Blog

  • How to Get the Most Out of Penetration Testing as a Service

    Organizations conduct pen tests to learn about their systems and how cybercriminals might try to attack them. Getting the most out of penetration testing as a service requires proactive planning, scoping, testing, and remediation—all of which a quality pen test partner should help with.

    Curious about penetration testing as a service? Schedule a consultation to learn more!

  • Executive Development Module 1: Humanizing Cyber Defense (Recap)

    RSI Security recently hosted our first Executive Development Series webinar, Consciousness of Cyber defense, on July 12, 2024. Our founder and managing director, John Shin, developed the concept for the event in collaboration with Vistage, a leading executive coaching organization that serves over 45,000 executives across the world. He started the event by explaining the crucial importance of human awareness of security concepts at the top of organizations.

    Shin also provided an overview of the format for this first module and the overarching structure for the follow-up sessions, encouraging interactivity and audience participation throughout.

  • Who Needs ISO 27001 Certification?

    Determining whether you need to become ISO 27001 certified requires knowing:

    • What the ISO 27001 framework is and why it exists
    • Which locations the framework primarily applies to
    • Which industries require or suggest ISO compliance
    • What options are available for comprehensive compliance

  • How to Achieve ISO 27001 Certification Efficiently

    One way organizations assure partners around the world of their commitment to security and data privacy is by complying with international frameworks like ISO 27001. Complying efficiently requires scoping, implementation, and assessment—or an alternative path through mapping. Are you ready to achieve ISO 27001 certification? Schedule a consultation to find out!

  • Physical Security Penetration Testing

    Understanding physical penetration testing and how to take advantage of it requires:

    • Knowing what physical pen tests are and the overall approach they take
    • Appreciating how an actual physical penetration test works in practice
    • Scoping best practices into a physical or hybrid pen testing program
    • Comparing physical pen tests against other forms of penetration testing

  • How to Get the Most Out of AI Assisted vCISO Services

    As organizations scale upward, their technological capacities grow exponentially—as do their cyberdefense needs. Hiring a C-suite executive to oversee all cybersecurity concerns is one approach, but a virtual solution is often more efficient, especially if it’s an AI assisted vCISO.

  • Streamline HIPAA Risk Assessments with HITRUST Certification

    Organizations in and around healthcare can streamline risk assessments in five easy steps:

    • Understanding which regulations apply (e.g., HIPAA, HITRUST, etc.)
    • Scoping out what information and systems need to be assessed
    • Preparing for other niche assessments in the event of a breach
    • Implementing controls from the HITRUST CSF to cover their needs
    • Conducting an official HITRUST assessment for broad compliance

  • Cybersecurity Risks Faced by Corporate Executives: Market Survey Report

    The survey, conducted independently by the Ponemon Institute and published in May 2023, explores the significant cybersecurity risks faced by corporate executives in their personal digital lives. The report highlights the gap between corporate cybersecurity measures and the protection needed for executives at home.

  • Stay HIPAA Compliant with a Business Associate Agreement

    If your organization provides services to healthcare entities, such as IT support, cloud storage, billing, or legal services, you may be legally required to sign a HIPAA Business Associate Agreement (BAA).

    This agreement ensures that your organization complies with the Health Insurance Portability and Accountability Act (HIPAA) when handling or accessing protected health information (PHI).

    Entering into a BAA means committing to partial or full HIPAA compliance, which includes conducting risk assessments, implementing security controls, and maintaining appropriate data protection policies.

    Are you ready to fulfill the requirements of a HIPAA BAA? Schedule a consultation to find out!

    HIPAA Business Associate Agreements 101

    The Health Insurance Portability and Accountability Act of 1996 (HIPAA) exists to define and safeguard protected health information (PHI). It applies primarily to covered entities within the healthcare field. However, it also contractually requires business associates to safeguard PHI.

    Understanding and staying compliant as a business associate requires knowing:

    • What a HIPAA business associate agreement is and to whom it applies
    • Which requirements fall on parties to a business associate agreement
    • What can happen if a business associate agreement is broken 

    The big takeaway of business associate considerations under HIPAA is that the regulation applies beyond the boundaries of healthcare to many stakeholders adjacent to the industry.

    What is a HIPAA Business Associate Agreement?

    A HIPAA Business Associate Agreement (BAA) is a legally binding contract that requires business associates to follow certain HIPAA compliance standards.

    These associates, such as IT providers, billing services, or consultants, must either fully comply with HIPAA or support their covered entity partners in maintaining compliance.

    The HIPAA BAA extends HIPAA’s privacy and security requirements beyond healthcare providers, ensuring that any third party with access to protected health information (PHI) also handles it responsibly.

    These agreements are mandated and regulated by the Department of Health and Human Services (HHS) as part of HIPAA’s goal to safeguard patient data across the entire healthcare ecosystem.

    To fully understand why these agreements are necessary, it’s important to know what qualifies as PHI. Protected health information includes any data that identifies an individual in connection with their physical or mental health, treatments received, or healthcare payments, whether in full documents or individual data points.

