Healthcare compliance

Health Insurance Portability and Accountability Act (HIPPA) Assessments

HIPAA was updated with the Health Information Technology for Economic and Clinical Health (HITECH) Act which provided rules for better defining protected healthcare data, affected parties, breach disclosure, penalties, and enforcement of penalties against Covered Entities and Business Associates. In 2013, the HIPPA “Omnibus Rule” was passed, solidifying numerous changes, including a review and modification of security measures to ensure the continued provision of “reasonable and appropriate” protection of Electronic Protected Health Information (e-PHI).

A large and growing number of covered entities such as healthcare providers and payers continue to use cloud services to process, store, and transmit e-PHI. The law and regulations extend the requirement to protect PHI to cloud service providers as “Business Associates” under certain business associate agreements (BAA).

As an option for your healthcare customers that need compliance reporting specific to HIPAA beyond the HIPAA/HITRUST mappings that can be provided in an enhanced SOC 2 report, Fortidm can provide a HIPAA attestation delivered as an AT 601 Compliance Attestation report. The AT 601 Compliance Attestation Report is a report that includes an opinion over management’s assertion that it complied with HIPAA requirements. The report draws an opinion about the controls in place and includes a list of the in scope HIPAA Security Rule. The Security Rule is located at 45 CFR Part 160 and Subparts A and C of Part 164. Further details of the Security Rule include:

• Administrative Procedures – security management process, assigned security responsibility, workforce security, information access management, security awareness and training, security incident procedures, contingency plan, evaluation, business associate contract and other arrangements.
• Physical Safeguards – facility access controls, workstation use, workstation security, device and media controls over hardware and software.
• Technical Safeguards – access control, unique user identification, emergency access procedures, automatic logoff, encryption and decryption, audit controls, integrity, mechanism to authenticate electronic protected health information, person or entity authentication, and transmission security.

Health Information Trust Alliance (HITRUST)

The HITRUST Common Security Framework (CSF) in their words is “a certifiable framework that provides organizations with comprehensive, flexible and efficient approach to regulatory compliance and risk management. Developed in collaboration with healthcare and information security professionals, the HITRUST CSF rationalizes healthcare-relevant regulations and standards into a single overarching security framework.” HITRUST CSF maps to other standards and regulations such as HIPAA, NIST, ISO, PCI, COBIT, and others. This includes a mapping to the SOC 2 reporting criteria. A SOC 2 for HITRUST is a complementary reporting option that service providers can use to demonstrate compliance to their healthcare customers.

GRC advisory and compliance services

To achieve an effective and integrated information security program requires a sustainable strategy, agile technology tools, and the support of subject matter professionals well versed in governance, risk, and compliance (GRC) programs.

The traditional triad of confidentiality, integrity, and availability (CIA) is still core to information security. However, business models and risks continue to evolve at a rapid pace that even the most nimble enterprises struggle to allocate the right level resources at the right time to varied information security risks. Sixty percent of the time, organizations are compromised within minutes, yet companies sometimes take weeks or months to discover a breach, according to the Verizon Data Breach Investigations Report. Such discrepancies aren’t an acceptable norm when the compromise impacts customers. Disparate processes and structures for managing risk and compliance can victimize organizations to failure.

Our GRC services help clients break down their silos and barriers. We streamline information security processes, eliminate manual efforts by leveraging the capabilities of automation, and provide monitoring capabilities to achieve enterprise assurance. Clients gain technical support to manage the GRC process, saving management time, reducing the risk of errors, and strengthening governance practices.

We also understand that effective GRC programs need to align with our clients culture and appetite to change. With this in mind, we offer an agile approach to GRC services by breaking down our services in the following competencies:

IT Governance

• On call and interim Chief Information Security Officer (CISO) services.
• Policy documentation and management.
• Technical standards and operational procedure documentation.
• Security training and awareness.
• Strategic planning and management.
• IT Governance Structure.
• Roles and responsibilities review.

IT Risk

• Risk assessments.
• Vendor risk management.
• Business continuity and disaster recovery.
• IT Asset management.

IT Compliance

• Compliance management including project managing internal and external audits.
• Internal assessments including audit readiness assessments and internal audt projects.
• Control consolidation and mapping to common standards (i.e., ISO 27001, NIST, COSO, COBIT, PCI, SOC, SOX and more).