
Healthcare Information Security Assessment Services

Ensure HIPAA Security Rule Compliance and Minimize Risk of HITECH Act Data Breach Notification

HEALTHCARE INFORMATION SECURITY ASSESSMENT SERVICES

Which Redspin Information Security Assessment services address healthcare / health IT risks?
  • HIPAA Security Assessment — Provides HIPAA Security Rule gap analysis and recommends compliance strategies.
  • External Network Security Assessment — Perform a penetration test to determine if someone can access your health IT systems via the Internet.
  • Web Application Security Assessment — Ensure Internet accessible hosted ePHI is secure.
  • Social Engineering Security Assessment — Test if your employees can be easily manipulated into disclosing access information or ePHI.

How can Redspin ensure HIPAA compliance and reduce HITECH Act risk in a cost-effective manner?
Redspin’s HIPAA Security Assessment uses a top-down, risk-based approach to identify the key gaps between your environment and the HIPAA Security Rule standards, and provides detailed recommendations that lay out a roadmap of cost-effective mitigation and remediation measures. As your objective information security partner, we present detailed and actionable recommendations that allow customers to reduce risk, maintain compliance and increase the value of their business unit and IT portfolios. Our findings often include process improvements, minor configuration changes or architectural updates that reduce the workload of your already over-taxed IT staff.

What are the objectives of Redspin's HIPAA Security Assessment?
  • Perform a gap analysis to the standards defined in the Security Rule of the Administrative Provisions in Title II of HIPAA.
  • Provide a “fresh set of information security eyes” to review infrastructure and policies and procedures.
  • Deliver benchmarks to help compare your Information Security Program to your peers.

What questions do these services answer?
  • Are we in compliance with the HIPAA Security Rule?
  • Do we have a high risk of a data breach of Electronic Protected Health Information (ePHI)?
  • Can a hacker access our internal data / systems from the Internet?
  • Where should we focus our resources to protect ourselves from a data breach?
  • Is the equipment we've purchased being used effectively?

What do the HIPAA Security Rule and the HITECH Act mean for my information security program?
With the passage of HITECH, the pace of HIPAA Security Rule (Rule) compliance requirements is accelerating and security risk is increasing, because HITECH is:
  • Expanding the class of entities covered under the Rule,
  • Accelerating the adoption of electronic health records (EHRs) through incentives (and penalties), and
  • Raising the impact of an incident through breach notification requirements.
Formalizing your security management program is a requirement to address these market factors; understanding your risk profile through a security assessment is a fundamental element in all security programs.
Testimonials
"We respect the importance of PHI security in our organization. We hired Redspin because they understand the needs of a busy organization with limited resources. Redspin by far offered a technically strong, risk based assessment approach. And having a second set of eyes on our network by a team with great credentials helps me to sleep better at night and makes it easier to meet HIPAA compliance."
–Health Fitness Corporation (Dimitrios Dimoulakis, IT Manager)
What Assessment Scope Addresses the HIPAA Security Rule?
The diagram below maps the specific HIPAA Security Rule Standards to functional assessment categories.
Healthcare HIPAA Network Security Diagram
What are some specific examples of the types of questions you try to answer in a HIPAA Information Security Assessment?
Below is a sampling of tasks involved in a HIPAA Information Security Assessment. While this is only a partial list, it provides some insight into the scope of a comprehensive assessment.
HIPAA INFORMATION SECURITY ASSESSMENT QUESTIONS

Business Associate Oversight
Service Provider Due Diligence
  • Have all business associates who have access to ePHI been identified and documented?
  • If a healthcare clearinghouse is part of a larger organization, has the clearinghouse implemented policies and procedures to protect its electronic protected health information from unauthorized access by the larger organization?

Business Continuity
Continuity Plan
  • Has the criticality of ePHI applications and their supporting infrastructure been defined and documented?
  • Have procedures to create, maintain, and restore exact copies of ePHI been established?

Data Security
Handling and Storage
  • Is all sensitive information stored on portable media, such as laptops, adequately protected?
Transit
  • How is backup media stored and protected while being transferred to the off-site backup location?
Disposal
  • Do you destroy ePHI securely?

Information Security Program
Risk Management
  • Have the security measures identified during the Risk Assessment been sufficiently implemented to reduce risks to a reasonable and appropriate level?
  • Have periodic technical and non-technical evaluations taken place, based initially upon the standards implemented under this Rule and subsequently in response to environmental or operational changes affecting the security of ePHI?
Incident Detection and Response
  • Have policies and procedures been put in place to identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes?
  • Is there a formal process in place to address system misuse, abuse, and fraudulent activity?

Network Analysis
Architecture
  • Are all systems in their appropriate security domain?
Access Control
  • Are all firewalls configured the way you think they are configured?
Device Management
  • Are network devices following best-practice hardening procedures?
Event Management
  • Are all critical network devices logging the necessary security events?

Personnel Security
Workforce Policies and Procedures
  • Are procedures in place to authorize and manage access for employees who must work with ePHI?
  • Has a security awareness and training program for all members of the workforce (including management) been implemented, including periodic security updates?

Physical Security
Data Center
  • Is access to and from the data center logged?
Environmental
  • Are there uninterruptible power supply (UPS) devices covering all the necessary equipment?
Facilities
  • Are adequate safeguards in place to physically protect workstations that can access ePHI?

System Analysis
Access Control
  • Can users inadvertently download and spread a virus on the internal network?
Account Policies
  • Are unique names and/or numbers assigned for identifying and tracking user identity on all electronic information systems that process ePHI?
Event Management
  • Is the necessary logging enabled for critical systems and saved to a central repository?
System Hardening
  • How many of your critical servers are using default passwords?
Patch Management
  • What will happen if a user downloads a malicious Adobe Acrobat file?
©2009 Redspin, Inc. | Privacy Policy