What is the HIPAA Security rule?

The HIPAA Security rule applies to covered entities, business associates, subcontractors – anyone or any system with access to confidential patient data. Every organization in the healthcare delivery ecosystem must adhere to this rule because of the potential sharing of Electronic Protected Health Information (ePHI). This rule contains the standards organizations must follow to protect electronically created, accessed, processed, or stored PHI (ePHI). These standards apply to ePHI when it is at rest and in transit. It clarifies the physical, administrative, and technical safeguards that organizations must implement. The HIPAA security rule focuses on managing access and interprets it as having the means necessary to read, write, modify, or share ePHI or any personal identifiers that may reveal the patient’s identity.

Organizations are required to document their adherence to these standards and safeguards in their HIPAA Policies and procedures. They also need to ensure that staff members are trained annually on these policies and procedures and maintain documentation to prove this. 

  i) What is the difference between addressable and required safeguards ? 

Under HIPAA, safeguards are either ‘Required’ or ‘Addressable.’ ‘Required’ safeguards must be implemented, while ‘Addressable’ safeguards have some level of flexibility. If a covered entity is unable to implement an addressable safeguard, they can implement an appropriate alternative or not introduce the safeguard altogether. This decision depends on the organization’s risk analysis, risk mitigation strategy, and the other security measures they have implemented. The organization is required to carefully document all the factors leading up to the decision along with the results of the risk assessment on which the decision was based.

Addressable safeguards should not be interpreted as optional. Due to the dynamic nature of technology, complexity and cyber attacks, addressable safeguards may become required. We recommend implementing most of the controls. Physical safeguards, in some cases, can be addressable if ePHI is stored on the cloud. However, most controls are critical for maintaining security.

  ii) What are Administrative Safeguards under the HIPAA Security rule?  

Administrative Safeguards are the cornerstone of HIPAA Compliance. They are the policies and procedures that connect the Privacy Rule and the Security rule. A critical administrative safeguard is the appointment of a Security Officer and a Privacy Officer to ensure the security measures are in place to protect ePHI and staff members follow them. 

Organizations are required to conduct a risk assessment before planning their policies and procedures and on a regular basis once they are implemented. This assessment is usually reviewed in a HIPAA audit to ensure it is ongoing and comprehensive. It is important to plan this annually and assess the organization’s level of risk and HIPAA compliance.

Administrative Safeguards – HIPAA Security rule
Safeguard
Required / Addressable
Action
Risk Assessment
Required
Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the PHI being created, used, and stored
Risk Management Policy
Required
Implement security measures to reduce risks and vulnerabilities to a reasonable and appropriate level
Sanctions Policy
Required
Create and implement a ‘Sanctions Policy’ to outline sanctions against workforce members who fail to comply with organizational security policies and procedures
Information System Activity Review
Required
Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports
Assigned Security Responsibility
Required
Assign the responsibility of maintaining security to a security official who will be accountable for the development and implementation of policies and procedures
Authorization / Supervision
Addressable
Implement procedures to authorize and supervise staff members who access PHI
Workforce Clearance Procedure
Addressable
Implement procedures to verify if an employee’s access to PHI is appropriate
Termination Procedures
Addressable
Implement procedures for terminating access to PHI when an employee leaves the organization
Isolating Health care Clearinghouse Function
Required
If a health care clearinghouse is part of a larger organization, the clearinghouse must implement policies and procedures that protect their ePHI from unauthorized access by the larger organization
Access Authorization
Addressable
Implement policies and procedures for granting access to ePHI, for example, through access to a designated workstation
Access Establishment and Modification
Addressable
Based on access authorization policies, create and implement procedures to establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process
Security Reminders
Addressable
Set up periodic security updates
Protection from Malicious Software
Addressable
Implement procedures for detecting and reporting malicious software
Log-in Monitoring
Addressable
Implement procedures to monitor log-in attempts and report discrepancies
Password Management
Addressable
Implement procedures for creating, changing, and safeguarding passwords
Response and Reporting
Required
Identify and respond to suspected or known security incidents; mitigate any known harmful effects of security incidents to the extent possible; and document security incidents and their outcomes
Data Backup Plan
Required
Establish and implement procedures to create and maintain retrievable exact copies of ePHI
Disaster Recovery Plan
Required
Establish (and implement as required) procedures to restore any loss of data
Emergency Mode Operation Plan
Required
Establish procedures to ensure business continuity and protect ePHI while operating in emergency mode
Testing Contingency Plans
Addressable
Implement procedures to test and update contingency plans periodically
Criticality Analysis of Applications and Data
Addressable
Assess the relative criticality of specific applications and data which support other contingency plan components
Business Associate Contracts and Other Arrangements
Required
Ensure that BAAs and all other arrangements with vendors are signed and updated
Security Awareness Training for employees
Required
All organizations covered under HIPAA are required to train their employees and ensure they are aware of the policies and procedures governing access to ePHI. They must also be taught to identify malicious software attacks and malware. Training must be conducted annually, and all records must be maintained.

  iii) What are Technical Safeguards under the HIPAA Security rule? 

Technical Safeguards are related to the technology used to protect ePHI and provide access to the data. These should be reviewed by the IT Department of an organization covered under HIPAA (Covered entities, business associates, and subcontractors).

Technical Safeguards – HIPAA Security rule
Safeguard
Required / Addressable
Action
Unique User Identification
Required
Assign a unique name and/or number for identifying and tracking user identity
Emergency Access Procedure
Required
Establish procedures to obtain ePHI during an emergency
Automatic Logoff
Addressable
Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity
Encryption and Decryption
Addressable
Implement a method to encrypt and decrypt ePHI
Audit Controls
Required
Implement hardware, software, and/or procedural mechanisms to record and examine the activity in information systems that contain or use ePHI
Mechanism to Authenticate Electronic PHI
Addressable
Implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner
Person or Entity Authentication
Required
Implement procedures to authenticate the personnel who are authorized to work with ePHI
Integrity Controls – Transmission Security
Addressable
Implement security measures to ensure that electronically transmitted PHI is not improperly modified without detection until it is disposed of

  iv) What are Physical Safeguards under the HIPAA Security rule? 

ePHI can be stored in a data center in a remote location, in the cloud, or on on-prem servers within the organization’s premises. Physical Safeguards focus on direct physical access to ePHI irrespective of where it is stored. They outline guidelines to secure workstations and mobile devices against unauthorized access. 

Technical safeguards emphasize encryption as per NIST standards to protect ePHI at rest and in transit once it crosses the organization’s internal firewalled servers. This ensures that any data breach renders the data unreadable, undecipherable and unusable. While this is a required safeguard, organizations can select the most appropriate mechanism.

