
Leveraging Penetration Testing to Secure Patient Data and Comply with HIPAA Regulations


The Security Rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) mandates that healthcare institutions implement appropriate information security policies and procedures to protect ePHI (electronic Protected Health Information) from "reasonably anticipated threats and hazards". Penetration testing with CORE IMPACT helps to ensure the integrity and confidentiality of patient information, while enabling you to abide by HIPAA security standards.

Penalties for not complying with HIPAA can reach $25,000 per year for violations of a single requirement, and penalties for wrongful disclosure include fines up to $250,000 and up to 10 years imprisonment. These penalties can quickly add up, as a single transmission or incident can trigger multiple violations.


Meet Specific HIPAA Standards with CORE IMPACT

CORE IMPACT helps you secure patient information and address HIPAA standards across a range of topics, including:

Risk Analysis and Management

"Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity."
( § 164.308(a)(1)(ii)(A))

"Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with [the general requirements of the Security Rule]"
( § 164.308(a)(1)(ii)(B))

CORE IMPACT reveals actual, exploitable security threats, allowing you to safely identify which vulnerabilities are critical, which are insignificant, and which are false positives. This allows you to make informed decisions about the real risks to your network and assists you in prioritizing remediation efforts.

Re-Evaluation

"Perform a periodic technical and non-technical evaluation, ... in response to environmental or operations changes affecting the security of electronic protected health information, that establishes the extent to which an entity's security policies and procedures meet the requirements of [the Security Rule]"
( § 164.308(a)(5))

CORE IMPACT enables you to keep pace with vulnerabilities as new network infrastructure is deployed, as applications are upgraded and patched, and as new facilities are added. You can therefore regularly evaluate the effectiveness of your existing security measures while justifying proposed security investments.

Documentation

"If an action, activity or assessment is required by [the Security Rule] to be documented, maintain a written (which may be electronic) record of the action, activity, or assessment."
( § 164.308(a)(1)(ii)(B))

CORE IMPACT generates clear, informative reports that provide data about the targeted network and hosts, audits of all exploits performed, and details about proven vulnerabilities.


Ensure Patient Confidentiality and Safety

In the healthcare industry, protecting patient information means more than simply preventing identity theft and other crimes. Securing ePHI also ensures the physical safety of patients, since data that is improperly altered or destroyed can lead to clinical quality problems. CORE IMPACT equips you with the information you need to prevent security breaches before they occur, allowing you to maintain the integrity of ePHI while ensuring patient safety.


Success Story


"To prove that our security testing is both consistent and unbiased, we're required to have an outside entity provide us with accreditation. Because of the approach we've established testing with CORE IMPACT, and the ability to respond quickly and patch any issues, we remain confident that auditors will recognize that we've tested everything to the best of our abilities in the same manner that a hacker would."
James Barth
Chief Security Engineer
Teachers Retirement System of Georgia

Core Security Technologies © 2008 All rights reserved