We understand that in today’s world, cyber security is simply not an option; it is a mandate. Security helps to preserve citizen trust by mitigating the risk of unauthorized use or loss of sensitive information. Today’s increasingly interconnected Information Technology (IT) infrastructure is under the continual increasing threat of unauthorized access. As more and more sensitive citizen data is collected, stored, used, and shared each day, a strong security risk management approach is necessary to comply with the Federal, Internal Revenue Service (IRS), and other key regulatory statutes such as the Health Insurance Portability and Accountability Act (HIPAA). The increasing sophistication of cyber-attacks and publicized data breaches in the state sector further underscore the importance of a strong security posture and risk management approach.
In addition, increased enforcement and penalties resulting from the HITECH Act have caused many organizations to revisit their readiness to address the HIPAA Privacy and Security Rules as well as those changes proposed by the HITECH Act.
The following describes WeSecure’shigh level approach for undertaking anHIPAA assessment and security implementation project.
If you have answered “Yes” to any of these questions, it may be time to consider a HIPAA Assessment.
Low Level Approach
Like any healthcare organization in the industry, any healthcare organization would utilize information technology across all its operations to manage the patient, finance, personnel, vendor and customer data across multiple departments and locations. For such organization’s we provide leading services to conduct an enterprise wide HIPAA privacy and security assessment and audit to:
Phase One – Business Processes Prioritization and Application Inventory
This phase emphasizes on identifying the business processes and supporting applications that involve the collection, use, and storage of PHI in connection with thecorresponding client – lines of business (LOBs) and prioritize the business processes for the subsequent assessment and planning activities using the risk criteria approved by client management.
Phase Two – HIPAA Privacy and Security Assessment
For the selected high-risk business processes and supporting applications/systems, this phase focuses on assisting the client with the identification of potential control gaps that may exist in their business and IT, and operating environment by comparing organization’s existing business processes and privacy and security controls against the HIPAA Privacy and Security Rule requirements.
Phase Three – Remediation Plan Development
This phase concentrates on assistingthe organization with the development of remediation options and assembling remediation plans to address identified control gaps, including quantifying the timeline requirements for each remediation project, and designing a remediation roadmap considering individual project schedules and synergies with other projects.
Phase One: Business Processes Prioritization and Application Inventory
The purpose of this phase is to identify the business processes and applications that collect, use, or store PHI. These business processes and supporting applications currently exist within the organization’s lines of business. Key activities during this phase will include:
Key deliverables from Phase One will include an Excel spreadsheet capturing the current PHI business processes and application inventory.
Phase Two: HIPAA Privacy and Security Assessment
The purpose of this phase is to identify control gaps for the selected business processes and applications/systems by comparing organizations existing business processes and privacy and security controls against the HIPAA Privacy and Security Rule requirements. Key activities during this phase will include:
Key deliverables from Phase Two will include a detailed technical report capturing the current control practices and HIPAA privacy and security control gaps.
Phase Three: Remediation Plan Development
The purpose of this step is to develop remediation plans for privacy and security control gaps based on the results from the HIPAA Privacy and Security Rule Assessment. Key activities will include:
Key deliverables from Phase Three will include the Executive Summary report, HIPAA privacy and security remediation summary aligned against the HITRUST CSF, and a phased HIPAA privacy and security remediation roadmap.
From “HIPAA One” to the recent HITECH Act, EyeD has assisted clients to assist with their HIPAA privacy and security efforts. We had served major payer and provider organizations across multiple areas in their HIPAAassessment and other security audit programs.