Physical Safeguards – HIPAA Security rule
Safeguard
Required / Addressable
Action
Contingency Operations
Addressable
Establish procedures that permit facility access to restore lost data in an emergency. These procedures should be in accordance with the disaster recovery plan and emergency mode operations plan
Facility Security Plan
Addressable
Implement policies and procedures to safeguard the facility and the equipment therein from unauthorized physical access, tampering, and theft
Access Control and Validation Procedures
Addressable
Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision
Maintenance Records
Addressable
Implement policies and procedures to document repairs and modifications to the physical components of a facility that are related to security like the hardware, walls, doors, and locks
Workstation Use
Required
Implement policies and procedures to specify the functions to be performed, the manner in which those functions are to be performed, and the physical attributes of the surroundings of a specific workstation or class of workstation that can access ePHI
Workstation Security
Required
Implement physical safeguards for all workstations that access electronic PHI to restrict access to unauthorized users
Disposal of Device and Media Controls
Required
Implement policies and procedures to address the final disposition of ePHI and/or the hardware or electronic media on which it is stored
Media Re-use
Required
Implement procedures for removing ePHI from electronic media before the media are made available for reuse.
Accountability of Device and Media Controls
Addressable
Maintain a record of the movements of hardware, electronic media, and any person responsible for them
Data Backup and Storage
Addressable
Create a retrievable, exact copy of ePHI before moving equipment in which it is stored

If you are looking for support to understand how to implement the HIPAA Security Rule and would like to connect with a HIPAA Expert, please get in touch us for a free consultation. If you are looking for a convenient Do-It-Yourself HIPAA Attestation Kit, you can sign up for a free trial.

Related Links:

HIPAA

Rules of HIPAA Compliance

Protected Health Information (PHI)

What are the rules of HIPAA Compliance?

Rules of HIPAA ComplianceThe Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a set of mandatory standards for all organizations that work with Protected Health Information (PHI) of US Residents. It applies to all Healthcare Providers, Business Associates (Vendors of Healthcare Providers), Healthcare SaaS companies, subcontractors, etc. The scope and applicability of the Act have been amended since 1996 to include additional rules.

The Office for Civil Rights (OCR) enforces HIPAA, while the Department of Health and Human Services (HHS) regulates HIPAA compliance. To ensure that businesses are informed of best practices, the OCR regularly publishes recommendations on new issues affecting healthcare. It also investigates common HIPAA violations on a regular basis.

The Rules of HIPAA Compliance are:

  1. HIPAA Privacy rule
  2. HIPAA Security rule
  3. HIPAA Enforcement rule
  4. HIPAA Breach Notification rule
  5. HIPAA Omnibus rule

HIPAA Privacy Rule: This rule mandates appropriate safeguards to protect the privacy of PHI and ensures that patient data cannot be used or disclosed without patient authorization. It gives patients and their nominated representatives rights over their PHI, including the right to obtain a copy of their health records or  examine them – and the ability to request corrections if required.

HIPAA Security Rule: This rule outlines the standards that covered entities, business associates, and subcontractors must follow to protect PHI that is electronically created, accessed, processed, or stored. These standards are also intended for ePHI when it is at rest and in transit. The HIPAA Security Rule includes physical, administrative, and technical safeguards that organizations are required to implement.

HIPAA Breach Notifications Rule: This rule outlines the protocol that organizations must follow in case of a data breach containing ePHI or PHI. As per this rule, they are required to notify patients when there is a breach of their PHI. They also need to notify the HHS and issue a notice to the media if it affects more than 500 patients. Breach notifications must be made within 60 days and without unreasonable delay, following the discovery of a breach. For breaches involving less than 500 patients, they must conduct an investigation and report them through the OCR web portal. The OCR requires these reports on an annual basis.

 The HIPAA Enforcement Rule: This rule comes into effect after a breach of PHI or ePHI. Under this rule, the OCR investigates the breach and has procedures for hearings. Penalties may also be imposed on organizations responsible for the breach. Fines are imposed for each violation based on a tiered system. The total value of the fine is related to the number of records exposed in a breach. It also considers the risk due to the exposure of that data and the level of neglect that the organization permitted. Criminal charges may also be laid on organizations that knowingly deviate from HIPAA rules. Additionally, patients who are victims of a breach can also file civil lawsuits under this rule.

 HIPAA Omnibus Rule: The HIPAA Omnibus rule focuses on areas that previous HIPAA updates had overlooked. The most important addition made by this rule was the expansion of HIPAA compliance regulations to include business associates, and subcontractors. This rule also focuses on streamlining Business Associate Agreements (BAAs). A BAA is a contract that must be signed and implemented between covered entities, business associates and subcontractors before PHI or ePHI is shared or transferred.

 There are two additional HIPAA rules which focus specifically on electronic data.

a) HIPAA Transactions and Code Set rule: This rule ensures a uniform way to exchange PHI between entities in the healthcare delivery ecosystem based on electronic data interchange (EDI) standards. It is used for all healthcare-related digital transactions.

b) HIPAA Unique Identifiers rule: This rule focuses on Identifier Standards for Employers and Providers. It requires employers and healthcare providers to have standard national numbers to identify them instead of their business names and other identifiers.

If you are looking for support to understand how HIPAA compliance rules apply to your organization and would like to connect with a HIPAA Expert, don’t hesitate to get in touch with us for a free consultation. If you are looking for a convenient Do-It-Yourself HIPAA Attestation Kit, you can sign up for a free trial.

Related Links:

HIPAA

What is Protected Health Information (PHI)?

Who is Covered under HIPAA?

What is Protected Health Information (PHI)?

HIPAA stands for the Health Insurance Portability and Accountability Act of 1996. It is a set of mandatory standards to manage the use and disclosure of healthcare data, known as Protected Health Information or PHI. Complying with HIPAA is mandatory for all Healthcare Providers, Business Associates (Vendors of Healthcare Providers), Healthcare SaaS companies, and any Organization that directly or indirectly works with PHI. HIPAA has been amended to include additional rules that expand its scope and applicability.

The Office for Civil Rights (OCR) enforces HIPAA, while the Department of Health and Human Services (HHS) regulates HIPAA compliance. The OCR regularly publishes recommendations on new issues affecting healthcare and investigates common HIPAA violations on a regular basis.

