More than 700,000 hospitals, emergency medical clinics, dental offices, nursing homes and other health-related entities are required by law to have a specialized IT risk assessment performed to satisfy the requirements of HIPAA – The Health Insurance Portability and Accountability Act.
So, too, are an estimated 2 million other companies that do business with these entities, including IT service providers, shredding companies, documents storage companies, attorneys, accountants, collections agencies, and many others. Many of these companies and organizations are not even aware of this legal requirement!
Utilising our knowledge, tools, and best practices, we can help you meet compliance by offering the following services:
HIPAA Assessment & Remediation
On a fixed cost project basis, we will scan your network, measure it against HIPAA best practices and create a Risk Score Matrix.
The Risk Score Matrix prioritises the work to be done by potential impact to the business and likelihood of occurrence, so that the issues carrying the highest risk, and the highest fines, are addressed first.
Managed Compliance Service
Organisations are not static, nor are their networks. New computers, software, mobile devices, equipment and files are continually being added to the network throughout the year. And even with a relatively stable IT environment, most organisations’ employees come and go, and change positions within the organisation at a regular rate. The HIPAA assessment you perform today has a “shelf-life.” How long that is really depends on a number of factors, including the type of business, the size of the organisation, and the speed of change.
Best practice is to have a HIPAA assessment performed at some regular interval (but no less than once a year as required by law) to ensure that the organization is not only compliant at the time of the Risk Analysis – or upon completion of the follow-on remediation project – but that it REMAINS compliant at all times.
After your initial assessment and remediation project is complete, we will set up a schedule of periodic re-assessments, which we call Monthly Risk Profiles, to ensure continued on-going compliance.
Some of the reports that we will generate are:
HIPAA Policies & Procedures. The Policies and Procedures are the best practices that our industry experts have formulated to comply with the technical requirements of the HIPAA Security Rule. The policies spell out what your organisation will do, while the procedures detail how you will do it. In the event of an audit, the first thing an auditor will inspect is the Policies and Procedures documentation. This is more than a suggested way of doing business. The Policies and Procedures have been carefully thought out and vetted, referencing specific code sections in the Security Rule and supported by the other reports included with the HIPAA Compliance module.
HIPAA Risk Analysis. HIPAA is a risk-based security framework, and the production of a Risk Analysis is one of the primary requirements of the HIPAA Security Rule’s Administrative Safeguards. In fact, a Risk Analysis is the foundation for the entire security program. It identifies the locations of electronic Protected Health Information (ePHI), vulnerabilities to the security of the data, threats that might act on the vulnerabilities, and estimates both the likelihood and the impact of a threat acting on a vulnerability. The Risk Analysis helps HIPAA Covered Entities and Business Associates identify the locations of their protected data and how the data moves within, and in and out of, the organisation. It identifies what protections are in place and where there is a need for more. The Risk Analysis results in a list of items that must be remediated to ensure the security and confidentiality of ePHI. The value of a Risk Analysis cannot be overstated. Every major data breach enforcement action under HIPAA, some with penalties over $1 million, has cited the absence of, or an ineffective, Risk Analysis as the underlying cause of the data breach. The Risk Analysis must be run or updated at least annually, and more often if anything significant changes that could affect ePHI.
HIPAA Risk Profile. A Risk Analysis should be done no less than once a year. However, we have created an abbreviated version of the Risk Analysis called the HIPAA Risk Profile designed to provide interim reporting in a streamlined and almost completely automated manner. Whether performed monthly or quarterly, the Risk Profile updates the Risk Analysis and documents progress in addressing previously identified risks, and finds new ones that may have otherwise been missed and resulted in a data breach.
HIPAA Management Plan. Based on the findings in the Risk Analysis, the organization must create a Risk Management Plan with tasks required to minimize, avoid, or respond to risks. Beyond gathering information, Network Detective provides a risk scoring matrix that an organization can use to prioritize risks and appropriately allocate money and resources and ensure that issues identified are issues solved. The Risk Management plan defines the strategies and tactics the organization will use to address its risks.
Evidence of HIPAA Compliance. Just performing HIPAA-compliant tasks is not enough. Audits and investigations require evidence that compliant tasks have been carried out and completed. Documentation must be kept for six years. The Evidence of Compliance includes log-in files, patch analysis, user & computer information, and other source material to support your compliance activities. When all is said and done, the proof of proper documentation is its accessibility and the level of detail needed to satisfy an auditor or investigator, both of which this report provides.
External Network Vulnerability Scan. Detailed reports showing security holes, warnings, and informational items, including CVSS scores, as scanned from outside the target network. External vulnerabilities could allow a malicious attacker access to the internal network.
HIPAA Compliance PowerPoint. Use our generated PowerPoint presentation as a basis for conducting a meeting presenting your findings from Network Detective. General summary information and the risk and issue scores are presented along with specific issue recommendations and next steps.
HIPAA On-Site Survey. The On-site Survey is an extensive list of questions about physical and technical security that cannot be gathered automatically. The survey includes questions ranging from how facility doors are locked and how faxes are managed to firewall information and whether servers are on-site, in a data centre, or in the Cloud.
Disk Encryption Report. Encryption is such an effective tool for protecting data that if an encrypted device is lost, the loss does not have to be reported as a data breach. The Disk Encryption Report identifies each drive and volume across the network, whether it is fixed or removable, and whether encryption is active.
File Scan Report. The underlying cause identified for many data breaches is that the organisation did not know that protected data was stored on a device that was lost or stolen. After a breach of 4 million patient records a hospital executive said, “Based on our policies that data should not have been on those systems.” The File Scan Report identifies data files stored on computers, servers, and storage devices. It does not read the files or access them, but just looks at the title and file type. This report is useful to identify local data files that may not be protected. Based on this information the risk of a breach could be avoided if the data was moved to a more secure location, or mitigated by encrypting the device to protect the data and avoid a data breach investigation.
User Identification Worksheet. The User Identification Worksheet takes the list of users gathered by the Data Collector and lets you identify whether each is an employee or a vendor. Users who should have been terminated, and should have had their access terminated, can also be identified. This is an effective tool for determining whether unauthorised users have access to protected information. It is also a good indicator of how diligently the organisation disables access for terminated employees and vendors. Another benefit is that you can review the user list to identify generic logins, such as Nurse, Billing Office, etc., which are not allowed by HIPAA since each user is required to be uniquely identified. To save time the system allows you to enter default settings for all users and just change some as needed.
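As an added illustration of the three checks this worksheet supports (generic shared logins, terminated owners still enabled, and idle enabled accounts), here is example code that is not part of Network Detective or the original page; the user records, their field names and the generic-login list are constructed assumptions:

```python
import re
from datetime import date

# Constructed sample user list (not Data Collector output); field names are assumptions.
SAMPLE_USERS = [
    {"login": "jsmith",         "enabled": True,  "last_logon": "2024-03-01", "owner": "employee"},
    {"login": "Nurse",          "enabled": True,  "last_logon": "2024-03-02", "owner": "employee"},
    {"login": "Billing Office", "enabled": True,  "last_logon": "2024-02-20", "owner": "employee"},
    {"login": "mjones",         "enabled": True,  "last_logon": "2023-09-10", "owner": "terminated"},
    {"login": "vendor-acme",    "enabled": True,  "last_logon": "2023-11-01", "owner": "vendor"},
    {"login": "tlee",           "enabled": False, "last_logon": "2023-01-01", "owner": "terminated"},
]

# Role or department names that identify a shared login rather than one person (assumed list).
GENERIC_LOGINS = {"nurse", "billing", "billingoffice", "frontdesk", "reception", "scanner", "admin"}

GENERIC = "generic shared login (HIPAA requires each user to be uniquely identified)"
TERMINATED = "owner terminated but account still enabled"
STALE = "enabled account with no logon inside the review window"


def normalise(login: str) -> str:
    """Collapse case, spaces and punctuation so 'Billing Office' matches 'billingoffice'."""
    return re.sub(r"[^a-z0-9]", "", login.lower())


def audit_users(users, as_of: str, stale_days: int = 90) -> dict:
    """Return {login: [reasons]} for every account that needs a human decision."""
    review_date = date.fromisoformat(as_of)
    issues = {}
    for u in users:
        reasons = []
        if normalise(u["login"]) in GENERIC_LOGINS:
            reasons.append(GENERIC)
        if u["enabled"] and u["owner"] == "terminated":
            reasons.append(TERMINATED)
        idle_days = (review_date - date.fromisoformat(u["last_logon"])).days
        if u["enabled"] and idle_days > stale_days:
            reasons.append(STALE)
        if reasons:
            issues[u["login"]] = reasons
    return issues


if __name__ == "__main__":
    for login, reasons in audit_users(SAMPLE_USERS, "2024-03-15").items():
        print(f"{login}: {'; '.join(reasons)}")
```

Disabled accounts are deliberately left out of the idle and terminated checks, since the worksheet's concern is live access to ePHI.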
Computer Identification Worksheet. The Computer Identification Worksheet takes the list of computers gathered by the Data Collector and lets you identify those that store or access ePHI. This is an effective tool in developing data management strategies including secure storage and encryption. To save time the system allows you to enter default settings for all computers and just change some as needed.
Network Share Identification Worksheet. The Network Share Identification Worksheet takes the list of network shares gathered by the Data Collector and lets you identify those that store or access ePHI. This is an effective tool in developing data management strategies including secure storage and encryption. To save time the system allows you to enter default settings for all network shares and just change some as needed.
HIPAA Supporting Worksheets. A set of individual documents is provided to show detailed information and the raw data that backs up the Evidence of Compliance. These include the various interviews and worksheets, as well as detailed data collections on shares and login analysis.