In the exceptional times brought on by the global response to COVID-19, it should come as no surprise that healthcare companies are seeing more attacks from cyber criminals against their claims and insurance-related infrastructure. It should also come as no surprise that "an ounce of prevention is worth a pound of cure," so taking the steps to ensure your security strategy is comprehensive enough to meet these extra burdens becomes paramount.
Why Health Insurance Security Assessments?
The short answer to this very important question is that it is "the law"; specifically, a US federal regulation, the HIPAA Security Rule, requires it. According to HealthIT.gov:
“The Health Insurance Portability and Accountability Act (HIPAA) Security Rule requires that covered entities and its business associates conduct a risk assessment of their healthcare organization. A risk assessment helps your organization ensure it is compliant with HIPAA’s administrative, physical, and technical safeguards. A risk assessment also helps reveal areas where your organization’s protected health information (PHI) could be at risk. To learn more about the assessment process and how it benefits your organization, visit the Office for Civil Rights' official guidance.”
HHS.gov also offers resources to help out with these requirements:
“The NIST HIPAA Security Toolkit Application, developed by the National Institute of Standards and Technology (NIST), is intended to help organizations better understand the requirements of the HIPAA Security Rule, implement those requirements, and assess those implementations in their operational environment. Target users include, but are not limited to, HIPAA covered entities, business associates, and other organizations such as those providing HIPAA Security Rule implementation, assessment, and compliance services.
The Office of the National Coordinator for Health Information Technology (ONC) and the HHS Office for Civil Rights (OCR) have jointly launched a HIPAA Security Risk Assessment (SRA) Tool. The tool’s features make it useful in assisting small and medium-sized health care practices and business associates in complying with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule.”
One other item should be addressed at this stage: a risk assessment is a process, not a project, and should be treated as such. Best practice dictates ongoing due diligence, and the Security Rule's risk analysis is itself an ongoing obligation that should be revisited whenever the environment changes, for example when new systems, vendors, or applications handling PHI are introduced.
A Health Insurance Security Assessment Case Study
nVisium performed a comprehensive review and ongoing application security initiative for a major health insurance provider. The goal of this engagement was to help close existing security flaws while identifying issues earlier in newly developed code.
Due to the sensitivity of data held for millions of users, it was essential to ensure that personally identifiable information (PII) was protected at every layer of the infrastructure. As critical security issues were identified, nVisium worked directly with developers and architects to build security fixes, test the fixes, and implement them in production.
Over a three-year period, nVisium helped the insurance provider reduce its overall risk profile significantly, and the organization's primary consumer-facing product showed a gradual but substantial reduction in risk.
Reviewing all aspects of security assessments is always a useful refresher, and our previous blog posts cover them in detail. Partnering with a trusted advisor who has experience with healthcare-specific requirements is the next step on your journey to IT security protection.
nVisium empowers organizations to eliminate application and cloud security vulnerabilities before cyber threats exploit them with proven in-depth security assessments, remediation and training programs. Our experienced team of security-savvy developers and engineers guide organizations to build best practices with high ROI into their engineering and secure development lifecycles across applications, operating systems, networks, mobile, cloud and IoT through services, software solutions and R&D unique to business operations and compliance initiatives. Additionally, nVisium provides a fully managed platform for tracking and measuring performance as well as instructor-led and online training.
Our security-savvy team implements leading-edge assessment techniques and world-class secure development training programs to eliminate vulnerabilities for both global enterprises and startup organizations, so when you are ready, schedule a consultation today or download our new eBook titled "Demystifying DevSecOps" to get started yourself.