Protected Health Information (PHI)

Any identifiable health-related data used, stored, maintained, or shared by an entity is considered PHI. It covers every aspect of a patient’s information. The HHS has identified 18 HIPAA identifiers. They are:

HIPAA rules (Link to the next blog-What are the rules of HIPAA Compliance) are focused on protecting PHI - HIPAA Security rule, HIPAA Privacy rule, HIPAA Breach Notification rule, HIPAA Omnibus rule and HIPAA Enforcement rule. There are specific safeguards and guidelines under each rule to ensure that Protected Health Information is handled with utmost care. Organizations that are covered under HIPAA (hyperlink to who is covered under HIPAA) can avoid penalties, fines, and jail time for violating these HIPAA rules by ‘De-identifying PHI’. De-identification implies disassociating a patient from their health information. Once it is de-identified, the data set is no longer covered under HIPAA. The organization continues to be covered under HIPAA, but this security measure significantly reduces its risk. The HHS recommends 2 methods to de-identify health data . If you are looking for support to implement or evaluate your level of HIPAA Compliance, or if you have any questions about HIPAA compliance and would like to connect with a HIPAA Expert, please get in touch with us for a free consultation. If you are looking for a convenient Do-It-Yourself HIPAA Attestation Kit, you can sign up for a free trial. Related Links: HIPAA

HIPAA rules are focused on protecting PHI – HIPAA Security rule, HIPAA Privacy rule, HIPAA Breach Notification rule, HIPAA Omnibus rule and HIPAA Enforcement rule. There are specific safeguards and guidelines under each rule to ensure that Protected Health Information is handled with utmost care.

Organizations that are covered under HIPAA  can avoid penalties, fines, and jail time for violating these HIPAA rules by ‘De-identifying PHI’. De-identification implies disassociating a patient from their health information. Once it is de-identified, the data set is no longer covered under HIPAA. The organization continues to be covered under HIPAA, but this security measure significantly reduces its risk. The HHS recommends 2 methods to de-identify health data.

If you are looking for support to implement or evaluate your level of HIPAA Compliance, or if you have any questions about HIPAA compliance and would like to connect with a HIPAA Expert, please get in touch with us for a free consultation. If you are looking for a convenient Do-It-Yourself HIPAA Attestation Kit, you can sign up for a free trial.

Related Links:

HIPAA

Who is covered under HIPAA?

7 Benefits of HIPAA Compliance

How to Select a Security Vendor

Infographic on Security Vendor SelectionAccording to the 2022 Verizon Data Breach Investigations Report, 62% of network breaches occurred through an organization’s partner. Statistics like this challenge the notion that having security vendors and sharing data is a secure way to achieve organic growth.

Organizations today are also facing the new reality of a hybrid work environment with decentralized offices, flexible remote work practices, greater health precautions in the workplace, and dynamic security threats. As you navigate the altering landscape of work during a pandemic, minimize costs to respond to new conditions and plan to future-proof your organization, you need a checklist to evaluate vendors and ascertain if they are the right fit for your organization.

Finding the right security vendor to protect your organization’s data can prove challenging. Given the sheer number of vendors and solutions makes it tough to find the one that will meet your needs and budget.

We have outlined how to select a security vendor based on the factors listed below:

1. Data Sharing Process
2. Background
3. Certifications and Credentials

4. Security posture

5. Customer References
6. Pen Testing Report
7. Policies and Procedures
8. Post engagement support


1. Data Sharing Process

To conduct a successful vendor selection process, you must begin by analyzing the protocol of the working relationship you plan to create with the vendor. To do this, you need to understand the information / data that will be shared between your organization and the vendor. Frequently, organizations tend to narrow down a list of possible security providers to the top 3-5 and pass it along without going into these crucial details – a recipe for failure.

Review the following questions vis-à-vis the internal processes in your organization.

  1. How much access will they have? This might be in a tiered internal system, with level one access becoming the least critical and level four access being the most critical.

  2. Which systems will they be able to access?

  3. What information will be shared between the organization and the security vendor? Will Personally Identifiable Information (PII), health care data, intellectual property, and so on be disclosed?
Different organizations have varying levels of risk. This necessitates an on-site assessment and penetration test (among other things) for some organizations, while for others it can be performed from the desk. Knowing ahead of time how much access the security vendor will have and what type of data will be shared is critical. With all this information in mind, you should know how thoroughly your security vendor should handle your organization’s data.

2. Background

Assess critical aspects of a vendor’s credentials and background. Review the following questions vis-à-vis the portfolios of the vendors you are considering.

a. Are they trustworthy?

While few security vendors are ready to share information about their clients, they should be able to issue letters of recommendation. A simple phone call or email to a previous or present client can clear up any confusion about a vendor’s credentials, abilities, and capacity. A little research can go a long way toward finding a good fit for your business.

b. Do they understand your industry?

Although many security components are universal, several organizations have specific technical requirements and rules. Ensure that your security vendors are familiar with your organization’s software and technology and any industry-specific legal requirements. It is ideal to have a vendor who has worked in a similar setup.

c. Is the company stable and financially sound and has insurance?

According to a recent poll, 25% of SMBs declared bankruptcy after a data breach, and 10% went out of business. In worst-case scenarios, the vendor’s insurance could potentially cover your business loss for negligence and errors during the engagement.

d. What is their contingency plan if something goes wrong?

Since breaches have become the third certainty in life, after death and taxes, it’s critical to choose a security vendor with a reputation for adequately preparing their clients for the terrifying reality of a breach and a track record of getting them through it.

3. Certifications and Credentials

Certifications confirm that a vendor has good security hygiene. Many security vendors claim to be experts while having very few industry-standard credentials or qualifications. Before working with a vendor, look for certifications such as CompTIA, GSEC, CISSP, or CCSP, and ensure that everybody who has access to your network and data has been thoroughly trained and verified.

ISO 27001, or its American counterpart NIST, is one of the most widely used standards for describing information security management. They govern both the technical infrastructure requirements and the manner in which a business operates. These standards make it mandatory for all procedures to be documented and adhere to data security protocols. Adhering to these standards ensures that your client data is secure, communication is private, and your employees have been adequately vetted and trained.

The PCI DSS is a payment card industry standard. It is one of the highest security certifications a supplier may acquire for payment information data protection. Other security certificates are more industry-specific, although they also indicate a high level of maturity in the security program. HIPAA compliance is necessary in the United States if you deal with Protected Health Information (PHI). GDPR mandates the data privacy rules that are essential in Europe.

In addition, a recent SOC 2 examination report of a vendor validates their technology, processes and people by a third-party auditing firm.

4. Security Posture

Revisiting the 2022 Verizon Data Breach Investigations Report – it was found that 62% of network breaches occurred through an organization’s partner.

To avoid such a scenario, before onboarding a security vendor, you must thoroughly examine their security posture. For most organizations, this is an expensive and time-consuming process. However, you can define acceptable risk levels and create language to verify that your entire third-party network satisfies the security standards and protocols that your organization adheres to.

