Protect your staff, customers and patients from loss of protected health information
Healthcare service providers have become key targets of identity theft crime because of the depth of personal, demographic, and financial information they collect on patients. Cyber criminals and malicious hackers mount targeted attacks to steal unsecured electronic protected health information (PHI) so it can be sold to the highest bidder for use in identity theft schemes. PHI is individually identifiable health information and includes items such as the patient's name, address, e-mail address, birth date, Social Security number, employee number, claim number and health plan beneficiary number.
Healthcare service providers are required to be increasingly vigilant in protecting data transmitted on both wired and wireless systems, including healthcare plan enrollment systems, e-prescription kiosks, electronic health record (EHR) devices, health information exchange (HIE) networks, and back office databases. Stolen personal data leads to significant legal liability and costs for everyone affected, from healthcare service providers to the victims of stolen identities. Data breaches of PHI can cause tremendous hardship for patients, who may then struggle for years to recover from identity theft. One insurer estimated that the August 2009 loss of just 38,000 patient records from the Naval Hospital Pensacola will cost the hospital approximately $6 million. Healthcare service providers found responsible for data breaches also suffer a loss of reputation that may drive patients away from their services.
To protect the privacy and integrity of personal records, IT security administrators at healthcare organizations need to keep watch for vulnerabilities that could allow unauthorized users to access private information. They also need to document HIPAA security compliance. Manual security auditing processes are not comprehensive and take too long to complete to protect the organization from exposure to viruses, worms, or hackers looking to steal personal information. Automating your security audits and speeding up the remediation process lets you secure your networked environment more effectively.
Security standards for Healthcare Services
The Health Insurance Portability and Accountability Act (HIPAA) is a federally mandated law that was created to confront the rising number of incidents of stolen PHI. The Health Information Technology for Economic and Clinical Health (HITECH) Act strengthens HIPAA requirements, particularly by raising the financial penalties incurred by HIPAA violators. HIPAA mandates that all covered entities establish appropriate administrative, technical, and physical safeguards to protect the privacy and security of sensitive health information. Covered entities include providers, health plans, clearinghouses, and their business associates. To be compliant with HIPAA, health-related institutions must employ procedures that protect against the disclosure of an individual's personal health information, ensuring the privacy and security of that information as it is collected, processed and transferred to other health organizations. The Administrative Simplification (AS) provisions of HIPAA cover both the security and the privacy of electronic health data, and include the Security Rule. To achieve HIPAA compliance, covered entities must demonstrate adherence to the Security Rule, which mandates protection of all electronic PHI created, received, maintained, or transmitted by any covered entity. Healthcare service providers who fail to protect PHI are subject to serious financial repercussions. The HITECH Act permits state attorney general's offices to pursue civil charges on behalf of victims, in addition to fines for HIPAA violators of up to $1.5 million per year.
Building a secure network and maintaining a vulnerability management program are necessary prerequisites for ensuring HIPAA compliance. To protect the privacy and integrity of PHI, security administrators at healthcare organizations need to scan systems for vulnerabilities that put them at risk of unauthorized access. Healthcare organizations also need to document HIPAA security compliance, train employees on privacy measures, appoint someone to oversee privacy initiatives, implement measures to secure the storage of and access to patient records, and automate audits. Manual security auditing processes are not comprehensive enough and take far too long to complete. Automating security measures enables faster notification of exposures and quicker remediation, so that systems can be secured against unauthorized access to PHI and kept HIPAA compliant.
How NopSec Helps
NopSec helps organizations that handle sensitive patient information achieve HIPAA compliance, including medical schools, hospitals and their business associates, private labs, and insurance companies. NopSec has extensive experience partnering with healthcare service providers to help them navigate the complex regulatory environment of the health sector. NopSec's solutions for healthcare services meet the Protected Health Information (PHI) safeguards required to achieve HIPAA compliance in accordance with the relevant sections, §164.308 to §164.316, of the HIPAA Security Rule. Here's how NopSec prepares you for a HIPAA audit while providing sound vulnerability management practices that ensure your entire infrastructure is protected from intruders: