When auditing healthcare organizations, the Department of Health and Human Services (HHS) found many providers struggling to follow HIPAA rules and manage risk. HIPAA violations are expensive, and a HIPAA gap assessment paired with penetration testing can help healthcare providers avert a costly crisis.
As recently as September 2017, HHS Office for Civil Rights (OCR) audits found:
This is untenable. While the HIPAA Journal suggests, "a few years ago, the risk of discovery of a HIPAA violation was relatively low," that's no longer the case. Patients know more, it's easier to file complaints, and the OCR is actively investigating.
Simultaneously, the risk to PHI is increasing. Cyberattacks are common in healthcare. According to a Healthcare IT News and HIMSS Analytics study, some 75% of "responding healthcare entities either were or could potentially have been targeted with a ransomware attack" in 2017.
Healthcare providers of every kind, from hospitals to physician offices, are frequent targets. Cyber criminals can't resist the wealth of information in healthcare records (Social Security numbers, insurance information, relationship data, and payment processing details).
A March 2019 review of the past six months of headlines at Healthsecurityit.com makes the point crystal clear:
In Q3 2018, healthcare was the top target for ransomware attacks, with ransom demands jumping to as much as $2.8 million, according to insurer Beazley.
Healthcare entities need to have their networks and systems locked down to facilitate HIPAA compliance and protect electronic PHI. The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires a documented risk analysis that evaluates the risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI, together with the security measures in place to protect it.
One approach is a vulnerability scan, a high-level, semi-automated test typically run quarterly or semi-annually as a cybersecurity checkup. Another is a HIPAA gap analysis, a high-level, narrow examination that checks "whether certain controls or safeguards required by the Security Rule are implemented," according to OCR. A gap analysis confirms that required safeguards exist; it does not test whether they hold up against an attacker.
But a HIPAA risk assessment or a HIPAA-protocol audit alone is not enough. That's why RedTeam Security Consulting has partnered with the Boulay Group on our newest service offering: a combined penetration test and HIPAA gap assessment. Boulay's certified technical professionals advise on information security and technology risk, and we build on the foundation their work provides. HIPAA penetration testing goes further: cybersecurity experts actively try to exploit the vulnerabilities they find in healthcare environments and gain network access. After all, maintaining compliance and ensuring healthcare data security depends on:
Penetration testers dig deeper, using the same automated and manual approaches a motivated attacker would use to compromise personnel, physical premises, networks, and IT assets.
To put the difference in medical terms: an annual checkup from your family doctor or general practitioner is smart, but sometimes you need a specialist's opinion. When you want to get to the bottom of a particular health concern, you go to the expert in that field. Gap analysts are the GPs; pen testers are the specialists.
Remaining compliant and avoiding regulatory fines is the main motivator for most healthcare providers. But by pairing a HIPAA gap analysis with penetration testing, your organization can build an integrated defense strategy that delivers strategic, operational, and enterprise value while preparing for the cybersecurity threats of today and tomorrow.
In partnership with Boulay, RedTeam Security Consulting now pairs a HIPAA gap assessment with penetration testing. This service helps healthcare organizations meet their regulatory mandates and reduce information security risk. Your penetration testing report covers every flaw found, with a description, risk rating, impact, likelihood, evidence, and remediation steps for each. Our experts also remain available afterward to make sure the path to better protection is clear.