Information technology is a critical component of your business operations. A breach of security could cause significant damage to your organization and your customers and patients.
Furthermore, both the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economical and Clinical Health (HITECH) Act require health care organizations to comply with federal standards when handling and transmitting patient data.
An effective information security program depends on both technology and operational practices. Technologies such as servers, networking components and applications require secure implementation to reduce vulnerabilities and protect sensitive information, as well as meet HIPAA and HITECH mandates for security.
There are two primary components of HIPAA to understand in regard to your information security obligations. These components are commonly referred to as the Privacy Rule and the Security Rule.
These rules apply to "covered entities" (as defined by 45 C.F.R. § 160.103), which include:
These rules also extend to independent contractors, known as "business associates," who have access to individually identifiable health information or perform certain functions and activities.
The Privacy Rule regulates the use and disclosure of Protected Health Information (PHI) in both paper and electronic formats. The U.S. Department of Health & Human Services (HHS) states that the Privacy Rule requires:
The Security Rule specifies what administrative, physical and technical safeguards must be in place to assure the confidentiality, integrity and availability of Electronic Protected Health Information (EPHI or e-PHI).
Specifically, covered entities must (as defined in 45 C.F.R. § 164.306(a)):
The HITECH Act extends HIPAA's privacy and security requirements to business associates and augments notification requirements when PHI is breached or disclosed.
To demonstrate compliance with HIPAA and HITECH, 403 Labs works with your team to:
Our assessment covers the following areas:
At the conclusion of the assessment, we will provide a final report that outlines the HIPAA/HITECH requirements and your compliance with the specific requirements applicable to your organization.
As technologists and security enthusiasts, part of the "fun" we have at work is tossing around attack scenarios and challenging each other with situational risk. This time it started out with:
"If I steal credit card track data, I can make HUGE purchases (and perhaps return for cash).
"If I steal PIN data, I can get cash directly.
"If I steal health-related data in bulk from a doctor's office, the most profitable thing I can do with it is..."
While my inbox had dozens of responses, some of my favorites included:
All it takes is your name and phone number or email address to learn more about our services and expertise. If you'd like, you'll also be able to send additional details after you submit your information here.