HIPAA On-Site Assessment Review for Small Medical Practices

With all the attention that is paid to HIPAA compliance for hospitals, medical plans and other larger health care providers, we at The Saturn Partners do not believe enough attention is being paid to the real need of smaller medical practices (50 employees and under) for onsite review and HIPAA compliance audit assistance covering the privacy and administrative areas of the HIPAA rules. Here is what The Saturn Partners can offer your small medical practice to assist your staff in staying on top of the latest HIPAA/HITECH standards developments:

  • Inspection of Office/Facility Environment: We examine where information is stored, where the computer equipment used to store PHI is located and who can access it, and where hard-copy PHI such as paper files or other filed documentation is kept. We take the viewpoint of a government HIPAA auditor and follow proper guidelines to maximize the security of the storage methods for this confidential information.
  • Review of Security Policies: One critical area of security vulnerability in the storage and use of PHI is the existence and relevance of network and physical security policies, regularly updated and reviewed at least annually, as required under the HIPAA/HITECH security rules. Our review ascertains that the policies have the proper content, outlining all safeguards recommended or required by HIPAA so that the risk of a security breach is minimal. We will revise the security policy for your office, if need be, to be sure the policies on file reflect proper content under HIPAA.
  • Managerial Interview: Here we talk with you about your managerial practices in handling employee training on proper HIPAA guidelines, and make recommendations in our report on this important issue, to be sure both new hires and existing employees are aware of their individual responsibilities, covering everything from verbal communication to proper handling of patient-related paperwork and filing of insurance claims. We confirm that policy is in place or, where needed, construct it for you to meet proper HIPAA guidelines.
  • Employee Interviews: We conduct these while onsite if physically possible (if not, by phone) to ascertain from individual employees their beliefs, practices and level of knowledge about handling both ePHI and physical PHI. If your policies don’t dictate it now, we generally want to develop a short questionnaire on PHI handling measures and guidelines with which to test existing employees’ knowledge of HIPAA PHI protection measures. This can also be used as a “test” for new hires before they proceed past training into handling PHI on their own.
  • Review of Disaster Recovery/Business Continuity Plan: This should be part of your set of security policies. Our experience shows that most small offices don’t have one. It covers both your ePHI and physical PHI in case of fire, flood, breach or any other event which could tamper with or destroy precious patient records. We review what you have, or advise on what you should have. Constructing the plan is beyond the scope of this review audit, but we can quote the work if you need a plan from scratch. If you have one, we review it for soundness and compliance; it should be tested in some capacity every six months. We also look at your vendors for emergency backup, power source and other recovery tools to be sure they are accessible in a disaster situation.
  • Review of Vendor Agreements: This is a very important area, as we review policy and procedures for allowing vendor access to ePHI and PHI, with an eye on the HIPAA/HITECH rules under “Safe Harbor” and “Business Associate Agreements.”

In addition to this helpful onsite review, The Saturn Partners can also write and test network security policies, disaster recovery plans and conduct full vulnerability assessments to directly address the security rule under the HIPAA guidelines.

HIPAA rules

The Saturn Partners, Inc. offers a complete security audit for your health care IT environment. Whether you are a small clinic or large hospital, you know there are compliance standards you must maintain for the protection of PHI.

In addition, as a health care compliance officer, IT Director, VP of Operations or VP of Security, you are well aware of the daily threats to the privacy and security of your proprietary applications, servers, firewalls and wireless traffic.

We are experienced in taking the security standards below and performing an in-depth on-site and off-site series of tests, social engineering exercises, and policy and emergency preparedness reviews in order to evaluate the level of overall security in the network environment.

Then we prepare a customized security and compliance program, working with your budget and management team, to ensure that your environment will show complete compliance to all of the applicable HIPAA standards as it applies to security of your PHI, infrastructure and network environment.

164.306(a)(1), (a)(2), (a)(3) – Security standards: General rules.

(a) General requirements. Covered entities must do the following:

(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.

(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.

(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.

164.308(a)(1)(i), (ii)(A) – (a) A covered entity must, in accordance with § 164.306:

(1)(i) Standard: Security management process. Implement policies and procedures to prevent, detect, contain, and correct security violations.

(ii) Implementation specifications:

(A) Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

164.308(a)(1)(ii)(D) – (D) Information system activity review (Required). Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

For more information, please send us an email at cacrawf@saturnpartners.com or contact us at 312-961-9469.


The Saturn Partners… providing cutting edge network and critical infrastructure security and compliance solutions since 2001.

Software Exploitation via Hardware Hacking

Whether you are in the financial services, health care, utilities or any other industry, this is one HOTBED issue you cannot ignore whether you are an IT, eCommerce, compliance or critical infrastructure director.  We at The Saturn Partners have many years of experience conducting testing, research, and planning for clients in the U.S. and Caribbean, staying on top of every cutting edge IT security threat since our beginnings in 2001.

The Embedded System Security effort focuses on making technologies secure from cyber threats through techniques such as penetration testing, risk management, threat analysis, and by performing applied security research. We provide embedded and wireless security testing services for customers in the areas of retail, financial services, smart grid, industrial control systems, railway control systems, mobile devices, and healthcare/medical devices.

