SOC & HIPAA Compliance

Transcription

1 2014 All Rights Reserved ecfirst An ecfirst Case Study: SOC & HIPAA Compliance

2 An ecfirst Case Study: Lunarline & HIPAA Compliance TABLE OF CONTENTS EXECUTIVE SUMMARY... 3 SECURITY OPERATIONS CENTER (SOC)... 3 LUNARLINE... 3 What is Lunarline?... 3 Why Lunarline?... 3 Lunarline Security... 4 Features... 4 Privacy Services... 5 Key Capabilities... 5 HIPAA Compliance... 6 HIPAA Security Rule Compliance... 6 HSCR Benefits... 6 HSCR Features... 6 Enterprise Compliance Console for HIPAA... 7 HEALTHCARE SECURITY SERVICES- HSS... 8 What is HSS?... 8 Why HSS?... 8 Compliance Solutions... 8 Physical security INETU What is INeTU? Why INetU? Features Compliance & Audits HIPAA Compliance Dashboard HIPAA Compliance Security Services REFERENCES All Rights Reserved ecfirst 2

3 An ecfirst Case Study: Lunarline & HIPAA Compliance EXECUTIVE SUMMARY Security Operations Center (SOC) A security operations center (SOC) is a centralized unit in an organization that deals with security issues, on an organizational and technical level. A SOC within a building or facility is a central location from where staff supervises the site, using data processing technology. Lunarline What is Lunarline? Lunarline builds Security Operations Center (SOC) Solutions. Its services concentrate on ensuring cyber security and privacy challenges. Lunarline has been the driving force behind some of the most successful SOC and NSOC operations in both the government and private sector. Why Lunarline? Lunarline s SOC solutions: Enterprise Governance and Cyber Security Protection Support (Full Incident Lifecycle) 24X7X365 Enterprise Managed Security Services Provider (MSSP) delivering Vulnerability Assessment Service, Incident response, centralized management of antivirus measures and Security Log Management Service Enterprise-wide Network Visibility and Discovery Service Securing networks and critical systems with real-time countermeasures Customer-Specific Real-Time Dashboards, Cyber Specific Threat, and Risk Scoring Dashboards with integration experience over 3000 types of structured and unstructured data types Secure installation, configuration, provision, and maintenance of NSOC Systems and Assets Monitoring, Analysis, Detection, and Defense of Organization Assets and Systems SOC / Monitoring / Log / Operational / Security / Privacy Architecture Development Full Incident Response Lifecycle and Forensics Support to include fly-away teams Integration of existing SOC investments into a Continuous Security Monitoring Capability Support of external Business Partner Monitoring (Trust but Verify Service) Advanced Persistent Threat (APT) and Insider Threat Monitoring, Forensic Sampling, and Focused Operations 2014 All Rights Reserved ecfirst 3

4 An ecfirst Case Study: Lunarline & HIPAA Compliance Independent Verification and Validation (IV&V) and Pen Testing Services Development of custom security and compliance monitoring solutions (Government, Healthcare, Financial, Insurance, and Critical Infrastructure) Privacy Breach Response and Data Loss Prevention (DLP) Services Basic and Advanced Cyber Security Awareness Training (online and handson) to include incident response testing support SOC Program Management and expert technical staff augmentation for surge operations to support installation and configuration of firewalls, intrusion prevention systems, malware detection devices, SSL VPNs, anti-virus, endpoint devices, and security assessment software Lunarline Security Lunarline is a Department of Veterans Affairs (VA)-certified Service-Disabled Veteran-Owned Small Business (SDVOSB) with an award winning and successful track record of providing cyber security solutions and support throughout the Federal Government and selected commercial communities. It is focused solely on cyber security, information assurance (IA), and privacy disciplines. Its cyber security service coverage and delivery is ISO and CMMi certified to ensure consistent quality, pricing, and on-time delivery, but more importantly its service coverage areas are managed by trained and certified domain experts. Features Lunarline develops a custom tailored FedRAMP solution. It has conducted over 500 successful Security Assessments and Authorizations, using the same standards required by FedRAMP. It offer a suite of training, services and products to streamline FedRAMP compliance and automate continuous monitoring. Training: It provides FedRAMP and security compliance training, tailored to customer's unique requirements and technology. It teaches them how to tailor controls, prepare documentation, identify and fix problems, and survive an assessment. Services: It provides a comprehensive suite of services designed to implement a tailored, efficient, lasting compliance program. Products: Its automated continuous monitoring products provide real-time insight into enterprise compliance posture All Rights Reserved ecfirst 4

