HEALTHCARE SECURITY AND PRIVACY CATALOG OF SERVICES

Transcription

1 HEALTHCARE SECURITY AND PRIVACY CATALOG OF SERVICES OCTOBER North Fairfax Drive, Suite 308 Arlington, Virginia USA

2 OUR CLIENTS INCLUDE

3 Contents Healthcare Security Services... 4 Managed Cyber Security Operations Center Services... 5 Comprehensive Security Risk Assessment... 6 HIPAA Security Rule Consulting... 7 HIPAA Security Rule Training Services... 8 Data Breach Security Support... 9 HIPAA Compliance As Part of Enterprise IT Security International Healthcare Security Services Healthcare Privacy Services Business Associate Agreements (BAA) Preparation and Support HIPAA Privacy Training Privacy Policies and Procedures Development and Revision HIPAA Privacy Rule Consulting Services Data Breach Privacy Services Healthcare Privacy As Part of Enterprise Privacy... 18

4 Healthcare Security Services 4

5 Managed Cyber Security Operations Center Services 24x7x365 Cyber Security Operations Center Real-Time Monitoring & Around-the-Clock Cybersecurity Services Our Cyber Security Operations Center Managed Services Offerings Include: Real-time vulnerability detection Continuous Monitoring Services Continuous Diagnostics and Mitigation (CDM) Services Real-time vulnerability detection Ensure 24/7/365 healthcare IT compliance Immediate Breach response and remediation support. Data Loss Prevention (DLP) products and services. Lunarline s Kettering, Ohio Cyber Security Operations Center (SOC) 5

6 Comprehensive Security Risk Assessment The need for an in-depth security risk assessment exists across many industries and numerous disciplines. Organizations that handle or maintain data must take steps to ensure the data is kept confidential and secure. Protecting against malicious hackers, environmental threats, human error, and other contingencies is now an everyday part of business. Lunarline s industryleading IT security assessment team can provide the support needed to keep your organization s data safe. Lunarline has proven industry experience conducting security assessments against the following frameworks: Health Insurance Portability and Accountability Act (HIPAA) Security Rule NIST Risk Management Framework (RMF) with mapping to NIST SP HIPAA ISO/IEC Information Security Management Standards Payment Card Industry Data Security Standard (PCI-DSS) Federal Risk Management and Authorization Program (FedRAMP) for Cloud Service Providers In addition to these specific frameworks, Lunarline offers a host of related services that augment our assessment services. These include: Data Breach Security Support Continuous Network Monitoring Managed Security Operations Center Contingency Planning Penetration Testing Comprehensive Security Training Physical Security 6

7 HIPAA Security Rule Consulting Lunarline provides industry-leading HIPAA security consulting services. The core aspects of these services are centered on HIPAA s Security Rule. Lunarline s healthcare experts can assist in the following areas: Gap Analysis based upon the Security Rule s Administrative, Physical, and Technical Safeguards. Determining what systems or networks are subject to the Security Rule. Conducting comprehensive technical and manual scans of the appropriate systems and networks to identify areas of weakness. Creation or revision of the policies and procedures required by the Security Rule, including, but not limited to: o Security Management Plan o Contingency and Disaster Recovery Plan o Workforce Security Plan o Facility Access Plan o Logical Access Plan o Audit Plan o Data Retention and Disposal Plan Support the regular and periodic testing of Contingency planning and disaster recovery procedures. Provide a Risk Assessment of the state of system compliance per the mandate of HIPAA. Provide recommendations for the remediation of any areas of non-compliance. Network, workstation, and device hardening. Business Associate Agreement creation or revision. Consult organizations from covered entities to downstream business associates. 7

8 HIPAA Security Rule Training Services In addition to a broad selection of IT security courseware, Lunarline provides HIPAA training across the following topics: Introduction to HIPAA and HITECH, and how they relate. Post-Omnibus Rule Best Practices. Understanding HIPAA s Security Rule Administrative Safeguards. Understanding HIPAA s Security Rule Physical Safeguards. Understanding HIPAA s Security Rule Technical Safeguards. Understanding HIPAA s Risk Assessment requirements. Security awareness and training per the Security Rule. Breach mitigation and response handling. These training services can be provided via several media, and can be tailored to very specific audiences. Our training delivery can occur via: Computer-based training modules. Instructor-led training. In person personnel training, specific to each client s needs. Creation of document-based training, specific to each client s needs. Training audiences include: IT staff Legal department Compliance department General workforce / office personnel C-level executives 8

9 Data Breach Security Support Data breaches are an unfortunate aspect of doing business. In this day and age, the concern is not if my data is breached, but when my data is breached. The realities of cybercrime and unintentional user error make breach response vital. Lunarline can provide the key services necessary to reduce the potential of breaches, and to remediate them with the efficiency required to maintain your business reputation. The services include: HIPAA Security Rule audits to identify the weaknesses that could lead to a data breach. Addressing those weaknesses to increase data security. Establishment or revision of the Breach Response Plan. Breach response readiness and post-breach procedures. Breach Notification Rule guidance. Breach response testing. 7 9

