What you need to know about HIPAA Compliance
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the Health Information Technology for Economic and Clinical Health Act of 2009 (HITECH) are national standards put into place to: 1) protect the privacy of personally identifiable heath information, 2) secure personally identifiable health information stored and/or transmitted electronically, and 3) promote the meaningful use of health information technology. As of September 23, 2013, compliance with these standards will be mandatory for all applicable healthcare entities AND their third-party vendors. Failure to comply with these standards can result in both civil and criminal penalties.
Do you know if you and your third-party vendors are HIPAA compliant? Do you need some help finding out?
Thankfully, RJS Smart Security provides healthcare organizations and their business associates with a comprehensive evaluation of their protected health information and data environment with a HIPAA assessment. RJS follows the emerging Penetration Test Execution Standard (PTES) as the model for these assessments.
HIPAA Compliance with RJS Smart Security
Our HIPAA assessment focuses on HIPAA regulations for companies who may or may not be facing an audit. During this engagement, we look at the following:
Compliance is not the same as security. Compliance defines the bare minimum needed to protect specific data types or industries. This engagement identifies lean ways to meet HIPAA requirements so that your business still has resources for security.
Strategy is perhaps the most critical security task, as well as the least used. A strategy engagement identifies what HIPAA compliance pieces you already have, what you need and how to get there. Several risk assessment methodologies are available to guide us in crafting a security plan that ideally fits your health care business.
Policies and Procedures review the body of written controls that are currently in use and assess how well they are being followed. Policies often age as technology improves and procedures are followed poorly as they lose applicability.
And, depending on the scope of your engagement, we also examine:
Network Vulnerability involves scanning your network to identify the operating systems and applications in use. Older applications are a common vector in successful attacks, but these flaws can only be addressed if you know they exist.
Web Vulnerability focuses on the many common problems found in web applications, such as SQL injections looking to steal or alter data, scripting to exploit users or weak configurations.
Data Analysis identifies the documents and databases an organization is storing and the risks resulting from possible data leakage. This analysis helps you determine ways to centralize storage and eliminate the unnecessary.
A Success Story
Healthcare Services Provider*
A medical services company had grown by acquisition and upon examination of their network infrastructure, an increasing number of legacy applications were cause for mounting concern. With fewer people on staff who knew how they functioned, it was increasingly difficult to maintain their security and comply with the regulations of HIPAA and HITECH.
To help simplify the process of application management while working within a tight budget, the company hired RJS to review one legacy application each quarter. In the short term, this approach helps the firm meet their Business Associate requirements. In the long term, the newly-built applications can be maintained at a lower cost.
* The company name has been kept anonymous due to the sensitivity of the work performed.
A client shows that Macs are not as safe as you think
A common misconception among Mac users is that their Apple products are immune from malware and security issues often seen in Microsoft products. A decade ago, this was pretty much true. Mac OS had a streamlined approach to security that was difficult to crack, but more importantly, Apple users were massively dwarfed by Microsoft and weren’t worth the time to target. Hackers wanted the easy score, not something they actually had to work at. Unfortunately, many Mac users still believe they’re impervious to threats, but they are ignoring two major changes in the computer landscape.
1) After years of abuse, and rightfully so, Microsoft has now surpassed Apple in terms of protection. Since the Windows Vista introduction in 2007, their OS has employed ”address space layout randomisation (ASLR) which is implemented so as to obscure most of what an attacker needs to conduct, for example, shell code injection attacks.” Despite acquiring ASLR in 2007, Mac OS has yet to implement this same degree of protection.
2) Apple has seen fabulous growth in the personal computer market. In 2003, Apple had just 2.06% of the desktop computer market. Just five years later, that number was at 14% and has now diversified further with the advent of the hugely popular iPhone and iPad. Not surprisingly, Mac OS malware has grown in excess of 200% in the last three years!
Unfortunately, many companies are ignorant to this environmental shift and still assume their Macs are as secure as ever. Take for instance an advertising agency we recently consulted with. This agency employs over 50 individuals and boasts several Fortune 500 accounts. Like many ad firms, Macs are their computer of choice.
Recently, one of their biggest clients had a security breach that originated from the agency office. The agency and client shared a portal where they frequently transferred images, files and documents. Besieged by a nasty piece of malware, the portal was rendered unusable.
What the agency didn’t realize is their Mac computers were hosting Windows-based malware. While the malware had zero effect on their Mac computers, it ran amok on the client’s Microsoft desktops after it was unknowingly transferred through the portal. This issue is prevalent in many Mac environments. According to Sophos, “A 100,000 strong snapshot of the millions of Mac computers which have recently downloaded Sophos’s free Mac anti-virus software, revealed that 20% of Mac computers were carrying one or more instances of Windows malware.”
Needless to say, if the agency realized that their fleet of Mac computers weren’t secure and at the very least invested in Sophos’ free Mac anti-virus software, this entire scenario would have never happened. If you are a Mac user or your company runs a Mac-based operation, please do us all a favor and download the aforementioned free anti-virus software. And if you really want to make sure all your bases are covered, give us a buzz and we’ll set you up with a free security review as well.
Sophos Apple Resources:
Download Sophos’ free Mac anti-virus software.
1 in 5 Macs has malware on it. Does yours?
Are Macs safer than PCs?
Sophos + Assessments = Success!
While we prefer to keep our success stories anonymous for security reasons, we still like to share with you these positive experiences as you may identify with these problems and ultimately, their solutions.
We recently completed a project with a Minnesota-based healthcare company who needed consulting advice and an upgraded product. They specifically asked for our security expertise on two projects: 1) their anti-virus solution was not effective and difficult to manage and 2) they needed to make sure they were HIPAA compliant.
To combat the first issue, we implemented Sophos Anti-Virus because of its excellent overall protection. We especially like this product because it provides ease-of-management for network administrators of all skill levels, as well as intuitive control for devices and data.
For the second issue, we conducted an internal resource audit as well as vulnerability assessments for their network and web portal. In these assessments, numerous patch management issues were discovered. The customer was able to effectively eliminate the security holes and address future compliance policies with our simple step-by-step remediation report.
Each customer we work with is unique, but if you’re in the healthcare industry and have worries regarding HIPAA, we have a firm grasp of the often confusing rules. We’re happy to offer you a free one-hour security review that will assist you in learning whether you are HIPAA-compliant or could use a little help.