Establish a culture of cross-collaboration across departments to make this work. Everyone from the CEO, CIO, and CFO to the head of the legal department should be involved in assessing your organization’s risk appetite – what is acceptable and what is not. Then, define risk parameters. For example, the imposition of additional contractual controls depending on a specific vendor’s rating. Lower-rated items may require more extensive controls to satisfy your acceptable risk threshold.

5. Customer References

Require each security vendor to provide a list of three references. Then, make sure to call or email those references and respectfully ask questions like:

      • Were their personnel knowledgeable?
      • How would you rank their product or service quality?
      • Did you get the level of service you were promised?
      • What steps did they take if something went wrong?
      • Did you have to revisit any shortcomings in the security protocols?
      • Would you recommend the vendor to other businesses? Why?


6. Pen Testing Report

Many security certifications necessitate a penetration test to uncover potential flaws. Security-conscious businesses frequently run them internally to prevent leaks and breaches. A formal report on the test results contains sensitive information that they would be reluctant to reveal. However, you might discuss test results during chats and negotiations with a potential security partner. Inquire about the last time the security vendor conducted a test, who conducted it, and what suggestions were provided. You may not be given complete details, but the fact that the test was taken illustrates the company’s commitment to security standards. It is permissible to enquire whether the vulnerabilities have been addressed and additional safeguards have been taken.

7. Policies And Procedures

If an organization values security, it will implement policies and procedures to meet that critical objective. A solid information security policy should address software and hardware maintenance, Internet usage and email communications, access controls such as password management, and customer data processing. Organizations must inquire about the security vendors’ policies, procedures, and their implementation.

Hiring And Training Procedures : People are the weakest link in any security system, no matter how sophisticated the cyberattack. According to a Tessian Report, 43% of US and UK employees made mistakes that weakened the level of cybersecurity.

Inquire about how the security vendor hires and trains new staff. What are the credentials and certifications of their personnel? Do they conduct background checks? How frequently do people undergo retraining? Do employees have to sign NDAs? Were there any previous data leaks? All of these inquiries are appropriate before entrusting someone with your assignment.

8. Post Engagement Support

Hackers are opportunistic; ransomware, malware, and phishing efforts have increased during the Covid-19 pandemic, but they can strike anytime. IT and security vendors should ideally have resources available to respond to a cyber incident 24 hours a day, seven days a week, and develop a communication channel with you.

There are several things to consider while choosing the ideal business partner. We encourage you to use this checklist to evaluate the list of vendors that you shortlist and make a sound business decision.

databrackets as your security vendor

With over a decade of industry experience and technical excellence, a dedicated team at databrackets can protect your organization from threats and adapt to each industry’s unique requirements, including law firms, healthcare, financial services, law enforcement agencies, SaaS providers, Managed Service Providers and other commercial organizations.The only way to defend everything you’ve worked so hard to create is to be cautious about security lapses. Contact us to know more about how our services will help your company. We would be happy to connect with you.

Who is covered under HIPAA?

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is applicable to all entities in the Healthcare Industry. It outlines the rules and regulations with regard to the use and disclosure of protected health information (PHI) by organizations in the industry. The Department of Health and Human Services (HHS) regulates HIPAA Compliance while the Office for Civil Rights (OCRenforces it. While healthcare providers who directly work with patients are aware of the regulation, it is crucial to understand the entire landscape of the healthcare service delivery ecosystem to which the Act applies. The insights below clarify the answer to another commonly asked question ‘Who needs to be HIPAA compliant?’.

There are three types of organizations that need to be HIPAA compliant:

  1. Covered Entities
  2. Business Associates (third-party service providers who work with covered entities)
  3. Subcontractors (Business Associates of Business Associates)

Who is covered under HIPAA?

Covered Entities
Business Associates
Subcontractors
Description
A Covered Entity consists of 3 types of organizations that directly work with patients and administer healthcare. They are: A Healthcare Provider, A Health Plan & A Healthcare Clearing House.
A “business associate” is a person or entity that performs specific functions or renders services to a covered entity, which involve the use or disclosure of protected health information. A covered entity can be a business associate of another covered entity.
Business Associates hire subcontractors to process, create, or store PHI. They usually don’t have a business associate agreement or a direct relationship with covered entities. However, because they handle patient data, they need to be HIPAA compliant.
Examples
A Healthcare Provider includes Doctors, Clinics, Psychologists, Dentists, Chiropractors, Nursing Homes, Pharmacies… if they transmit any information electronically
Services rendered by business associates are: legal; actuarial; accounting; web-hosting; managed IT and security services; financial, consulting; management; accreditation; data aggregation, data transmission;  administrative; accreditation agencies, medical equipment service companies.
A hosted service provider like Amazon Web Services is a classic example of a subcontractor. With the increase in cloud-based services, there is an increased dependence on subcontractors by covered entities and business associates. 
A Health Plan includes Health Insurance Companies, HMOs, Company Health Plans, Government programs that pay for healthcare like Medicaid, Medicare, Healthcare programs for veterans / military
Some examples of business associate functions and activities include: • data analysis, processing or administration • claims processing or administration • utilization review • quality assurance • billing • benefit management • practice management • repricing
A Healthcare Clearing House includes entities that process nonstandard health information that they receive from another entity into a standard (e.g. a standard electronic format / data content) or vice versa
HIPAA Compliance
Mandatory
Mandatory
Mandatory
Business Associate Agreement
Required between a Covered Entity and a Business Associate / Subcontractor
Required between a Covered Entity and a Business Associate / Subcontractor
Required between a Business Associate and Contractor
Penalties, Fines & Jail Time
Applicable & Direct
Applicable & Direct
Applicable & Direct
 
All HIPAA rules are applicable to the healthcare service delivery ecosystem, which consists of organizations that fall into one of these three categories. Even if they are not directly engaged in delivering healthcare services, their employees and vendors need to undergo HIPAA Compliance Training every year to ensure they are aware of the organization’s security protocols and understand their accountability under HIPAA. They are required to have HIPAA-compliant policies and procedures and a Business Associate Agreement (BAA) with the entity that hires them or the entities they hire. They also need to prove that they are complying with HIPAA rules by undergoing an annual attestation.

Organizations under all three categories are required to register with the Department of Health and Human Services (HHS). The Office for Civil Rights (OCR) is authorized to enforce all HIPAA rules, including compliance with new best practices shared by them on a regular basis.

If you are wondering whether your organization is covered under HIPAA or if you have any questions about HIPAA compliance and would like to connect with a HIPAA Expert, please contact us for a free consultation. If you are looking for a convenient Do-It-Yourself HIPAA Attestation Kit, you can sign up for a free trial.

Related Links:

HIPAA

7 Benefits of HIPAA Compliance

What is HIPAA?