5 An ecfirst Case Study: Lunarline & HIPAA Compliance Privacy Services Lunarline provides Privacy Professional Services such as a robust range of professional and technical services to assist customer in protecting personally identifiable information (PII) or Personal Data; protected health information (PHI); electronic health records (EHR); protected financial information; sensitive or special categories of data; and intellectual property (IP). Lunarline provides training on Privacy Training and Education It provides Privacy Services like: U.S. Privacy Services (Public and Private Sectors) Global Privacy Services Vendor and Cloud Privacy Assessments Mobile and Online Marketing Privacy Services Data Breach Response Services Key Capabilities Lunarline SOC helps organization to face the challenges of the modern cyber world. As a Managed Security Service Provider (MSSP), Lunarline integrates data from customer organization's IT and security tools into its comprehensive monitoring and correlation solution, housed safely in its secure, accredited facility. On a 24x7x365 basis, its SOC team analyzes this data to shed light on their network's darkest corners and keep a watchful eye on their enterprise security posture. Its MSSP support includes: Enterprise risk management Secure asset management Incident response and cyber forensics Advanced Persistent Threat detection and response Cyber threat intelligence Continuous monitoring Compliance posture reporting Data Loss Prevention Privacy breach response Insider Threat Detection Business partner monitoring 2014 All Rights Reserved ecfirst 5

6 An ecfirst Case Study: Lunarline & HIPAA Compliance Lunarline's approach consolidates and analyzes data from across the organization's network, capturing critical intelligence and providing real-time insight into enterprise risk. With custom dashboards and push button reporting - backed by Lunarline's expert cyber analysts - its SOC provides customers and their team with the situational awareness necessary to navigate an increasingly dangerous cyber world. Lunarline's MSSP support includes an Intrusion Detection System (IDS) and a Security Incident Event Manager (SIEM), both based on industry leading technology. HIPAA Compliance HIPAA Security Rule Compliance Lunarline provides the software called HIPAA Security Rule Compliance Reporter (HSCR) that deploys state of the art enterprise risk management technology to allow customer to meet the HIPAA Security Rule requirements for hospitals and their business associates. The software supports SCAP vulnerability scan data uploads and direct input or uploads of syslog data from perimeter security devices. Policy inputs include HIPAA specific questions and enhanced reporting. The HSCR console enables the monitoring of the HIPAA security rule compliance status of each business associate. The console allows for hospital access to real-time display of the HIPAA security rule compliance status of all active business associates as described in NIST HSCR Benefits Compliance limits liability Annual subscription based program Protects data Auditable reports Uses approved NIST methods Automates time consuming processes Automates extraction of syslog data HSCR Features Roadmap to full HIPAA compliance Continuously updated using Federal standards Software as a Service (SaaS) Secure Input (SSL) 2014 All Rights Reserved ecfirst 6

7 An ecfirst Case Study: Lunarline & HIPAA Compliance Encrypted Storage of input data Encrypted PDF Reports Supports SCAP vulnerability scan import Supports IPS/AV upload Enterprise Compliance Console for HIPAA This is the enterprise management compliance package. It includes a console that allows hospitals or distributed health care enterprises to access and to view the HIPAA security rule compliance status of all of their business associates. The console allows the hospital to review and display the HIPAA security rule compliance status of each or all active business associates that have been configured and authorized access All Rights Reserved ecfirst 7

8 An ecfirst Case Study: HSS & HIPAA Compliance Healthcare Security Services- HSS What is HSS? HSS Inc., one of America s leading outsourcing companies. They provide personalized, technical, and professional service programs to enhance the value of their customers business. HSS offers highly regarded programs in: Healthcare Security Aviation and Government Services Security Security Systems Integration Medical Equipment Management More Health Care Services Why HSS? HSS provides Cost-efficiency Proven security processes and best practices Full range of security programs and services Long-term commitment to your success Rigorous screening and hiring methods Extensive regulatory compliance expertise Skilled, trained healthcare security officers: experienced, reliable, responsible World class customer service Technology-driven rapid response operational support Compliance Solutions HSS Healthcare Security Compliance Solutions HSS is a leader in helping customers meet the many challenges of healthcare security compliance. The Joint Commission (TJC) HSS is a nationally recognized leader in applying TJC compliance strategies to customer security programs. HSS takes responsibility for planning all TJC Environment of Care requirements related to security. The Annual Effectiveness Review that HSS prepare for customers every year is considered a best practice by numerous TJC surveyors All Rights Reserved ecfirst 8

9 An ecfirst Case Study: HSS & HIPAA Compliance Health Insurance Portability and Accountability Act (HIPAA) HSS help customer ensure protection of your patients health information as stipulated by HIPAA, the Privacy Act of 1974, and their facility s patient privacy requirements. Security Operations Center (SOC) The HSS Security Operations Center (SOC), which exclusively supports HSS security, serves as the centralized monitoring and dispatch center for healthcare facilities nationwide. The key benefits of centralizing responsibility for all of customer facility s security-related telephone calls, alarm monitoring, emergency communications, and radio dispatching with HSS include: Accelerate officer response time. Expedite information sharing. Facilitate staff and visitor contact with security. Reduce dispatch costs. Significant Savings HSS has been able to cut costs 66% or more by moving customers dedicated security dispatch to HSS security and maintain or improve the quality and timeliness of response. Advanced Communications Technology HSS continually upgrade their technology to ensure they operate at the highest level of reliability and availability. HSS s Nextel communications system has three independent forms of communication cell phones, radios, and text messaging. If one, or even two, of these fail, the SOC can continue to provide critical communication to customer s security officers and responders. HSS has a Level 5 Emergency Access priority, which is the level just below the President, military, Congress, and first responders. This enhances their ability to communicate in an emergency or disaster. HSS use an uninterruptible power supply and generator back-up power for all SOC radio, phone system, and electrical circuits so they are able to maintain communication during emergencies, disasters, or power failures. All phone calls and radio transmissions are digitally recorded, which provides the documentation customer need for definitive complaint resolution and effective dispatcher training. Redundant servers ensure that calls are safely retained for future retrieval as needed All Rights Reserved ecfirst 9

10 An ecfirst Case Study: HSS & HIPAA Compliance Physical security Physical security is the heart of healthcare security. There simply is no substitute for the professional expertise and human touch of security officers at customer facility. But, given cuts in Medicare and Medicaid funding, hospitals need to ensure they are operating efficiently and cost-effectively. Supplementing physical security with carefully selected and properly applied electronic security is playing an increasingly important role in safeguarding the nation s healthcare facilities for several reasons: Technology brings new efficiencies to security programs that can lower cost. HSS Security Incident Management Software (SIMS) facilitates greater understanding of security incidents and provides faster, customized customer reporting. Officers use their mobile handheld devices to file incident reports, access information such as facility orders and BOLOs more quickly, and test security equipment and automatically log results. Video surveillance and analytics monitoring of parking lots and grounds supplements external patrols and extends the security presence beyond facility doors. Integrated Physical and Electronic Security HSS Systems Integration can do it all from expert design and engineering to installation, monitoring, maintenance, and repair. They ll set up systems so that they are easy to use and make sure customer s staffs are comfortable using them. With HSS as their physical security services provider, they ll ensure that technology effectively supports their security personnel All Rights Reserved ecfirst 10

11 An ecfirst Case Study: INeTU & HIPAA Compliance INeTU What is INeTU? The INetU is a hosting solutions and services company. It follows Customer Centric Approach at providing hosting services, it also includes assistance in designing, implementing, proactively monitoring and supporting the customer s environment as well as assisting with security, compliance, disaster recovery and performance plans. The INetU data centers are designed and managed with security and compliance in mind and that tie directly to customer s goal as a healthcare organization. They undergo independent audits; retain SOC3 and TRUSTe certification while practicing end-to-end security and compliance controls for their facilities, networks, servers and software. The INetU Healthcare Solution Includes: Security Operations Center (SOC) HIPAA Compliance Security Services HIPAA Compliance Dashboard Healthcare application support expertise Why INetU? INetU has over 17 years of experience hosting HIPAA compliant healthcare applications and have invested considerably to help their clients comply with all facets of the healthcare industry when it comes to application hosting. With INetU cloud environment, healthcare organizations can more quickly ensure HIPAA compliance without having to outlay huge capital investments in technology and manpower. Trained experts at INetU can act as trusted advisors to customer operations. Features Security Operations Center (SOC) INetU supply the expertise as well as the compliance capabilities. INetU has formed a SOC made up of a team of experts in security to engineer, implement and maintain the security services around the clock. Sensitive data and complex hosting often go hand in hand. Hence INetU is involved in security and compliance hosting and a team of experts (CISSPs, CISAs) to engineer, implement and maintain their security services around the clock, ready to respond at a moment s notice All Rights Reserved ecfirst 11

12 An ecfirst Case Study: INeTU & HIPAA Compliance Security As A Service Set it and forget it is not the right approach, but sadly it is the norm for security among Cloud hosters. The INetU SOC team keeps an eye on security so customers only have to worry about the security of their code and nothing else when they sign up for the INetU Security Suite. The SOC is the brains behind the tools that are keeping their sites secure. Experienced security experts review the SIEM logs and let them know if there is anything to be concerned about, they keep an eye on any anomalies detected by their IPS/IDS and Application Traffic Firewall. When they implement File Integrity Monitoring, these experts are the ones who respond to any concerning alerts. INetU Security Suite Managed By The security operations center (SOC) The INetU Managed Security Suite gives the protection that customer needs while helping them meet compliance and regulatory requirements such as PCI and HIPAA. INetU s Security Suite works across all types of environments including Dedicated Servers, Private Clouds, our Public Cloud, and even Hybrid Clouds. Customers have just one suite of products and one portal to manage them through no matter how complex their environment is. The Security Suite is designed to be used together to provide multiple layers of defense against attackers. This is a concept known as "Defense in Depth" - even if an attacker manages to get through one layer; there are still several more layers of defense to keep their data and applications safe. Application Traffic Firewall INetU Security Operations Center is watching for any signs of unusual activity on your protected site. In addition, Imperva's Application Defense Center (ADC) is constantly researching new attacks and vulnerabilities on the Internet and working to improve the WAF's ability to protect customers from them. INetU s Application Traffic Firewall solution meets the requirements set forth in PCI DSS Section 6.6 and is a component of the implied requirement of Security Best Practices under HIPAA (a). Dual Factor Authentication. Dual Factor Authentication takes one step further and requires customer to enter a code from a physical device in their possession in order to access their systems and Client Center at INetU. INetU s dual factor authentication service is available as either a USB key or an app for customer s smartphone so that all users can take advantage of this important security enhancement All Rights Reserved ecfirst 12

