One Article Review

Home - The article:
Source AlienVault Blog
Identifier 942960
Publication date 2018-12-11 14:00:00 (viewed: 2018-12-12 22:02:40)
Title A HIPAA Compliance Checklist
Text Five steps to ensuring the protection of patient data and ongoing risk management.

Maintaining security and compliance with HIPAA, the Health Insurance Portability and Accountability Act, is growing ever more challenging. The networks that house protected health information (PHI or ePHI) are becoming larger and more complex — especially as organizations move data to the cloud. At the same time, security professionals are faced with an evolving threat landscape of increasingly sophisticated threat actors and methods of attack. For example, 2018 threat intelligence research by AlienVault Labs reports a rise in the number of targeted ransomware attacks in the healthcare sector. These attacks are often backed by organized criminals who see opportunities for making money from health care providers and other similar entities who must protect and keep assets, systems, and networks continuously operating. One such criminal group operating the SamSam ransomware is thought to have earned more than $5 million by manually compromising critical healthcare networks. And, according to AlienVault Labs, the methods used by SamSam are more akin to a targeted attack than typical opportunistic ransomware.

To help address these security challenges and ensure adherence to compliance mandates, security and IT professionals should consider how people, processes, and technology can be used together to create a holistic IT security compliance program that simplifies preparation, auditing and reporting, as well as ongoing security risk management and breach monitoring and response. Here’s a five-step HIPAA compliance checklist to get started.

Certification and Ongoing HIPAA Compliance

HIPAA sets the standard for protecting sensitive patient data. Any entity that deals with protected health information must ensure that all the required physical, network, and process security measures are in place and followed.

In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act was adopted to promote the “meaningful use of health information technology” and address the privacy and security concerns associated with the electronic transmission of health information. Although there is no standard or implementation specification that requires a covered entity to “certify” compliance, the evaluation standard § 164.308(a)(8) requires covered entities to perform ongoing technical and non-technical evaluations that establish the extent to which their security policies and procedures meet the security requirements. Evaluations can be performed and documented internally or by an external organization that provides evaluation or “certification” services. However, HITECH requires the HHS Office for Civil Rights (OCR) to conduct periodic audits of covered entities and business associates for compliance with the HIPAA Privacy, Security, and Breach Notification Rules.

Step 1: Start with a comprehensive risk assessment and gap analysis

Your compliance strategy should start with a solid foundation, which is why the first step in your journey to HIPAA compliance should be a readiness assessment that includes a comprehensive risk and compliance analysis of your electronic health record (EHR) environment. This assessment is often best done by a third party with expertise in healthcare security and compliance, as HIPAA regulations can be confusing and cumbersome. Using a third party with
Sent Yes
Tags Vulnerability Threat


The article does not appear to have been picked up after its publication.


The article does not appear to have been picked up from an earlier one.