HIPAA Compliance and Auditing in the Public Cloud
- Jody Bailey
This paper outlines what HIPAA compliance involves in the cloud era. It is aimed at enterprise IT leaders who want to become more familiar with the requirements and, especially, with how to meet them when running on a public cloud infrastructure such as Amazon Web Services or Microsoft Azure. It details the different rules that govern the handling of Protected Health Information (PHI).

As noted in a February 2017 press release by the U.S. Department of Health and Human Services (HHS), Memorial Healthcare System (MHS) paid HHS $5.5 million to settle potential violations of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. According to the release, MHS failed to enforce user access procedures and to review system logs of activity on its applications.

"Organizations must implement audit controls and review audit logs regularly. As this case shows, a lack of access controls and regular review of audit logs helps hackers or malevolent insiders to cover their electronic tracks, making it difficult for covered entities and business associates to not only recover from breaches, but to prevent them before they happen." (Robinsue Frohboese, Acting Director, HHS Office for Civil Rights)

HIPAA compliance requires continuous monitoring and logging of the network and of information assets. In this white paper we outline what is required to keep a public cloud environment secure and give practical recommendations for auditing it.
Overview: HIPAA & Digital Transformation

The American health industry's accelerated digital transformation and massive cloud adoption called for more scrutiny of the rules protecting an individual's privacy, particularly because of the implications the cloud had for data security and potential breaches. In response, the U.S. Government and HHS reviewed and revised the earlier HIPAA rules, procedures, and policies. This effort produced the HITECH Act of 2009. HITECH imposed stiffer penalties for HIPAA violations and required breaches, including relatively small ones, to be reported to HHS and to the affected individuals (and, for larger breaches, to the media). The Act also introduced the "meaningful use" definition and extended the application of HIPAA's Privacy and Security Rules to business associates.

Along with increased public cloud adoption by enterprises, HIPAA regulation has continued to evolve (and is still evolving), as exemplified by the publication of the HIPAA Omnibus Rule in 2013. Its major implication was that business associates, including public cloud providers, became directly liable for HIPAA compliance.

Who must comply

HIPAA applies to covered entities (health care providers, health plans, and health care clearinghouses) and to business associates of covered entities (a person or entity that performs or assists with functions or activities involving the use or disclosure of PHI on behalf of a covered entity). Organizations that carry out both covered and non-covered activities are designated hybrid entities; the HIPAA requirements apply only to the covered health care component.
HIPAA Rules

The rules most affecting HIPAA/HITECH compliance and governance in the cloud, and generally any PHI-related activity, are:

Privacy Rule: This general rule applies to all forms of an individual's protected health information, whether electronic, written, or oral. It establishes the federal standards for safeguarding the privacy of PHI, gives patients a wide array of rights, and determines who exactly has to comply.

Security Rule: In contrast to the Privacy Rule, this rule applies only to electronic protected health information (ePHI). It directly affects all covered entities and business associates operating in the cloud, cloud service providers (CSPs) included. It is organized into three groups of safeguards (administrative, physical, and technical), each containing standards with implementation specifications. An implementation specification is either required (it must be implemented as specified) or addressable (the entity must assess whether it is reasonable and appropriate in its environment; if not, it must document why and implement an equivalent alternative measure where appropriate). "Addressable" does not mean optional. See the HHS HIPAA FAQs on the topic.

Enforcement Rule: This rule outlines investigations, penalties for noncompliance, and procedures for hearings. It also establishes the rules governing the compliance responsibilities of covered entities. HITECH later added a tiered increase in penalty amounts based on culpability.

Breach Notification Rule: Also modified by the HITECH Act, this rule requires covered entities and business associates to notify individuals when their unsecured PHI is breached, and specifies the required form and delivery method of the notification. Breaches affecting 500 or more individuals must also be reported to the HHS Secretary without unreasonable delay, and those affecting more than 500 residents of a state or jurisdiction must additionally be reported to prominent media outlets; smaller breaches are logged and reported to HHS annually.
Choosing a cloud service provider

When choosing a cloud service provider (AWS, Azure, Google, etc.), make sure the provider will sign a Business Associate Agreement (BAA). As a business associate the provider is then directly subject to audits and investigations by the HHS Office for Civil Rights (OCR), accountable for a data breach, and liable to fines for noncompliance. There is no certification or seal of approval for HIPAA/HITECH compliance, and HHS does not endorse one. The service provider should instead demonstrate how it fulfils the HIPAA rules and recommendations, ensuring the integrity and safety of all data residing in its data centers. Beyond audits by OCR or accredited independent auditors, it is strongly recommended that cloud vendors, including CSPs, managed service providers (MSPs), and third-party technology vendors, also hold independent attestations such as NIST-based assessments, ISO 27001, and SOC reports (SOC 1/SOC 2 Type II, which replaced the SAS 70 Type II report in 2011).
Compliance in the Public Cloud

HIPAA is all about privacy, security, data segregation, encryption and key management, role assignment, policies, risk analysis and management, and access monitoring. With all this potential liability, why are enterprises willing to outsource their IT infrastructure to third-party public cloud vendors? Because, as mentioned, liability has been extended to business associates. In February 2013, the HIPAA Omnibus Final Rule modified the business associate definition: "...any data storage company that has access to protected health information (whether digital or hard copy) qualifies as a business associate, even if the entity does not view the information or only does so on a random or infrequent basis..."

This means that, compared with the traditional scope of liability, your enterprise can move part of the liability to its cloud infrastructure and managed services vendors. It also means that HHS has made running a HIPAA-sensitive, compliant information platform a shared effort and a shared responsibility. AWS, for instance, formalized this in its Shared Responsibility Model (Figure 1). After signing a BAA, the customer (the covered entity or business associate) remains responsible for customer data, platforms, applications, and identity and access management, together with everything not directly maintained by the CSP: guest operating systems, firewalls and security groups, and encryption at rest and in transit.

A good example of shared responsibility is AWS Identity and Access Management (IAM). Amazon provides the capability; enterprise IT must then apply the principle of least privilege (PoLP): keep the account root user out of day-to-day use (protect it with MFA and no access keys), grant permissions through IAM groups and roles rather than to individual users, and scope each policy to the specific actions and resources a workload needs.
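As an added illustration of the least-privilege point above (example code, not from the original paper, from CloudCheckr, or from AWS), the following Python script lints IAM policy documents for the patterns that most often break PoLP: wildcard actions, wildcard actions on all resources (full admin), NotAction/NotResource grants, and sensitive actions such as iam:PassRole allowed on every resource without a Condition. The two policy documents, the bucket and KMS key ARNs, and the account id are constructed placeholders; the script makes no AWS calls so it runs offline, and in practice you would feed it the documents returned by iam.get_policy_version().

```python
"""Lint IAM policy documents for common least-privilege violations.

Added example, not CloudCheckr's or AWS's code. The policies below are
constructed for illustration. Only Allow statements are examined; explicit
Deny statements and permission boundaries are not modelled here.
"""
import json

# Constructed sample: an over-broad policy attached "to get things working".
OVERBROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:PassRole"], "Resource": "*"},
    ],
}

# Constructed sample: a scoped policy for an app tier reading PHI objects from one bucket.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject"],
            "Resource": "arn:aws:s3:::example-phi-bucket/records/*",
            "Condition": {"Bool": {"aws:SecureTransport": "true"}},
        },
        {
            "Effect": "Allow",
            "Action": ["kms:Decrypt"],
            "Resource": "arn:aws:kms:us-east-1:123456789012:key/example-key-id",
        },
    ],
}

# Actions that should never be granted on Resource "*" without a Condition.
SENSITIVE_ACTIONS = {
    "iam:PassRole", "iam:CreateAccessKey", "sts:AssumeRole",
    "kms:Decrypt", "s3:GetObject",
}


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return (statement_index, finding) tuples for every Allow statement that breaks PoLP."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        has_condition = bool(stmt.get("Condition"))
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append((idx, "uses NotAction/NotResource (grants everything not listed)"))
        wildcard_actions = [a for a in actions if a == "*" or a.endswith(":*")]
        for action in wildcard_actions:
            findings.append((idx, f"wildcard action {action!r}"))
        if "*" in resources:
            for action in actions:
                if action in SENSITIVE_ACTIONS and not has_condition:
                    findings.append((idx, f"{action} allowed on all resources without a Condition"))
            if wildcard_actions:
                findings.append((idx, "wildcard action combined with Resource '*' (full admin)"))
    return findings


def is_least_privilege(policy):
    """True when the linter raises no findings for the policy."""
    return not audit_policy(policy)


if __name__ == "__main__":
    for name, pol in (("overbroad", OVERBROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, json.dumps(audit_policy(pol), indent=2))
```

Running the script reports three findings for the over-broad policy and none for the scoped one. The linter is deliberately strict: a Resource of "*" is sometimes unavoidable (for example, ec2:DescribeInstances does not support resource-level permissions), so treat its output as a review queue rather than a pass/fail gate.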
Cloud users, as covered entities, and their business associates are responsible for protecting and encrypting patients' PHI even on a managed cloud, while CSPs are responsible for running their infrastructure in accordance with HIPAA and for stating exactly which of their services are covered by their BAA.

Figure 1: AWS shared responsibility model. Customer (responsible for security IN the cloud): customer data; platform, applications, identity and access management; client-side data encryption and data integrity authentication; server-side encryption (file system and/or data). AWS (responsible for security OF the cloud): compute, storage, database, networking; AWS global infrastructure (regions, availability zones, edge locations).
Auditing the Cloud

Many CSPs provide customers with native audit tooling to help them cope with Phase 2 of the OCR HIPAA Audit Program, which since 2016 allows OCR to audit covered entities and business associates without a prior formal complaint. The Shared Responsibility Model described above, however, leaves organizations in charge of auditing and governing the applications and data they run on the cloud. Because HIPAA/HITECH and the federal rules on handling protected health information keep evolving, covered entities and business associates would be wise to adopt third-party solutions. Identifying and adopting the right solution partner, one that integrates management tools and specific assessment methodologies, is necessary nowadays to run a HIPAA-compliant organization in the cloud.

For effective management of cloud infrastructure and data, security and governance are best handled together. Security configuration, compliance, and monitoring should be automated and easily verifiable. With a cloud management platform, this kind of monitoring and governance can be unified, offering comprehensive and prioritized insights for maintaining security posture. For IaaS especially, the use of up-to-date tools integrated with the CSP's APIs and services is crucial.

Key monitoring and auditing tasks of a HIPAA-compliant enterprise IT team:

- Analyze and reduce attack vectors and attack surface
- Assess the perimeter of the internal private networks
- Manage access control, including role definition, user group permissions, and allowed actions
- Segregate data and applications behind multiple physical and logical defensive layers
- Monitor external and internal threats (attacks and misconfigurations)
For auditing or incident response, being able to produce a historical, detailed record of all infrastructure resources, data access, configurations, and user permissions is critical. Keeping that data in order lets your cloud operations team reconstruct the state of the infrastructure at a given point in time, so that an event can be analyzed without halting ongoing activity such as user access.

Modern NOCs should unify and integrate modern, cloud-compatible tools that provide automatic security configuration, activity monitoring, automated alerting, actionable insights, and remediation options. The framework as a whole should aggregate and digest large volumes of data, offer an easy-to-use interface and controls that fit into day-to-day IT and security team processes, and ease and accelerate identification and remediation.

Use Case: Auditing Your AWS Deployment

When it comes to auditing, you need to know which tools to use and what each one gives you. Before choosing tools, note that not every AWS service is HIPAA eligible, that is, covered by the AWS BAA; check the AWS HIPAA compliance page closely and keep PHI only in eligible services. The sample topology below, provided by AWS, represents a three-tier application deployed in one VPC across two availability zones. Public (DMZ) subnets host the proxies; private subnets host the application and database tiers. AWS provides the building blocks to define and secure the deployment network: the VPC itself, security groups, network access control lists (NACLs), and route tables. All of these can be monitored and audited through the AWS APIs and with AWS native logging and monitoring tools. The right-hand side of Figure 2 lists the tools AWS provides for managing security and auditing the deployment.
Figure 2: Amazon cross-availability-zone and VPC auditing. The diagram shows one VPC spanning Availability Zone 1 and Availability Zone 2, each with a DMZ subnet (proxies) and two private subnets. VPC security building blocks: routing tables, network ACLs, security groups. VPC auditing tools: VPC Flow Logs, CloudTrail, CloudWatch, AWS Config, Trusted Advisor.
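As an added example (not code from the paper, from CloudCheckr, or from AWS), the following Python script checks VPC Flow Log records against the three-tier model of Figure 2: only proxies in the DMZ subnets may reach the application port, only the application subnets may reach the database port, and nothing outside the VPC may be accepted into a private subnet. The subnet ranges, ports, account id, interface id, and log lines are constructed assumptions; the record layout is the default (version 2) VPC Flow Log format. A script like this is what the "assess the perimeter of the internal private networks" task looks like once flow logs are being delivered.

```python
"""Check VPC Flow Log records against the intended three-tier topology.

Added example, not from the original page or from AWS. Subnet ranges, ports
and the sample lines are constructed. Default flow log record layout:
version account-id interface-id srcaddr dstaddr srcport dstport protocol
packets bytes start end action log-status
"""
import ipaddress
from collections import namedtuple

# Assumed topology (not from the page): one VPC, one subnet per tier per AZ.
VPC = ipaddress.ip_network("10.0.0.0/16")
DMZ_SUBNETS = [ipaddress.ip_network("10.0.0.0/24"), ipaddress.ip_network("10.0.10.0/24")]
APP_SUBNETS = [ipaddress.ip_network("10.0.1.0/24"), ipaddress.ip_network("10.0.11.0/24")]
DB_SUBNETS = [ipaddress.ip_network("10.0.2.0/24"), ipaddress.ip_network("10.0.12.0/24")]
APP_PORT, DB_PORT = 8080, 5432

FlowRecord = namedtuple("FlowRecord", "src dst srcport dstport protocol action")


def parse_flow_line(line):
    """Parse one default-format record; returns None for NODATA/SKIPDATA records."""
    f = line.split()
    if len(f) != 14 or f[0] != "2":
        raise ValueError(f"unexpected record layout: {line!r}")
    if f[13] != "OK":
        return None  # NODATA / SKIPDATA records carry '-' in the address fields
    return FlowRecord(ipaddress.ip_address(f[3]), ipaddress.ip_address(f[4]),
                      int(f[5]), int(f[6]), int(f[7]), f[12])


def _tier(addr):
    """Map an address to the tier whose subnet contains it."""
    for name, nets in (("dmz", DMZ_SUBNETS), ("app", APP_SUBNETS), ("db", DB_SUBNETS)):
        if any(addr in n for n in nets):
            return name
    return "vpc" if addr in VPC else "external"


def classify(rec):
    """Return a finding string for an accepted flow that violates the tier model, else None."""
    if rec.action != "ACCEPT":
        return None  # REJECTs were already blocked by a security group or NACL
    src, dst = _tier(rec.src), _tier(rec.dst)
    if dst == "db" and rec.dstport == DB_PORT and src != "app":
        return f"db tier reached from {src} tier: {rec.src}->{rec.dst}:{rec.dstport}"
    if dst == "app" and rec.dstport == APP_PORT and src not in ("dmz", "app"):
        return f"app tier reached from {src} tier: {rec.src}->{rec.dst}:{rec.dstport}"
    if src == "external" and dst in ("app", "db"):
        return f"external source accepted into private {dst} subnet: {rec.src}->{rec.dst}:{rec.dstport}"
    return None


def audit_flow_logs(lines):
    """Run every record through the tier model and collect the violations."""
    findings = []
    for line in lines:
        rec = parse_flow_line(line)
        if rec is not None:
            finding = classify(rec)
            if finding:
                findings.append(finding)
    return findings


# Constructed sample records (account id and interface id are placeholders).
SAMPLE_LINES = [
    # proxy -> app: expected
    "2 123456789012 eni-0a1b2c3d 10.0.0.15 10.0.1.20 51234 8080 6 10 1500 1600000000 1600000060 ACCEPT OK",
    # app -> db: expected
    "2 123456789012 eni-0a1b2c3d 10.0.1.20 10.0.2.30 44321 5432 6 20 4000 1600000000 1600000060 ACCEPT OK",
    # proxy -> db directly: violation of the tier model
    "2 123456789012 eni-0a1b2c3d 10.0.0.15 10.0.2.30 44999 5432 6 5 800 1600000000 1600000060 ACCEPT OK",
    # internet -> app port accepted: security group or NACL too permissive
    "2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.1.20 40000 8080 6 3 300 1600000000 1600000060 ACCEPT OK",
    # internet -> db, rejected: no finding
    "2 123456789012 eni-0a1b2c3d 198.51.100.7 10.0.2.30 40001 5432 6 1 60 1600000000 1600000060 REJECT OK",
    # NODATA record: skipped
    "2 123456789012 eni-0a1b2c3d - - - - - - - 1600000000 1600000060 - NODATA",
]

if __name__ == "__main__":
    for finding in audit_flow_logs(SAMPLE_LINES):
        print(finding)
```

The sample produces two findings (proxy to database, and an internet source accepted on the application port). Because flow logs carry no payload and are aggregated over capture windows, a finding tells you a path exists that the design says should not, which is exactly the question an auditor asks; confirming what crossed that path needs application or database logs.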
A few tools that are really handy for auditing:

AWS VPC Flow Logs: Assess the perimeter of the internal private networks with VPC Flow Logs, which record metadata (addresses, ports, protocol, byte counts, and the accept/reject decision) for traffic crossing the network interfaces in your VPC, and deliver them to Amazon CloudWatch Logs (or Amazon S3) for tracking and alerting. Flow logs contain no packet payload, and some traffic, such as queries to the Amazon DNS resolver, is not captured.

AWS CloudTrail: Keep a comprehensive log of API calls made through the AWS Management Console, the AWS SDKs, the AWS CLI, or other AWS services. The default event history is retained for only 90 days, so create a multi-region trail that delivers to an S3 bucket with log file validation enabled; that makes the audit record both durable and tamper-evident.

AWS Config: Get a detailed, point-in-time view of the configuration of your AWS resources together with a history of changes, with alerts on changes, to ease auditing and breach analysis.

Amazon CloudWatch: Finally, use CloudWatch Alarms on the metrics and log-derived metric filters you want to track, to fire alerts or react automatically to resource changes.

Once these components are enabled and configured, data flows separately from each source. This is raw data: the foundation of your compliance regime, but not automatically in a usable format. It requires translation and analysis before it fully satisfies your compliance mandate.

Why it matters: To monitor your deployment's security effectively, you must process and analyze the logs and events into meaningful, actionable insights. This is where third-party solutions can help. An aggregated, centralized view of the data sources, with prioritized recommendations for improving your compliance posture, is critical for maintaining HIPAA compliance. Though this use case focuses on AWS alone, if you operate in a multi-cloud environment, look for solutions that give you a single, aggregated view.
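To show what "translation and analysis" of CloudTrail data means in practice, here is an added example (not code from the paper, from CloudCheckr, or from AWS) that runs a handful of detections over CloudTrail events: root account activity, a successful console login without MFA, a security group opened to 0.0.0.0/0 or ::/0, trail tampering (StopLogging, DeleteTrail, UpdateTrail), S3 exposure changes, and a KMS key scheduled for deletion. The five events are constructed, with placeholder account id, ARNs, and user names; their field names follow the CloudTrail record format (eventName, userIdentity, requestParameters, additionalEventData, responseElements). In production you would read the gzipped JSON objects the trail delivers to S3, each of which holds a "Records" list of such events.

```python
"""Flag security-relevant CloudTrail events an audit reviewer would want to see.

Added example, not from the original page or from AWS. The events below are
constructed; account ids, ARNs and user names are placeholders.
"""
import json


def _world_open_ingress(event):
    """True if an AuthorizeSecurityGroupIngress call opens a rule to 0.0.0.0/0 or ::/0."""
    params = event.get("requestParameters") or {}
    for perm in (params.get("ipPermissions") or {}).get("items", []):
        for rng in (perm.get("ipRanges") or {}).get("items", []):
            if rng.get("cidrIp") == "0.0.0.0/0":
                return True
        for rng in (perm.get("ipv6Ranges") or {}).get("items", []):
            if rng.get("cidrIpv6") == "::/0":
                return True
    return params.get("cidrIp") == "0.0.0.0/0"  # older single-rule request form


def detect(event):
    """Return a list of finding labels for one CloudTrail event (empty if nothing matched)."""
    findings = []
    name = event.get("eventName", "")
    identity = event.get("userIdentity") or {}
    if identity.get("type") == "Root":
        findings.append("root account activity")
    if name == "ConsoleLogin":
        extra = event.get("additionalEventData") or {}
        response = event.get("responseElements") or {}
        # Note: federated (SAML) logins may report MFAUsed "No" even when the IdP enforced MFA.
        if extra.get("MFAUsed") != "Yes" and response.get("ConsoleLogin") == "Success":
            findings.append("console login without MFA")
    if name in ("StopLogging", "DeleteTrail", "UpdateTrail"):
        findings.append(f"audit trail tampering: {name}")
    if name == "AuthorizeSecurityGroupIngress" and _world_open_ingress(event):
        findings.append("security group opened to the internet")
    if name in ("PutBucketAcl", "PutBucketPolicy", "DeleteBucketEncryption"):
        findings.append(f"S3 exposure risk: {name}")
    if name == "ScheduleKeyDeletion":
        findings.append("KMS key scheduled for deletion")
    return findings


def triage(events):
    """Return (eventID, findings) for every event that produced at least one finding."""
    out = []
    for event in events:
        findings = detect(event)
        if findings:
            out.append((event.get("eventID"), findings))
    return out


# Constructed sample events.
SAMPLE_EVENTS = [
    {   # benign read-only call by an IAM user
        "eventID": "ev-1", "eventName": "DescribeInstances", "eventSource": "ec2.amazonaws.com",
        "userIdentity": {"type": "IAMUser", "userName": "app-deployer"},
        "requestParameters": None,
    },
    {   # root user signs in to the console without MFA
        "eventID": "ev-2", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
        "userIdentity": {"type": "Root"},
        "additionalEventData": {"MFAUsed": "No"},
        "responseElements": {"ConsoleLogin": "Success"},
    },
    {   # database port opened to the whole internet
        "eventID": "ev-3", "eventName": "AuthorizeSecurityGroupIngress", "eventSource": "ec2.amazonaws.com",
        "userIdentity": {"type": "IAMUser", "userName": "dba"},
        "requestParameters": {
            "groupId": "sg-0example",
            "ipPermissions": {"items": [{"ipProtocol": "tcp", "fromPort": 5432, "toPort": 5432,
                                         "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]},
        },
    },
    {   # someone switches the audit trail off
        "eventID": "ev-4", "eventName": "StopLogging", "eventSource": "cloudtrail.amazonaws.com",
        "userIdentity": {"type": "IAMUser", "userName": "contractor"},
        "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:123456789012:trail/example"},
    },
    {   # IAM user console login with MFA: benign
        "eventID": "ev-5", "eventName": "ConsoleLogin", "eventSource": "signin.amazonaws.com",
        "userIdentity": {"type": "IAMUser", "userName": "analyst"},
        "additionalEventData": {"MFAUsed": "Yes"},
        "responseElements": {"ConsoleLogin": "Success"},
    },
]

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_EVENTS), indent=2))
```

Run against the sample, the triage reports ev-2 (two findings), ev-3, and ev-4, and stays silent on the benign events. Each detector corresponds to a control the MHS settlement quoted earlier calls out: root and non-MFA logins to user access procedures, StopLogging to the audit log review obligation. Wire the same checks to a CloudWatch Logs metric filter and alarm, and the review becomes continuous rather than periodic.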
Proactive Compliance for a Healthy Cloud Infrastructure

As cyber threats, privacy breaches, and data leaks grow more sophisticated and harmful, staying informed and proactive about the HIPAA and HITECH rules becomes ever more important. In the last two years we have seen an increase in ransomware attacks, in which criminals infiltrate the networks of covered entities with malware and threaten to divulge critical information. According to the HHS Office for Civil Rights Breach Portal, intentional and accidental data leakage cases are becoming more common, as are unauthorized access and simple theft. Few organizations of any size can afford such an incident.

Understanding the compliance requirements is critical. Organizations, and IT leaders especially, should recognize their shifting responsibilities and make sure they retain complete control over their cloud environments. For that they need auditing and management tools that improve data-handling practices and perimeter security, so that they are better equipped to take proactive remediation actions and protect the organization's digital assets.
About CloudCheckr

CloudCheckr's cloud management platform offers control and clarity for leading organizations managing and optimizing their public cloud investments. The platform provides a single pane of glass across infrastructure for security and compliance while optimizing cost and expenses. With continuous monitoring, 400 best practice checks, and built-in automation, CloudCheckr enables IT, security, and finance teams to manage their AWS environments with confidence. Government organizations and Global 2000 enterprises trust CloudCheckr to unify their native AWS data and deliver a robust cloud management platform.

CloudCheckr provides reports and dashboards that contain the most important events and insights based on public cloud security best practices, as well as on specific compliance standards such as HIPAA. This gives a comprehensive view across your environment, with prioritized insights and recommendations to improve your security and compliance posture. CloudCheckr helps organizations in highly regulated industries maintain compliance, with alerts, monitoring, and audits aligned to NIST, HIPAA, PCI, and other security standards. With deeper intelligence across cloud infrastructure and a unified cloud management solution, organizations can reduce risk and mitigate threats before they materialize.
Learn more: Contact Us (585)
More informationHospital Council of Western Pennsylvania. June 21, 2012
Updates on OCR s HIPAA Enforcement and Regulations Hospital Council of Western Pennsylvania June 21, 2012 Topics HIPAA Privacy and Security Rule Enforcement HITECH Breach Notification OCR Audit Program
More informationHIPAA COMPLIANCE FOR VOYANCE
HIPAA COMPLIANCE FOR VOYANCE How healthcare organizations can deploy Nyansa s Voyance analytics platform within a HIPAA-compliant network environment in order to support their mission of delivering best-in-class
More informationSECURITY & PRIVACY DOCUMENTATION
Okta s Commitment to Security & Privacy SECURITY & PRIVACY DOCUMENTATION (last updated September 15, 2017) Okta is committed to achieving and preserving the trust of our customers, by providing a comprehensive
More informationDevice Discovery for Vulnerability Assessment: Automating the Handoff
Device Discovery for Vulnerability Assessment: Automating the Handoff O V E R V I E W While vulnerability assessment tools are widely believed to be very mature and approaching commodity status, they are
More informationHealthcare Privacy and Security:
Healthcare Privacy and Security: Breach prevention and mitigation/ Insuring for breach Colin J. Zick Foley Hoag LLP (617) 832-1000 www.foleyhoag.com www.securityprivacyandthelaw.com Boston Bar Association
More informationTracking and Reporting
Secure File Transfer Tracking and Reporting w w w. b i s c o m. c o m 321 Billerica Road, Chelmsford, MA phone: 978-250-1800 email: sales@biscom.com EXECUTIVE SUMMARY The Internet has made it easier than
More informationCloud Communications for Healthcare
Cloud Communications for Healthcare Today, many powerful business communication challenges face everyone in the healthcare chain including clinics, hospitals, insurance providers and any other organization
More informationTitle: Planning AWS Platform Security Assessment?
Title: Planning AWS Platform Security Assessment? Name: Rajib Das IOU: Cyber Security Practices TCS Emp ID: 231462 Introduction Now-a-days most of the customers are working in AWS platform or planning
More informationManaging Privacy Risk & Compliance in Financial Services. Brett Hamilton Advisory Solutions Consultant ServiceNow
Managing Privacy Risk & Compliance in Financial Services Brett Hamilton Advisory Solutions Consultant ServiceNow 1 Speaker Introduction INSERT PHOTO Name: Brett Hamilton Title: Advisory Solutions Consultant
More informationCyber Risks in the Boardroom Conference
Cyber Risks in the Boardroom Conference Managing Business, Legal and Reputational Risks Perspectives for Directors and Executive Officers Preparing Your Company to Identify, Mitigate and Respond to Risks
More informationThe threat landscape is constantly
A PLATFORM-INDEPENDENT APPROACH TO SECURE MICRO-SEGMENTATION Use Case Analysis The threat landscape is constantly evolving. Data centers running business-critical workloads need proactive security solutions
More informationThe HIPAA Omnibus Rule
The HIPAA Omnibus Rule What You Should Know and Do as Enforcement Begins Rebecca Fayed, Associate General Counsel and Privacy Officer Eric Banks, Information Security Officer 3 Biographies Rebecca C. Fayed
More informationCompleting your AWS Cloud SECURING YOUR AMAZON WEB SERVICES ENVIRONMENT
Completing your AWS Cloud SECURING YOUR AMAZON WEB SERVICES ENVIRONMENT Introduction Amazon Web Services (AWS) provides Infrastructure as a Service (IaaS) cloud offerings for organizations. Using AWS,
More information10/18/2016. Preparing Your Organization for a HHS OIG Information Security Audit. Models for Risk Assessment
Preparing Your Organization for a HHS OIG Information Security Audit David Holtzman, JD, CIPP/G CynergisTek, Inc. Brian C. Johnson, CPA, CISA HHS OIG Section 1: Models for Risk Assessment Section 2: Preparing
More informationTRACKVIA SECURITY OVERVIEW
TRACKVIA SECURITY OVERVIEW TrackVia s customers rely on our service for many mission-critical applications, as well as for applications that have various compliance and regulatory obligations. At all times
More informationSYMANTEC DATA CENTER SECURITY
SYMANTEC DATA CENTER SECURITY SYMANTEC UNIFIED SECURITY STRATEGY Users Cyber Security Services Monitoring, Incident Response, Simulation, Adversary Threat Intelligence Data Threat Protection Information
More informationCybersecurity in Higher Ed
Cybersecurity in Higher Ed 1 Overview Universities are a treasure trove of information. With cyber threats constantly changing, there is a need to be vigilant in protecting information related to students,
More informationALERT LOGIC LOG MANAGER & LOG REVIEW
SOLUTION OVERVIEW: ALERT LOGIC LOG MANAGER & LOG REVIEW CLOUD-POWERED LOG MANAGEMENT AS A SERVICE Simplify Security and Compliance Across All Your IT Assets. Log management is an essential infrastructure
More informationMcAfee Public Cloud Server Security Suite
McAfee Public Cloud Server Security Suite Comprehensive security for AWS and Azure cloud workloads As enterprises shift their data center strategy to include and often lead with public cloud server instances,
More informationefolder White Paper: HIPAA Compliance
efolder White Paper: HIPAA Compliance November 2015 Copyright 2015, efolder, Inc. Abstract This paper outlines how companies can use certain efolder services to facilitate HIPAA and HITECH compliance within
More informationMapping Your Requirements to the NIST Cybersecurity Framework. Industry Perspective
Mapping Your Requirements to the NIST Cybersecurity Framework Industry Perspective 1 Quest has the solutions and services to help your organization identify, protect, detect, respond and recover, better
More informationHIPAA / HITECH Overview of Capabilities and Protected Health Information
HIPAA / HITECH Overview of Capabilities and Protected Health Information August 2017 Rev 1.8.9 2017 DragonFly Athletics, LLC 2017, DragonFly Athletics, LLC. or its affiliates. All rights reserved. Notices
More informationHIPAA Audit Don t just bet the odds Good luck is a residue of preparation. Jack Youngblood
HIPAA Audit Don t just bet the odds Good luck is a residue of preparation. Jack Youngblood Braun Tacon Process Architect / Auditor Owner: www.majorincidenthandling.com Winning Lotto.1 in 175 Million Attacked
More informationSIEMLESS THREAT MANAGEMENT
SOLUTION BRIEF: SIEMLESS THREAT MANAGEMENT SECURITY AND COMPLIANCE COVERAGE FOR APPLICATIONS IN ANY ENVIRONMENT Evolving threats, expanding compliance risks, and resource constraints require a new approach.
More informationMitigating Risks with Cloud Computing Dan Reis
Mitigating Risks with Cloud Computing Dan Reis Director of U.S. Product Marketing Trend Micro Agenda Cloud Adoption Key Characteristics The Cloud Landscape and its Security Challenges The SecureCloud Solution
More informationHIPAA Controls. Powered by Auditor Mapping.
HIPAA Controls Powered by Auditor Mapping www.tetherview.com About HIPAA The Health Insurance Portability and Accountability Act (HIPAA) is a set of standards created by Congress that aim to safeguard
More informationSecurity by Design Running Compliant workloads in AWS
Security by Design Running Compliant workloads in 2015 Amazon.com, Inc. and its affiliates. All rights reserved. May not be copied, modified, or distributed in whole or in part without the express consent
More information01.0 Policy Responsibilities and Oversight
Number 1.0 Policy Owner Information Security and Technology Policy Policy Responsibility & Oversight Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 1. Policy Responsibilities
More informationHIPAA Compliance Officer Training By HITECH Compliance Associates. Building a Culture of Compliance
HIPAA Compliance Officer Training By HITECH Compliance Associates Building a Culture of Compliance Your Instructor Is Michael McCoy Nationally Recognized HIPAA Expert » Nothing contained herein should
More informationHIPAA COMPLIANCE AND
INTRONIS MSP SOLUTIONS BY BARRACUDA HIPAA COMPLIANCE AND DATA PROTECTION CONTENTS Introduction... 3 The HIPAA Security Rule... 4 The HIPAA Omnibus Rule... 6 HIPAA Compliance and Intronis Cloud Backup and
More informationCybersecurity Auditing in an Unsecure World
About This Course Cybersecurity Auditing in an Unsecure World Course Description $5.4 million that s the average cost of a data breach to a U.S.-based company. It s no surprise, then, that cybersecurity
More informationWHITE PAPER. Five AWS Practices. Enhancing Cloud Security through Better Visibility
WHITE PAPER Five AWS Practices Enhancing Cloud Security through Better Visibility Continuous innovation and speed to market are mandating dynamic paradigm shifts in how companies conceive, develop and
More informationA CISO GUIDE TO MULTI-CLOUD SECURITY Achieving Transparent Visibility and Control and Enhanced Risk Management
A CISO GUIDE TO MULTI-CLOUD SECURITY Achieving Transparent Visibility and Control and Enhanced Risk Management CONTENTS INTRODUCTION 1 SECTION 1: MULTI-CLOUD COVERAGE 2 SECTION 2: MULTI-CLOUD VISIBILITY
More informationHIPAA Privacy, Security and Breach Notification
HIPAA Privacy, Security and Breach Notification HCCA East Central Regional Annual Conference October 2013 Disclaimer The information contained in this document is provided by KPMG LLP for general guidance
More informationBuilding Cloud Trust. Ioannis Stavrinides. Technical Evangelist MS Cyprus
Building Cloud Trust Ioannis Stavrinides Technical Evangelist MS Cyprus If you re resisting the cloud because of security concerns, you re running out of excuses. The question is no longer: How do I move
More informationCipherCloud CASB+ Connector for ServiceNow
ServiceNow CASB+ Connector CipherCloud CASB+ Connector for ServiceNow The CipherCloud CASB+ Connector for ServiceNow enables the full suite of CipherCloud CASB+ capabilities, in addition to field-level
More informationIndustrial Defender ASM. for Automation Systems Management
Industrial Defender ASM for Automation Systems Management INDUSTRIAL DEFENDER ASM FOR AUTOMATION SYSTEMS MANAGEMENT Industrial Defender ASM is a management platform designed to address the overlapping
More informationEU General Data Protection Regulation (GDPR) Achieving compliance
EU General Data Protection Regulation (GDPR) Achieving compliance GDPR enhancing data protection and privacy The new EU General Data Protection Regulation (GDPR) will apply across all EU member states,
More information