7 Benefits of HIPAA Compliance

HIPAA Benefits Blog Banner

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) outlines the rules and regulations with regard to the use and disclosure of Protected Health Information (PHI) by all businesses in the Healthcare industry. The Department of Health and Human Services (HHS) regulates HIPAA Compliance while the Office for Civil Rights (OCR) enforces it.

HIPAA Compliance is very beneficial for patients since it ensures their personal and identifiable information is protected from known and potential channels used for cyber-attacks. However, there are several benefits for HIPAA-compliant organizations as well. Some of the numerous advantages for Healthcare Providers, Business Associates, and Subcontractors are listed below.

1. Protect Health Records

HIPAA acts as a benchmark checklist for businesses that work directly or indirectly with Protected Health Information (PHI). It helps them plan a cumulative approach to security and data privacy. The Act equips the Healthcare industry and its allied businesses with the information they need to protect PHI from known, predictable, and potential channels and sources of cyber-attacks. The emphasis on annual staff training and preparation for an unannounced HIPAA audit ensures that businesses stay alert at all times.

2. Prevent HIPAA Violations, Penalties & Fines

Adherence to HIPAA rules helps Healthcare Providers, Business Associates and Subcontractors to prevent HIPAA violations. Since a HIPAA violation leads to fines and jail time, being HIPAA compliant ensures they can protect their organization, personnel, and brand reputation.

3. Enforce a High Security Standard for Vendors

HIPAA compliance is mandatory across the Healthcare delivery ecosystem. This includes mandatory protection of PHI according to HIPAA rules by Business Associates, Subcontractors, and any vendor, even if they have access to only a few elements of PHI like diagnostic images associated with a patient ID. While this may not seem like identifiable information to us, it is a gold mine for hackers, who find ways to locate the personal information associated with the patient ID from other sources.

4. Protect your Brand Reputation & Ensure a Patient-First Approach

Being HIPAA compliant is mandatory not only for Healthcare providers but also for their Business Associates and Subcontractors. This ensures that a patient-first approach is adopted across the Healthcare delivery ecosystem. Since HIPAA is mandatory, an organization’s brand reputation is damaged if they are penalized by the HHS. In order to retain the trust of patients, B2B customers and their brand reputation, it is critical for organizations to evaluate their level of HIPAA compliance regularly.

5. Develop a Security and Compliance Process

Adherence to HIPAA requires regular maintenance of security protocols, with particular emphasis on the security rule and the physical and technical safeguards outlined under it. This is achieved by developing an IT compliance process to review if all the safeguards are in place. Developing this process is beneficial as it allows organizations to detect deviations faster and take corrective actions to prevent a cyber-attack.

6. Ensure Compliance across the Organization

HIPAA mandates specific actions from the IT department and all stakeholders since its rules, amendments,  and regular updates from the OCR ensure that compliance is a shared responsibility. The Act is mandatory for all businesses in the Healthcare Industry. As a result, businesses that are HIPAA compliant are protected from known sources / channels of data breaches. This ensures that ignorance of security protocols does not accidentally result in a vulnerability / loophole in the system.

7. Implement Security Best Practices to Prevent Cyber Attacks

The OCR has a subscription service to share security best practices with organizations and regular updates about the security measures that need to be updated. This helps organizations to stay informed and implement them.

If you have any questions about HIPAA compliance and would like to connect with a HIPAA Expert, please contact us for a free consultation. If you are looking for a convenient Do-It-Yourself HIPAA Attestation Kit, you can sign up for a free trial.

Related Links:

HIPAA

What is HIPAA?

Rules of HIPAA Compliance

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a set of mandatory standards to manage the use and disclosure of Protected Health Information (PHI). It is mandatory for all Healthcare Providers, Business Associates (Vendors of Healthcare Providers), Healthcare SaaS companies, and any Organization directly or indirectly working with PHI.

The Department of Health and Human Services (HHS) regulates HIPAA compliance while the Office for Civil Rights (OCR) enforces it. The OCR regularly publishes recommendations on new issues affecting healthcare and investigates common HIPAA violations on a regular basis.

While the Act was passed in 1996, there have been several amendments to keep up with technological advancement:

  • The Security Rule Amendment of 2003
  • Technical Safeguards
  • Physical Safeguards
  • Administrative Safeguards
  • The Privacy Rules Amendment of 2003
  • The HITECH Act and Breach Notification Rule of 2009
  • The Final Omnibus Rule of 2013

The Final Omnibus rule of 2013 streamlined HIPAA compliance rules to include any business that stores, manages, records, or transfers Protected Health Information (PHI). These businesses are called ‘Business Associates’ under HIPAA. This broad term includes all vendors and subcontractors who directly or indirectly work with Healthcare Providers.

Currently, HIPAA consists of 5 main rules:

  • HIPAA Privacy Rules
  • HIPAA Security Rules
  • HIPAA Enforcement Rules
  • HIPAA Breach Notification Rules
  • HIPAA Omnibus Rule

There are additional rules that relate to transactions and code sets, in addition to unique identifiers. HIPAA compliance focuses on specific data privacy rules to protect sensitive patient data. Its aim is to create a culture in the healthcare industry to ensure protected health information’s privacy, integrity, and security. Annual HIPAA training of all personnel who come in contact with patient data is one of many aspects of the Act that ensures all stakeholders are involved and they understand their role in protecting PHI.

We recommend that IT professionals, CTOs, and CISOs carefully examine the details of the Administrative, Technical, and Physical Safeguards outlined under the Security Rule to ensure their IT systems are HIPAA compliant.

If you have any questions about HIPAA compliance and would like to connect with a HIPAA Expert, please contact us for a free consultation. If you are looking for a convenient Do-It-Yourself HIPAA Attestation Kit, you can sign up for a free trial.

Related Links:

HIPAA

What is the difference between SOC 2 and ISO 27001 certification?

SOC 2 vs ISO 27001 comparison-databrackets-banner

The SOC 2 and ISO 27001 certifications are voluntary compliance & security standards designed to prove your commitment to protecting customer data and help your organization get an overview of your current security posture.  However, they cover different dimensions of securing information. Both frameworks have about 75%-80% overlap in the security requirements, and both help design an effective Information Security program through a mixture of policies, processes, and best practices. 

Let’s look at some of the critical differences between SOC 2 and ISO 27001 to understand them better.

