HIPAA Covered Entities and Business Associates are faced with increased pressure to achieve compliance and protect Electronic Patient Health Information (ePHI ) or face significant fines and negative press. The Pondurance Compliance practice focuses on building information security programs that both secure your ePHI data and result in compliance with HIPAA Security standards. We also assist our clients in remediation projects when non-compliant to the HIPAA Security standards, or a Compliance Management Program to monitor and maintain HIPAA Security compliance.
Below is an outline of our full HIPAA Security lifecycle services:
HIPAA Security Assessment Services
HIPAA Security Review: Pondurance will perform a high-level HIPAA review to assist clients in understanding the scope of their HIPAA environment, current status of compliance, and a roadmap to start working on achieving compliance. The review is not intended for companies that currently believe they are complaint, but is intended to provide an organization that is new to HIPAA Security a starting point in their quest to become compliant.
HIPAA Security Assessment: Pondurance will perform a detailed HIPAA Security assessment based on the OCR Audit Protocol to identify areas of non-compliance to the HIPAA Security standard and provide risk-based remediation recommendations to achieve compliance. We also provide a remediation plan to combine our findings into actionable projects.
HIPAA Security Comprehensive Assessment: The HIPAA Security Comprehensive Assessment combines the HIPAA Security Assessment services with comprehensive technical security testing to gain a complete understanding of an organization’s compliance and Information Security posture. The comprehensive assessment includes network penetration testing, web application penetration testing, wireless security testing, security configurations reviews, and ePHI data discovery.
ePHI Data Discovery: Pondurance will perform technical and non-technical discovery of our client’s network and systems to identify known and unknown storage of ePHI data. We will also evaluate encryption solutions in use and confirm logging of access to ePHI data.
HIPAA Security Remediation Projects
Information Security Program Development: Pondurance will assist in the development and implementation of an Information Security Program that achieves and maintains compliance with all applicable HIPAA Security standards. This includes policies, procedures, configuration standards, awareness training, vulnerability management program, and a risk management program.
Security Awareness Program Development & Training: One of the largest weaknesses in an information security program is people. Pondurance will develop a plan to train employees, managers and IT staff on information security issues and the appropriate HIPAA Security areas.
Vulnerability Management Program Development: In order to protect systems and achieve compliance with HIPAA Security standards, an effective vulnerability management program is required. Pondurance can develop a program to address vulnerability identification, risk rating, patching and vulnerability scanning.
Security Monitoring Program Development: Pondurance can assist in developing program to monitor information security controls such as audit logging, IDS monitoring and A/V monitoring. Our services include requirements definition, RFP creation and management, implementation planning, and procedures for monitoring logs and alerts.
Security Testing Program Development: An effective information security program should include regularly scheduled security testing including vulnerability scanning, penetration testing, wireless security testing and web application security testing.
Incident Response Plan Development & Testing:Pondurance can develop an effective incident response plan that provides clear procedures on how to respond to suspected security incidents and to align with HIPAA Security requirements. We will also train the client’s staff on incident response and test the plan as required by HIPAA Security requirements.
HIPAA Security Compliance Programm
HIPAA Security Compliance Monitoring: HIPAA Security compliance is not a project but an activity that must be maintained year-round as a business-as-usual process. Pondurance will implement a year-around HIPAA Security monitoring process that includes monthly and quarterly assessment activities to identify and correct compliance issues to insure compliance with HIPAA Security standards.
Vulnerability Management Program: In order to reduce the threats to ePHI data, Pondurance provides a vulnerability-monitoring program that includes vulnerability management, vulnerability scanning, wireless scanning and web application vulnerability scanning. Activities are scheduled for monthly and quarterly testing and reports are provided to clients through our secure portal.
Network Security Monitoring: Pondurance provides Network Security Monitoring (NSM) services to identify malicious network activity that involving ePHI data environments. Our NSM services include Network IDS (NIDS), Full Packet Capture (PCAP), Passive Meta-data Collection, and IP/URL Reputation Monitoring to detect and respond to malware.
Incident Response Team: For clients with limited skills in Incident Response and Digital Forensics, Pondurance provides a program to respond to suspected information security incidents and perform digital forensics when a breach is confirmed. We also specialize in malware identification, containment and removal.