Healthcare Services

Protect your staff, customers and patients from loss of protected health information

Healthcare service providers have become key targets of identity theft crime due to the depth of personal, demographic, and financial information they collect on patients. Cyber criminals and malicious hackers are mounting targeted attacks to steal electronic unsecured protected health information (PHI) so it can be sold to the highest bidder for use in identity theft schemes. PHI includes identifiable health information, including items such as the patient’s name, address, e-mail address, birth date, Social Security number, employee number, claim number and health plan beneficiary number.

Healthcare service providers are required to be increasingly vigilant in protecting data transmitted on both wired and wireless systems, including healthcare plan enrollment systems, e-prescription kiosks, electronic heath record (EHR) devices, health information exchange (HIE) networks, and back office databases. Stolen personal data leads to significant legal liability and costs for those affected, from healthcare service providers to victims of stolen identities. Data breaches of PHI can lead to tremendous hardship for patients, who may then struggle for years to recover from identity theft. One insurer estimated that the August 2009 loss of just 38,000 patient records from the Naval Hospital Pensacola will cost the hospital approximately $6 million. The healthcare service providers found responsible for data breaches suffer a loss of reputation which may drive patients away for their services.

To protect the privacy and integrity of personal records, IT security administrators at healthcare organizations need to keep watch for vulnerabilities that can enable unauthorized users to access private information. They also need to document HIPAA security compliance. Manual security auditing processes are not comprehensive and take too long to implement in order to protect the organization from exposure to viruses, worms, or hackers looking to steal personal information. Automating your security audits and speeding up the remediation process enables you to more effectively secure your networked environment.

Security standards for Healthcare Services

The Health Insurance Portability and Accountability Act (HIPAA) is a federally mandated law that was created to confront the rising number of incidents of stolen PHI. The Health Information Technology for Economic and Clinical Health (HITECH) Act strengthens HIPAA requirements, particularly by raising the financial penalties incurred by HIPAA violators. HIPAA mandates that all covered entities establish appropriate administrative, technical, and physical safeguards to protect the privacy and security of sensitive health information. Covered entities include providers, health plans, clearinghouses, and their business associates. To be compliant with HIPAA, health-related institutions must employ procedures that protect the disclosure of an individual's personal health information, ensuring the privacy and security of that information as it is collected, processed and transferred to other health organizations. The Administrative Simplification (AS) provisions of HIPAA address provisions for both the security and privacy of electronic health data, including the Security Rule. To achieve HIPAA compliance, covered entities must demonstrate adherence to the Security Rule, which mandates protection of all electronic PHI created, received, maintained, or transmitted by any covered entity. Healthcare who fail to protect PHI are subject to serious financial repercussions. The HITECH Act permits state attorney general’s offices to pursue civil charges on behalf of victims, in addition to fines for HIPAA violators of up to $1.5 million per year.

Building a secure network and maintaining a vulnerability management program are necessary prerequisites for ensuring HIPAA compliance. To protect the privacy and integrity of PHI, security administrators at healthcare organizations need to scan systems for vulnerabilities that put systems at risk of unauthorized access. Healthcare organizations also need to document HIPAA security compliance, train employees on privacy measures, appoint someone to oversee privacy initiatives, implement measures to secure storage of and access to patient records, and automate audits. Manual security auditing processes are not comprehensive enough and take far too long to implement. Automating security measures enables faster notification of exposures and quicker remediation so that systems can be secured against unauthorized access to PHI and be HIPAA compliant.

How Rapid7 Helps

Rapid7 Nexpose helps organizations that handle sensitive patient information achieve HIPAA compliance, including medical schools, hospitals and their business associates, private labs, and insurance companies. Rapid7 has extensive experience partnering with healthcare service providers such as BlueCross BlueShield of Vermont, Memorial Sloan-Kettering Cancer Center, and the Spectrum Health System, to help them with the complex regulatory environment of the health sector. Rapid7’s solutions for healthcare services meet the Protected Health Information (PHI) safeguards required to achieve HIPAA compliance in accordance with relevant sections of §164.308 to §164.316 of the HIPAA Security Rule. Here’s how Rapid7 prepares you for a HIPAA audit while providing sound vulnerability management practices that ensure that your entire infrastructure is protected from intruders:

Rapid7 helps you comply with sections of §164.308 to §164.316 of the HIPAA Security Rule.

Rapid7 Nexpose can help your business achieve HIPAA compliance by:

• Automating HIPAA audit requirements with pre-configured HIPAA compliance scanning and reporting with Rapid7’s Nexpose for the broadest, deepest and most accurate vulnerability management solution so you can find vulnerabilities other scanners miss
• Providing both executive HIPAA summary reports for management and detailed HIPAA remediation plan for security administrators
• Performing internal scanning of your entire infrastructure with Nexpose in preparation for HIPAA audits by evaluating potential security risks to electronic PHI, including monitoring of system activity for vulnerability and patch status on devices with PHI
• Performing asset discovery, vulnerability detection, event management and compliance reporting on workstations, as well as automated monitoring of passwords policies with the customized policy compliance framework
• Performing external scanning with Nexpose either using distributed engines, or with Rapid7 Managed Services to detect and close any holes in your network perimeter

With Rapid7 Nexpose, our HIPAA Compliance Services staff can perform internal and external vulnerability scans as part of your HIPAA risk assessment, and provide healthcare providers with documentation on their current security posture in accordance with HIPAA audit standards.

These services include:

• Defining policies and procedures to secure protected health information
• Providing Rapid7 security experts to perform vulnerability scanning, penetration testing and a detailed audit of your networked environment to enable you to detect deficiencies more quickly and get recommendations for fixes that would prevent attacks.
• Identifying protected health information (PHI) and unprotected health information
• Providing Rapid7 Remediation Plan and Report with detailed step-by-step instructions for vulnerability remediation to attain HIPAA Compliance
• Providing Rapid7 HIPAA Professional Services Review to evaluate all security policies and procedures, in addition to providing guidance on developing missing control policies for all areas, including control for modifying access rights
• Rapid7 Security Awareness Training to provide staff with knowledge needed to secure PHI from electronic, physical and behavioral challenges that put data at risk

To learn more about how Nexpose capabilities meet the requirements to comply with the HIPAA safeguards, refer to the Rapid7 HIPAA and HITECH Act Compliance Guide.

Contact us to find out more about how Rapid7 can help you achieve HIPAA compliance so you can avoid costly data breach penalties faced by HIPAA violators, and secure personally identifiable patient PHI.