 

TitleSOC 2ISO 27001
ScopeSystemsISMS
ApplicabilitySaaS companiesGlobal companies
CertificationThe American Institute of Certified PublicANSI- ASQ National
Attestation LevelsType 1 and Type 2No levels
Certification Validity/ RenewalOnce a yearOnce in 3 years
Controls and Criteria64 criteria split across 5 TSCs114 controls across 14 categories
Audit ReportDetailed DescriptionHigh level or customized certification depending on the need of the company
Timeline3 to 12 months12 to 18 months
Qualification of the AuditorLicensed CPAISO Certified lead auditor

 

SOC 2 vs. ISO 27001: Scope

SOC 2 is an examination report that provides an assurance on the design and implementation of security controls to protect customer data. While ISO 27001 certification is a standard set of security controls required for an effective InfoSec Program.

SOC 2 vs. ISO 27001: Applicability

Both SOC 2 and ISO 27001 are widely accepted certifications. SOC 2 applies to SaaS companies that store customer data and is limited to North American organizations. However, ISO 27001 applies to organizations of any size or industry. It is an internationally recognized security standard and is accepted by client organizations.

SOC 2 vs. ISO 27001: Certification

SOC 2 is attested by a licensed Certified Public Accountant (CPA), while ISO 27001 is certified by, an ISO certification body like databrackets, authorized by iasonline.org.

SOC 2 certification is ideally achieved in stages. Organizations with security experts, like databrackets, can help you complete a readiness prep for SOC 2 before you approach a CPA firm.

SOC 2 vs. ISO 27001: Attestation Types

SOC 2 has Type I and Type II attestation reports, while for ISO 27001 there is one attestation report.

SOC 2 vs. ISO 27001: Certification Validity/Renewal

SOC 2 compliance needs to be renewed yearly, while the ISO 27001 certification is valid for three years; following these, annual surveillance audits are also required.

SOC 2 vs. ISO 27001: Controls and Criteria

The controls for SOC 2 are based on criteria which a company can interpret while ISO 27001 controls are more prescriptive and  comprehensive.

SOC 2 certification is based on 64 controls split across five Trust Services Criteria (TSC). ISO 27001 certification is a risk-based approach that involves applying  from 114 Annex A controls across 14 categories that is applicable for your organization.

SOC 2 vs. ISO 27001: Audit Report

SOC 2 provides a detailed Audit Report to share with your customers, and ISO 27001 is a high-level certification that when needed can be broken down into a more comprehensive report.

SOC 2 vs. ISO 27001: Audit Scope

While ISO 27001 evaluates the design effectiveness of the ISMS approach, SOC 2 compliance evaluates the design (Type 1) and operational effectiveness (Type 2) of the organization’s internal controls.

SOC 2 vs. ISO 27001: Timeline

SOC 2 Type I is a point-in-time report, and Type II takes anywhere between 3 and 12 months to complete.  ISO 27001 can take a few months to complete based on maturity, size of the organization, number of employees, critical data, and other data points. 

SOC 2 vs. ISO 27001: Cost

SOC 2 examination cost will depend on the type of report and could cost anywhere from USD 10,000 to USD 50,000. 

ISO 27001  implementation/ compliance could cost USD 1000 to USD 20000 for Small to Medium size Businesses (SMBs), and the certification cost estimate is USD 15000 to USD 25000. 

 

Choosing the right option

Obtaining SOC 2 or ISO 27001 or both certifications can benefit your organization. But to choose one over the other, you must understand the organization’s objectives and the information security requirements of both your customers and the stakeholders.

SOC 2 vs ISO 27001 comparison-databrackets

Choose SOC 2 if you already have an ISMS established and have mostly North American clients. Opt for ISO 27001 if you want to develop an ISMS and have an international clientele.

Large enterprise tend to opt for both SOC 2 and ISO 27001 to enhance their information security posture.

SMBs, unlike large corporations, lack the resources to implement cybersecurity practices, work on a minimalist budget and opt for either of the two depending on their requirements.

Learn how databrackets can help your SOC 2 and ISO 27001 compliance requirements

Achieve your SOC 2 compliance attestation or ISO 27001 certification with our team of security experts who can streamline your audit process and help you succeed at both.

Get a head start with our SOC 2 Compliance Guide and/ or ISO 27001 Guide

Access our online recorded webinars here

Connect with us today to know more

Is HITRUST Worth The Investment?

Blog banner image databrackets is HITRUST worth it?

What is HITRUST?

HITRUST, or Health Information Trust Alliance, is a non-profit organization that uses the ‘HITRUST approach’ to help the healthcare industry control data protection standards and effectively manage data, information risk, and compliance. It’s similar to HIPAA, but instead of being written and enforced by the federal government, HITRUST is regulated by a group of healthcare professionals.

HITRUST is a way for the healthcare sector to self-regulate security practices while also fixing some of HIPAA’s shortcomings and providing a PCI (Payment Card Industry)-like enforcement system for businesses to adopt. HITRUST is a recommended framework trusted by many larger healthcare companies, health networks, and hospitals to manage risk along with other frameworks.

 

Why is HITRUST important?

In the United States, HITRUST is the healthcare industry’s security framework getting adopted primarily in hospitals It sets an industry-wide standard for handling Business Associate compliance. For a variety of reasons, HITRUST is slowly getting adopted in the healthcare industry along with other certifications:

HITRUST is updated daily to keep healthcare organizations up to date on new regulations and security threats. It is the most frequently updated security framework, with periodic updates and annual audit revisions. This ensures that those who follow the HITRUST CSF(Common Security Framework) work tirelessly to ensure their safety.

Some large payers need HITRUST. On February 8, 2016, five major healthcare payers assured their business associates that they would comply with the HITRUST CSF within two years. As a result, companies must consider “what HITRUST entails” and “what changes are needed to be made to achieve and maintain certification.”

HITRUST Certification has the strictest requirements with high-risk data that can demonstrate that an entity is a leader in compliance because they have the certification to back it up.

Is HITRUST worth it?

HITRUST Certification won’t be easy.

Many business associates will find it challenging to obtain HITRUST CSF certification because the vast majority may be unprepared and caught off guard. This is due to the fact that many organizations, especially smaller vendors, lack the resources to complete HITRUST CSF Certification. Organizations must not only meet the CSF criteria, but a third party must also audit them before being approved, and they must be recertified every other year.

Several businesses are taken aback by the HITRUST certification. Why?

  • Firstly, the cost of assessment and assessor services are high. Budgets are often tight, and data protection may be a substantial investment as the cost might be too steep for small and medium enterprises, and HITRUST might be perceived as more expensive. For enterprises, HITRUST Certification could be seen as an investment rather than an expense
  • Many customers are hesitant to invest in HITRUST because they fear failing
  • A company choosing to get HITRUST certified, must first adopt the HITRUST CSF (Common Security Framework) which is updated regularly with multiple versions. You need to stay on top of the update, use the right protocol and technologies to be able to use it effectively. This may be a daunting task for many companies
  • Assessment may include up to 400 control criteria and take upto 8 weeks depending on the scope and complexity of the company. This may be severely time consuming

The HITRUST Certification Fee

 

If you’re looking for a ballpark figure, the best guess will be $50,000 to $200,000, not including ongoing recertification costs. However, the range is so wide that it is ineffective for your business.