    HIPAA Covered Entities and Business Associates

    Business associate contracts are made between covered entities and their business associates, requiring the latter to (at minimum) help the former meet their HIPAA requirements. As for who these parties are, the HHS has established three categories of HIPAA covered entities:

    • Healthcare providers, such as hospitals, pharmacies, and doctors
    • Health plan entities, such as administrators and insurance companies
    • Healthcare clearinghouses that process standardized health information

    Business associates are any organizations that work with these entities in a way that requires them to come into contact with PHI.

    There is no explicit restriction on which kinds of partners are considered business associates, but common examples include third-party administrators, accounting and legal services providers, consultants, and benefits managers working on plans.

    Covered entities are the parties who produce, use, and otherwise come into contact with PHI the most. Business associates also come into contact with it regularly, so HIPAA applies to them too.

    Business Associate Agreement HIPAA Requirements

    HIPAA explicitly requires covered entities who work with business associates to operate under a business associate contract.

    The specific requirements for what the contract must include are sparse, so covered entities have discretion over the particular terms. The only firm requirement is that the contract obligates the business associate to help the covered entity maintain HIPAA compliance.

    Under a business associate contract, HIPAA can essentially apply to business associates as though they were HIPAA covered entities.

    The practical upshot is that business associates need to prepare for HIPAA compliance just like covered entities to avoid any future complications.

    Privacy Rule Requirements for Business Associates

    The HIPAA Privacy Rule is the first and most fundamental part of the entire HIPAA framework. It defines both PHI and covered entities, along with their (and their business associates’) essential responsibilities with respect to safeguarding PHI.

    Namely, PHI needs to be made available to its subjects (the persons identified within the PHI) at their request. At the same time, it needs to be protected so that no unauthorized uses or disclosures occur, beyond a defined set of permitted ones.

    Some practical examples of permitted disclosures include using limited data sets for approved research or making certain information available for disease prevention or other public benefits.

    See the HHS’s summary of the Privacy Rule for a comprehensive list of permitted PHI uses.

    Security Rule Requirements for Business Associates

    The Security Rule builds on the Privacy Rule, adding specific controls organizations need to apply to ensure the confidentiality, integrity, and availability of PHI.

    There are two major kinds of measures the Security Rule requires covered entities and business associates to implement.

    The first prescriptive requirement is programmatic risk analysis and management, including regular risk assessments that document, address, and ideally neutralize threats to PHI.

    The other prescriptive requirement is implementing three sets of safeguards:

    • Administrative safeguards
        • Formalizing security management processes
        • Assigning security personnel and responsibilities
        • Systematizing information access management
        • Providing workforce training and management
        • Conducting evaluations related to PHI security
    • Physical safeguards
        • Limiting and controlling access to facilities
        • Limiting and controlling access to devices
    • Technical safeguards
        • Installing system-wide access controls
        • Conducting and logging security audits
        • Ensuring integrity and change management
        • Securing PHI for network transmission

    Originally, these protections applied only to electronic PHI (ePHI), but the HITECH Act extended its requirements to all PHI that covered entities and business associates come into contact with.

    Breach Notification Requirements for Business Associates

    Covered entities and business associates also need to comply with the Breach Notification Rule, which requires monitoring and communication infrastructure to be in place to report on breaches as swiftly as possible.

    HIPAA considers a breach to have happened if identifiable PHI is accessed without authorization in any way beyond the permitted uses and disclosures.

    If a breach has occurred, the covered entity or business associate who becomes aware of it needs to provide notice to one or more parties.

    In particular, notice needs to be given to all parties impacted by the breach. The Secretary of the HHS must also be notified. And, if the breach impacts 500 or more people, media outlets serving their community must be notified.

    If the breach is discovered by the business associate, its responsibility may be to provide these notices directly or to inform the covered entity itself so that it can handle the other required notices.

    The business associate agreement will detail all specific responsibilities related to this rule.

    The Stakes of Business Associate Compliance

    Unlike some other regulatory contexts, HIPAA does not require a certification assessment to affirm compliance. Instead, the HHS mandates that organizations operating in the field are HIPAA compliant, and assessments happen if a breach or other non-compliance incident occurs.

    If a covered entity (or business associate) is found to be in violation, one or both parties may be subject to HIPAA enforcement, including fines and criminal charges.

    In particular, business associate contracts often distribute the liability for noncompliance issues between the business associate and covered entity, depending on the responsible party for the particular data breach or incident in question.

    In practice, causing a HIPAA violation might be a breach of contract, and it can open the business associate up to the HHS’s enforcement arm.

    To avoid these possibilities, covered entities and business associates are encouraged to work with third-party HIPAA advisors and assessors to optimize all elements of their cyberdefenses.

    Achieve and Maintain Compliance

    If your organization works directly in healthcare, or it partners with other organizations that are covered entities, you may need to comply with HIPAA—or at least help a partner comply. If that’s the case, you’ll need to ensure that your cyberdefenses meet HIPAA standards.

