help in performing a Gap Analysis or Self-Assessment, contact us today.

3 Things You Can Do to Avoid Being the Next Anthem Headline

The recent Anthem data breach is potentially the largest breach to date in the Healthcare space. When your CEO or your largest clients ask you what your plan is to prevent the same from happening to you, what are you going to tell them? Safeguarding Personally Identifiable Information (PII) is essential for avoiding a data breach. Here are three things you should do immediately to avoid a data breach:

  1. Advanced Penetration Testing – Performing an advanced external penetration test is a strategic way to identify weaknesses in network and application security the way an attacker would. Because new vulnerabilities emerge constantly, it is important to undergo regular penetration tests to maintain a secure network and find the gaps in your security before someone else does.
  2. Perform a Formal Risk Assessment – How will you know whether you're doing enough until you systematically identify the relevant risks? An organized, written risk assessment will identify what you need to be doing and what you don't need to be doing. The old adage is true: first make the plan, then work the plan.
  3. Assessment of all regulatory requirements for HIPAA – Perform a Gap Analysis against the HIPAA standards to see where you need to remediate in order to strengthen your information security.

Take the appropriate steps within your organization to make sure a data breach doesn’t happen to you. KirkpatrickPrice is uniquely qualified to help with all of these. Call us today at 800-770-2701 for immediate assistance in preventing a data breach at your organization or contact us today.

3 Reasons to Stop Hesitating and Complete your SSAE 16 Audit

With the compliance landscape rapidly changing, it's important to stay up to date with current standards to gain the trust and respect of your clients. If you've been considering an SSAE 16 Audit but keep putting it off, what are you waiting for? Here are 3 reasons to stop hesitating and start your SSAE 16 Audit today:

1. To gain a competitive advantage

Completing an SSAE 16 allows you to pursue clients that require an SSAE 16 report to meet their own regulatory requirements. They simply can't afford to work with an "at-risk" vendor. It also tells clients that you are serious about the controls and security of your organization. Engaging in an SSAE 16 Audit demonstrates that you have taken the initiative by hiring a third party to conduct the audit, which in turn formalizes your audit process.

2. It will mature your environment

By completing an SSAE 16 Audit, you put your organization ahead of the curve in maturing its controls. Management should choose to test employees and bring in outside services to help business processes mature. A review of your controls by an independent auditor can surface things you may have missed during your own assessment of risk. Catching these gaps can help your organization stay secure and current with security and compliance best practices, and can protect you from a loss of business or operability.

3. It will save you time and money

By being proactive about the security of your organization, you will save time and money by reducing the burden of questionnaires and site visits from your clients' auditors. If you don't already have a current report, you could face each client's auditors individually and repeat the same process over and over.

Don’t hesitate to begin your SSAE 16 Audit. For more information on whether or not an SSAE 16 is right for your business, contact us today or click here to download our FAQ about SSAE 16/SOC Audits.

Anthem Data Breach: Recent Hack Affects Millions

Joseph R. Swedish, CEO of Anthem Inc., one of the largest healthcare providers in the US, announced Wednesday that despite efforts to appropriately safeguard their information, they suffered a major cyberattack. This attack is said to have affected as many as 80 million people.

According to Anthem, this attack compromised both patient and employee information: names, birthdays, medical IDs, Social Security numbers, street addresses, email addresses, and employment and income information. Swedish said in a letter published on a website about their response to the incident, "Once the attack was discovered, Anthem immediately made every effort to close the security vulnerability, contacted the FBI, and began fully cooperating in the investigation." They have since taken measures to improve their security environment by fully evaluating their systems.

HIPAA laws mandate that you properly safeguard the Personally Identifiable Information (PII) that you collect, and data breaches such as this can often result in heavy fines. There are specific guidelines for protecting this information as well as for reporting a breach once it has been discovered. In too many cases, businesses scramble to pick up the pieces after a breach rather than already having a strong defense in place to protect the PII for which they are responsible. This is a scary time for the cyber world, and the discovery of this massive data breach should encourage us to continue improving and strengthening our security measures as the landscape evolves.

If you need help assessing your current security environment or need help developing your Incident Response Plan, call us today at 800-770-2701 for a free consultation.