It depends on the assessment’s reach and the organization’s size, the state of its information system, and the steps taken to plan for a HITRUST assessment.

 

What exactly is included in this price?

Costs directly related to:

– The HITRUST MyCSF® gateway and services are made available

– Companies can take a readiness assessment and rating it

– Conducting a difference analysis, administering and rating a validated evaluation

Indirect costs incurred as a result of:

– Employee time spent on participation

– Security data recording and updating

– Initial setup

– Developing corrective action plans and remediation initiatives

– Assistance in locating and submitting necessary documents

Why is HITRUST Certification more expensive than other security certifications?

One must factor in the detail-oriented approach, thoroughness, and dependability.

A thorough examination

Depending on the company’s risk profile, a single HITRUST assessment may include up to 400 control criteria. This is in addition to the three forms of protection required by HIPAA regulations, the 12 PCI DSS compliance standards, COBIT’s five domains, 37 processes, and the 80-100 controls included in a SOC 2 audit.

The HITRUST CSF blends these and other regulatory standards into a single, overarching risk management and enforcement program, which is one of the most tangible benefits of the framework. It combines information management, financial services, technology, and healthcare standards. As a result, businesses will streamline their enforcement processes, resolve security concerns in all sectors, and reduce the time and expense associated with maintaining compliance with multiple standards.

Detail-oriented approach

Each control in your organization’s assessment must be reported, assessed, checked, and verified by an accredited external assessor before being evaluated by HITRUST. In addition, each control must be assessed using the HITRUST Maturity Model, which has five levels.

The HITRUST CSF certification process covers much more ground than any other security evaluation. In most cases, 2,000-2,500 separate data points are examined. Throughout this phase, an average of 1.5 hours per control is spent, with the number of controls assessed varying depending on the organization’s size, risk profile, and scope.

Dependability

The HITRUST CSF system was created to give enforcement programs more structure and continuity. Recent enhancements have also increased scoring accuracy over time and between internal and external assessors.

HITRUST has strict standards for the assessor firms and experts involved in its commitment to solid assurance. Firms must apply for and receive approval from HITRUST to conduct assessments and services related to the CSF Assurance Program and work hard to retain that status.

Certified CSF Practitioners (CCSFP) are HITRUST Approved External Assessors responsible for assessing and validating security controls. They must complete a training course, pass an exam, and retain certification through regular refresher courses. HITRUST helps organizations ensure the evaluation and certification process is accurate through service.

Can you have a data breach after a HITRUST Certification?

Anthem, a HITRUST-certified company, was hacked, which resulted in a breach impacting nearly 80 million individuals.

While HITRUST released a statement in its defense that “the healthcare payer did not have a breach in any system or area of the organization that was within the scope of its HITRUST CSF Certification,” some security experts did question the significance “what did it mean to be HITRUST certified?” given the scale and sheer magnitude in the numbers.

HITRUST Alternatives

The HITRUST CSF is a certifiable and widely accepted security framework with a list of prescriptive controls to demonstrate HIPAA compliance. However, as alternatives to HITRUST, several SMEs comply with other security governance frameworks like the National Institute of Standards and Technology [NIST], HIPAA, SOC Reports – SOC 1, 2, and 3 Form 1 and 2 and ISO 27001 Certification.

NIST is a set of voluntary guidelines, and processes that companies use to reduce the risk of a cybersecurity threat. It aims to improve security and resiliency by implementing 108 security controls to achieve NIST compliance.

Many HIPAA requirements may not be understood in accordance with their intended objectives. HITRUST aims to provide an integrated and holistic approach to demonstrate compliance with HIPAA security requirements.

HIPAA is a federal law with national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.

Based on the certification goals and requirements of our clients, we offer alternative frameworks NIST, ISO 27001 or SOC 2 certifications. Different certifications involve different costs and levels of efforts, so it is imperative to consider your size, requirement and budget before you seek certification. IF you company falls under a broad range of industries or comes under a regulated industry, SOC 2 may be the best option. If your company processes electronic health information, HITRUST may be the better option.

Talk to us to understand your certification category and know more information

About databrackets

databrackets certified privacy and security professionals could help your organization comply with a range of Certifications and Compliances that include HIPAA/HITECH, PCI Data Security, CCPA, OSHA, GDPR, Penetration Testing,  FDA CFR Part 11, ISO 27000, Cloud Security Management, NIST Framework, Cybersecurity Framework, SOC Certification, Third-party Assessment, NYDPS Cybersecurity  Series, ISO 17020, and  ISO 27001.

databrackets assists organizations in developing and implementing practices to secure sensitive data and comply with regulatory requirements. By leveraging databracket’s SaaS assessment platform, awareness training, policies, and procedures, and consulting expertise, you can meet the growing demand for data security and evolving compliance requirements more efficiently.

American Association for Laboratory Accreditation (A2LA) has accredited databrackets for technical competence in and compliance with the Inspection Body Accreditation Program.

databrackets has been accredited by the American Association for Laboratory Accreditation (A2LA) as a Cybersecurity Inspection Body for ISO/IEC 17020:2012 vide its Certificate Number: 5998.01.

The Cybersecurity Inspection Body Program accreditation provides added trust and assurance in the quality of assessments performed by databrackets. A2LA’s third-party accreditation offers an independent review of databrackets’ compliance to both ISO/IEC 17020 (Requirements for the operation of various types of bodies performing inspections) as well as competence in technical program requirements for the desired scope of accreditation (I.e. SOC II, HIPAA/HITECH, PCI, etc.).

databrackets received accreditation by the International Accreditation Service (IAS] to provide ISO/IEC 27001 Certification for Information Security Management Systems (ISMS) and joins an exclusive group of certification bodies.

To learn more about the services, read here.

Comparing NIST, ISO 27001, SOC 2, and Other Security Standards and Frameworks

Blog banner databrackets comparing security frameworks

Over the last decade, an increasing number of organizations have been demanding security and compliance based certifications before awarding contracts to SaaS and other service providers. This has lead to an increase in the demand for certifications like SOC 2, NIST, ISO 27001 etc. These certifications help to standardize the cybersecurity measures taken to protect data and safeguard the brand reputation of the organization. They have also led to critical benchmarks in various industries and need to be understood before your organization selects the right one.

We, at databrackets, with the help of our partners and consultants, have compared popular security standards and frameworks (mandatory and voluntary). Our analysis focuses on practical aspects you need to consider before implementing the controls under each framework.