10 HIPAA Compliance As Part of Enterprise IT Security Lunarline appreciates that many organizations seek HIPAA compliance as one of many other IT security frameworks. This means that HIPAA compliance is only one of several compliance areas with which they must comply. Lunarline is very comfortable approaching HIPAA compliance as being part of a larger compliance whole, and can integrate the following capabilities into our HIPAA auditing and assessment services. Combining compliance efforts across several frameworks leads to increased efficiency, less exhaustion of resources, and less depletion of budget. NIST Risk Management Framework (RMF) consulting with mapping to NIST SP HIPAA Security Rule Implementation and ISO/IEC Information Security Management Standards Ethical hacking Penetration testing Mobile device security and handling the internet of everything (IOT) IT security training across several disciplines, such as those indicated above Network Architecture Audits Remote Access Security Data Encryption and Data Loss Prevention Consulting Services 10

11 International Healthcare Security Services It is increasingly common for healthcare data and electronic Protected Health Information (ephi) to be sent overseas for handling, managing, or storing. Services such as medical transcription, healthcare data entry and processing, medical billing and coding, and other clinical support can be accomplished in foreign countries at reduced costs. However, the cost savings may be offset by greater data security risk, considering that as ephi moves further from your facility, the ability to control and protect it is substantially reduced. So how does a covered entity or a business associate ensure its ephi remains secure when it s sent off-shore to a country that s not bound by U.S. law? Lunarline can craft tailored strategies to ensure your foreign vendors or subcontractors are using appropriate safeguards to protect the confidentiality and security of the ephi that crosses their networks. These strategies include: Assessing the strength of security controls employed by the foreign entity and its state of HIPAA Security Rule compliance Evaluating encryption methods used by the foreign entity Assessing the data privacy methods implemented, as applicable, such as: o NIST Appendix J Privacy Controls o HIPAA s Privacy Rule o EU Data Privacy Directive Reviewing the foreign entity s data security and privacy policies and procedures Draft and review Associate Agreements (BAAs) Ensuring security and privacy awareness training is conducted on a regular basis for all foreign personnel 11

12 Healthcare Privacy Services 12

13 Business Associate Agreements (BAA) Preparation and Support Business Associate Agreements are a fundamental aspect of HIPAA compliance, and with the introduction of HIPAA s Omnibus Rule, are more important than ever. Lunarline s team of HIPAA experts can: Draft HIPAA-compliant BAAs. Audit existing BAAs and provide related Gap Analyses. Revise and update existing BAAs. 13

14 HIPAA Privacy Training Lunarline s privacy training covers the key aspects of HIPAA s Privacy Rule. Training topics include: Overview of the Privacy Rule. Required Disclosure of PHI. Permitted Disclosure of PHI. Authorized Disclosure of PHI. Breach Notification Rule. Minimum Necessary Standard. Administrative Requirements of the Privacy Rule. Lunarline can also create highly-tailored privacy training for your organization, or revise and update your existing privacy training library. The training services can be provided via several media. Our training delivery can occur via: Customized and/or role-based training (including to Executives and the C-Suite). Training deployment provided at location of choice (including Lunarline facilities). Training can be web based or instructor led courses. Training material to include graphics and animation. 14

15 Privacy Policies and Procedures Development and Revision An organization demonstrates compliance with HIPAA s Privacy Rule by its policies and procedures. As such, having a robust, complete, and current library of Privacy Policies is required. Lunarline s healthcare department provides in-depth Privacy Rule support, including: Development or revision of policies and procedures regarding the use and disclosure of PHI. o Required Uses and Disclosures. o Permitted Uses and Disclosures. o Authorized Uses and Disclosures. o Limiting Uses and Disclosures to the Minimum Necessary. Development or revision of policies complying with the Breach Notification Rule. Development or revision of policies and procedures complying with the Privacy Rule s Administrative requirements. 15

16 HIPAA Privacy Rule Consulting Services Understanding and complying with the Privacy Rule is a complex endeavor. It requires knowledge of, among other things, the Final HIPAA Omnibus Rule, the HITECH Act, HIPAA s Security Rule, and the flow of PHI through the organization. Lunarline provides comprehensive Privacy Rule consulting services, including: Privacy Rule Assessment and Gap Analysis. Audit of implemented procedures governing the use and disclosure of PHI. Remediation support for compliance gaps derived from audits. Development and revision of notice and consent processes. Development and revision of various privacy policies and procedures required by the Privacy Rule. o Minimum Necessary. o Access and Uses. o Disclosures and Requests for Disclosures. 16

17 Data Breach Privacy Services Data breaches are becoming more prevalent. Organizations today must dedicate resources to preventing and responding to them as one breach can devastate a business. Lunarline provides data breach support, including: System, policy, and procedure hardening to reduce the likelihood of a data breach. Creating formal breach notification plans that address the actions necessary for compliance with various HIPAA regulations, such as the Breach Notification Rule. Training staff on their roles and responsibilities to both preempt and remediate data breaches. Data loss prevention tool planning and implementation. 17

18 Healthcare Privacy As Part of Enterprise Privacy Maintaining the privacy of PHI is only one aspect in the larger data privacy picture. It s common for organizations to have data privacy responsibilities beyond those mandated by the Privacy Rule, and Lunarline is highly capable of integrating Privacy Rule compliance with other data privacy frameworks and data privacy programs. Accordingly, Lunarline can support Privacy Rule compliance in conjunction with the following: NIST Rev. 4: Appendix J Privacy Controls. ISO/IEC Information Security Management Standards Generally Accepted Privacy Principles (GAPP). Fair Information Practice Principles (FIPPs). Safe Harbor Rules. Organization for Economic Cooperation and Development (OECD) Guidelines. Asia Pacific Economic Cooperation (APEC) Privacy Framework. 18

19 HEALTHCARE SECURITY AND PRIVACY PRACTICE WEBSITES