13 An ecfirst Case Study: INeTU & HIPAA Compliance INetU s dual factor authentication meets the requirements set forth in PCI DSS Section 8.3 and is a component of the requirements of HIPAA (d). Log Monitoring & Review With INetU, log monitoring and review collects detailed log information from the servers and devices in customer environment. These logs can be essential for detecting attempted security breaches, misused accounts, and even non-security related problems. INetU s SIEM solution meets the requirements set forth in PCI DSS section 10.6 and is a component of the requirements of HIPAA. File Integrity Monitoring File Integrity Monitoring (FIM) ensures that customer know if critical system or application files are replaced or modified. It's an extra layer of defense to ensure that they know quickly if their system has been compromised. INetU s FIM solution meets the requirements set forth in PCI DSS section Firewalls & VPNs Every solution at INetU is protected by a firewall with SSL VPN capability to allow remote users to administer servers seamlessly while protecting their environment by locking down remote access to authorized individuals. INetU s firewall solution meets the requirements set forth in PCI DSS sections 1.1.3, 1.14, and It's also a component of the implied requirement of Security Best Practices under HIPAA (a). Intrusion Detection System (IDS) / Intrusion Prevention System (IPS) An Intrusion Detection System watches the traffic coming in and out of customer environment for signs of an attack, notifying both customer and INetU the moment it sees anything out of the ordinary. An Intrusion Prevention System takes that one step further and stops the potential attack in its tracks. INetU s IDS/IPS solution meets the requirements set forth in PCI DSS Section Vulnerability Scanning INetU provide two types of vulnerability scanning - internal and external. External vulnerability scanning attempts to find weaknesses from the public internet. Internal vulnerability scanning looks for potential weaknesses from inside customer firewall to ensure that everything is secure even if an attacker manages to find a way into their environment All Rights Reserved ecfirst 13

14 An ecfirst Case Study: INeTU & HIPAA Compliance INetU s vulnerability scanning solution meets the requirements set forth in PCI DSS Sections , , and Compliance & Audits INetU s SOC is experienced in working with auditors to make sure they get the information they need to be comfortable that customer project is hosted in a secure and reliable environment. They have their SOC3 in Security, SSAE 16 Type II, PCI DSS Level 1 Certification and more across four global data centers. HIPAA Compliance Dashboard The INetU HIPAA Compliance Solution includes the HIPAA Compliance Dashboard. The dashboard provides high level and detailed views of the required HIPAA activities and procedures. Customers and their assigned INetU SOC can work together to assess their HIPAA compliance status for each item in the dashboard, understand any areas of non-compliance and address them as needed. HIPAA Compliance Security Services INetU provides these basic capabilities and more all of which should be considered as part of customer compliant environment to ensure a secure HIPAA compliant cloud infrastructure: Network Firewall Web Application Firewall (WAF) Intrusion Prevention System (IPS) and Intrusion Detection System (IDS) Device Hardening Virus Protection File Integrity Monitoring (FIM) Security Information and Event Monitoring (SIEM) Offsite Database Backup Database Backup Encryption External Vulnerability Scanning Internal Vulnerability Scanning Dual Factor System Authentication Multi-Factor Facility Authentication 2014 All Rights Reserved ecfirst 14

15 An ecfirst Case Study: INeTU & HIPAA Compliance Bottom-line Checklist Features/Capabilities Lunarline inetu HSS FedRAMP Yes No No HIPAA Compliance Yes Yes Yes Privacy Service Yes Yes Yes 2014 All Rights Reserved ecfirst 15

16 An ecfirst Case Study: INeTU & HIPAA Compliance REFERENCES er%20v1%200.pdf All Rights Reserved ecfirst 16

17 An ecfirst Case Study: INeTU & HIPAA Compliance Corporate Office 295 NE Venture Drive Waukee, IA Toll Free: x17 Phone: x17 Fax: All Rights Reserved ecfirst 17