To begin our comparison, we looked at Google Trends for the interest in these security frameworks over the last decade.

 

Security Standards Comparison Banner


As seen in the report, HIPAA/HITECH security standards have the highest interest level in the US market, followed by NIST, SOC 2, and ISO 27001.

 

Comparing Security Frameworks

 

The comparison parameters in the charts below focus on the information you need to get an overview of the security standards and their relevance to your organization.

Key Features
ISO 27001
SOC 2
NIST Standards
PCI-DSS
HIPAA / HITECH
Other Standards/ Frameworks (including FedRamp, CSA, HITRUST, Shared Assessments, etc.)
Notes
Certification
Yes
Yes
Not Applicable. You can get attested for compliance by a third-party.
Yes
There is no agency authorized to certify HIPAA compliance.
Yes
You need to engage the certifying bodies/ approved vendors.
Approach
Risk-based
Controls-based
Controls-based
Controls-based
Controls-based
Maps to individual frameworks of each standard body
Principle
Information Security Management Systems
Trust Services Criteria & Ethics
Control Families
PCIDSS standard
HIPAA rules including Technical, Administrative and Physical Safeguards
Depends on the individual frameworks of each standard
Technology platform specific controls are not covered by the standards /certification bodies
Certification Method
Authorized Certification Bodies
Authorized CPA Firm (Readiness Assessment can be done by a vendor)
Self (Audit and Attestation can be done by a third-party)
Authorized firm who have PCI-QSA Certified
Self (Audit and Attestation can be done by a third-party)
Third-party vendors
Third-parties require accreditation to issue certification
Best Suited For
Service Organization
Service/Product Organization
Different industries require different levels/standards of compliance
Service Organization
Healthcare, SaaS, and any organization handling Protected Health Information of US Citizens inclduing vendors handling PHI
Service/Product Organization
Some sort of security and data privacy certification is becoming a part of most industries
Popular in …
International
Companies operating in North America
US Federal/ Commercial / Manufacturing
International
USA
Companies operating in North America
Customer Acceptance (Customer Requirements)
Preferred (Mandatory in some cases)
Preferred (Mandatory in some cases)
Not Mandated
Preferred (Mandatory in some cases)
Mandatory
Depends on the Industry and marketplace where business is conducted
Duration
Point-in-time
6-month period(Type 2)
Point-in-time
3-6 Months
Point-in-time
Point-in-time
Surveillance audit is in place for most of the certifications
Certification Frequency
Every 3 years with annual surveillance audits
Annual
Not Applicable
Annual
Annual
Mostly Annual
Cost
$$
$$$
$$
$$$
$$
$$$ (HITRUST certifications cost 50k -200k)
Engaging an experienced vendor helps to ensure documentation and audit support. This saves cost in the long run.

Below is a quick summary of each security standard and framework:

NIST Security Guidelines

NIST Security Standards are based on best practices from several security resources, organizations, and publications. They were designed as a framework for federal agencies and programs requiring security measures. Several non-federal agencies have also implemented these guidelines to showcase that they comply with authoritative security best practices.

NIST Special Publication 800–53 is the most popular among the NIST security series. It provides the steps in the Risk Management Framework for security control selection for federal information systems. This is in accordance with the security requirements in Federal Information Processing Standard (FIPS) 200. The NIST Cybersecurity Framework (NIST CSF) has also attracted a lot of interest and attention from a variety of industries.

NIST has released the final version of Special Publication (SP) 800–219, Automated Secure Configuration Guidance from the macOS Security Compliance Project (mSCP). Security Professionals can leverage the macOS Security Compliance Project (mSCP) to secure and assess macOS desktop and laptop system security in an automated manner.

ISO 27001

ISO 27001, is a more risk-based standard for organizations of all shapes and sizes. Although there are more than a dozen standards in the ISO/IEC 27000 family, ISO/IEC 27001 is well known for defining the requirements for an information security management system (ISMS). ISO 27001 enables and empowers organizations of any kind to manage the security of assets such as financial information, intellectual property, employee details, or information entrusted to third parties. The latest update to ISO 27001 is scheduled to be released in late 2022.

SOC 2

reports assess the security controls of a Service Organization in accordance with AICPA’s Trust Services Principles: Security, Availability, Processing Integrity, Confidentiality and Privacy.

SOC 2 compliance is often included as the eligibility criteria for SaaS and other service providers as they bid for B2B contracts. Type 1 and Type 2 reports meet the needs of a broad range of B2B customers who want assurance about the security of their customer data.

HITRUST

HITRUST stands for the Health Information Trust Alliance. A HITRUST certification by the HITRUST Alliance enables vendors and covered entities to demonstrate compliance with HIPAA requirements based on a standardized framework.

HIPAA

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law that requires the creation of national standards to protect sensitive patient health information from being disclosed without the patient’s consent or knowledge.

The Department of Health and Human Services (HHS) Office of Civil Rights (OCR) allocated a proposed rule for changes to the act in December of 2020 and a Final Rule is expected in 2022 with the following changes:

Increased Patient Access — the HIPAA Right of Access into the HIPAA Privacy Rule allows individuals to be more in control of their health and well-being decisions, which includes but not limited to:.

  • Allow patients to inspect the medical record PHI in person and/or take notes or photos
  • Reduce the time needed to provide access to PHI from 30 to 15 days
  • Allow patients to request a transfer of their PHI to personal health applications.
  • To post estimated fee schedules for PHI access and disclosures

PCI-DSS

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards governed by the Payment Card Industry Security Standards Council (PCI SSC). This framework has been designed to secure credit and debit card transactions against data theft. PCI-DSS is a requirement for any organization that processes credit or debit card transactions. PCI certification is also considered the best way to safeguard sensitive data and information.

Cloud Security Alliance

The Consensus Assessments Initiative Questionnaire (CAIQ) v3.1. offers an industry-accepted way to document what security controls exist in IaaS, PaaS, and SaaS services, providing security control transparency. It provides a set of objective questions to a cloud provider to ascertain their compliance with the Cloud Controls Matrix (CCM).

FedRamp

The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program in the US that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP enables agencies to rapidly adapt old, insecure legacy IT to mission-enabling, secure, and cost-effective cloud-based IT.

Shared Assessments

Shared Assessments provide the best practices, solutions, and tools for third-party risk management to create an environment of assurance for outsourcers and their vendors.

How databrackets can help you comply with security regulations

databrackets specializes in assisting organizations to secure sensitive data and comply with regulatory requirements. By leveraging databrackets’ SaaS assessment platformawareness training, policies, procedures, and consulting expertise, our customers and partners are meeting the growing demands for data security and evolving compliance requirements more efficiently. Contact us here to learn more.