    RSI Security has helped countless organizations in and adjacent to healthcare comply with HIPAA. We know that the right way is the only way to keep sensitive data and patients safe.

    Protect your organization from costly HIPAA violations: download our HIPAA Checklist today to ensure you’re fully compliant.

  • Common Examples of Protected Health Information Under HIPAA

    If your organization needs to comply with HIPAA, you’ll need to safeguard protected health information (PHI) and keep an eye out for:

    • Identifiable records related to patients’ health conditions
    • Identifiable records related to the provision of healthcare services
    • Identifiable records related to payments for healthcare provided
    • Methods for de-identifying PHI to lessen the scope of compliance
    • Approaches to comprehensive HIPAA compliance implementation

    Example #1: Records of Patients’ Health Conditions

    The Health Insurance Portability and Accountability Act (HIPAA) exists to ensure that protected health information (PHI) is safeguarded. The kinds of information that can qualify as PHI are defined in the Privacy Rule.

    The first of these is any record that contains or pertains to an individual’s past, present, or future health conditions—including physical and mental health.

    The first example is the most straightforward and involves the least abstraction. Records that contain identifiable information about a patient (e.g., their name; see below) alongside any information about their health conditions can qualify as PHI.

    One common pitfall in this respect is the mishandling of demographic data pertaining to individuals’ disabilities. Even if collected or used in good faith, this information needs to be safeguarded to protect these individuals’ rights.

    Example #2: Records of Healthcare Services Provided

    Closely related to the example above, yet distinct from it, PHI includes all records of healthcare services provided to an individual. The distinction is that the first example specifically hinges on whether or not a person is being identified alongside a condition (permanent or otherwise). But, in this case, a document is PHI if it associates an individual with a procedure they’ve received.

    Common examples of service-provision PHI documents include:

    • Records of medical procedures performed (e.g., operations)
    • Records or notes pertaining to ongoing treatment (e.g., therapy)
    • Records of medications or supplements prescribed or recommended

    Any organization that is subject to HIPAA needs to de-identify and/or protect these kinds of documents, and any traces of this kind of information. See below for guidance on how.

    Example #3: Records of Payment for Healthcare Services

    In addition, according to the HIPAA Privacy Rule, protected health information includes records of past, present, or future payment made in exchange for the provision of healthcare. If #2 is an abstraction of #1, this type of PHI further abstracts the individual from their health concerns, qualifying a document as PHI if it associates an individual with a payment made for healthcare.

    One common instance of payment information qualifying as PHI under HIPAA is credit card and other transaction records being maintained digitally. Often, records of this nature are kept for standard bookkeeping or even for compliance with other regulatory frameworks.

    However, if they include patients’ names and other identifiable criteria, they may qualify as electronic protected health information (ePHI). If so, they need to be de-identified and/or safeguarded.

    How to De-Identify PHI for HIPAA Compliance

    Under HIPAA, protected health information needs to be treated such that, if it were leaked or otherwise fell into the wrong hands, the individual it concerns could not be identified by it.

    The Department of Health and Human Services (HHS) prescribes two de-identification methods:

    • Expert Determination – An individual with substantial knowledge and training in threat and statistical modeling is able to demonstrate a negligible degree of identification risk.
    • Safe Harbor – All categories of identifiable information (names, locations, dates, contact information, ID and related numbers, possessions, etc.) are removed from documents.

    Organizations subject to HIPAA, including both covered entities and their business associates, should utilize one or both methods as much as possible to minimize the scope of identifiable PHI within their systems. HIPAA data breaches concern identifiable PHI exclusively.

    How to Safeguard Identifiable PHI for HIPAA Compliance

    All protected health information, identifiable or not, needs to be safeguarded according to HIPAA’s prescriptive rules. The Privacy Rule, noted above, requires controlling use and disclosure and preventing all but a select set of permitted disclosures while also ensuring information subjects have the ability to access PHI about or concerning them on demand.

    The Security Rule augments the Privacy Rule, adding proactive protections and controls that organizations need to install. These include administrative, physical, and technical safeguards, along with programmatic risk assessments that often necessitate the use of penetration tests.

    Finally, there is the Breach Notification Rule, which requires monitoring and communication infrastructure to identify and report on any breach of identifiable PHI as soon as possible.

    Streamline Your HIPAA Compliance Process

    Critically, PHI is a relatively wide category of information that includes both health-specific documentation and more generalized records, such as payment data.

    Organizations in and adjacent to healthcare need to be aware of these common PHI types that they may come across so that they can de-identify and safeguard them to maintain HIPAA compliance.

    RSI Security has helped healthcare organizations and their strategic partners steer clear of HIPAA enforcement for over a decade.

    We believe that discipline up-front unlocks greater freedom to grow down the road, and we’ll help you rethink and optimize your compliance.

    To learn more about protected health information and HIPAA, contact RSI Security today!

    Download Our HIPAA Checklist