We specialize in embedded testing of devices and rapid development of custom testing tools for emerging communication protocols and systems. Additionally, we actively perform research in a number of security areas such as wireless protocol security, automated vulnerability testing, fuzzing, insider threats, and hardware-based roots of trust. This focus ensures that we are at the forefront of both offensive and defensive capabilities as they relate to secure system development and penetration testing.

Secure boot, trusted execution environments and many other security mechanisms depend on the security of the underlying hardware. What if we can break the actual hardware? And what if that’s EASIER than breaking the software?

Side channel analysis and fault injection are techniques to break various security mechanisms, allowing an attacker to load arbitrary firmware code and discover secrets such as cryptographic keys and PINs from hardware and embedded software. They were first (publicly) discovered on smart cards in response to the major platforms becoming highly resistant against “software” attacks. Now that this type of security is becoming more widely understood and implemented on most embedded systems, attackers are also moving into the field of hardware attacks.

Side channel analysis is achieved by listening to and understanding the information that (hardware) channels emit when processing data. Fault injection is accomplished by forcing hardware into operating conditions outside of spec, causing a circuit to introduce errors in its computation.

Hardware Enabled Software Exploitation can be described as manipulating, modifying, debugging, reverse engineering, interacting with, and exploiting the software and hardware of embedded systems. Among other things, an intruder with the right skill set can:

  • Conduct bus spying, tampering, spoofing and injection (UART, SPI, I2C, USB, etc.)
  • Attack serial interfaces (UART, SPI, I2C)
  • Use JTAG surreptitiously for reverse engineering, attacks and exploit development (“JTAG fuzzing”)
  • Steal firmware non-destructively (JTAG, direct interface, serial interfaces, etc.)
  • Steal firmware destructively (pulling chips from the board and reading them)
  • Obtain firmware images and disassemble them
  • Conduct firmware analysis
  • Conduct simple side channel attacks and use them in power analysis and power side channel attacks
  • Conduct “glitching attacks”
  • Perform ARM exploitation via hardware debuggers
  • Attack low-power RF devices (Zigbee, etc.)

To speak to us about a consultation on the threats in your network or critical infrastructure environment, or to find out more about our services, visit us at www.saturnpartners.com or email us at cacrawf@saturnpartners.com.

The Saturn Partners … Securing Your World since 2001

Finding the Right IT Security Partner and Solution for You

The sophistication of the technology and tactics used by online criminals—and their nonstop attempts to breach network security and steal data—have outstripped the ability of IT and security professionals to address threats. Most organizations do not have the people or the systems to monitor their networks consistently and to determine how they are being infiltrated.

The security talent shortage makes this problem worse: even when budgets are generous, CISOs struggle to hire people with up-to-date security skills. It’s estimated that by 2020, the industry will still be short more than 12 million security professionals across the globe. Also in short supply are security professionals with data science skills—understanding and analyzing security data can help improve alignment with business objectives.

The Saturn Partners, Inc., founded in 2001, began its existence at the very core of the security equation: writing much needed network security policies for banks, hospitals, utilities and other markets facing regulatory crackdowns on the handling, processing and transport of sensitive electronic data and traffic.

With services ranging from vulnerability and penetration testing to social engineering, disaster recovery planning, security policy development and regulatory compliance assistance, The Saturn Partners can provide the talent on a scalable and affordable basis for any organization no matter the size or budget.

For more information, visit us at www.saturnpartners.com, email us at cacrawf@saturnpartners.com. 


The Saturn Partners and Cyber Security Lifecycle Management – Our Commitment To You

The Saturn Partners’ cyber security team delivers security assessments and recommendations, solution engineering and implementation, training, auditing, and disaster planning and recovery. The Saturn Partners’ team of cyber security experts develops and implements solutions that conform to standards such as HIPAA, NERC, PCI, SOX and GLBA, among others.

  • Cyber Security Policies Review & Development
  • Enterprise Mobile Application Security Assessments/Testing
  • Cyber Security Vulnerability Assessments
  • Social Engineering
  • SCADA and Critical Infrastructure Security Assessments
  • Penetration Testing
  • Regulatory Compliance Assistance
  • Threat Detection & Deterrence
  • Information Assurance

Systems Management and Security Measures Under NERC CIP-007 – Are You Taking These Precautions?

First of all, how are you handling patch management?

These guidelines will help you grade your own “report card” on how your current security measures stack up against our recommended security measures under NERC CIP-007 (Systems Management):

We at THE SATURN PARTNERS recommend that you:

  • Disable unused ports and services. We have cited this basic security rule forever. You would be surprised at how many ports we find left open in our assessments which are unused and therefore an unnecessary entry point.
  • Track security patches for critical cyber assets.
  • Shouldn’t you patch? If you believe there is no compelling reason to apply a patch, document that decision!
  • Capture traffic to see what ports are in use. (It is useful to capture traffic for ten to fifteen minutes first to see which ports and settings are typically being used.)
  • Test all patches on development/beta systems FIRST.
  • Document implementation of the patches in detail.
  • Document known ports and services.
  • Pay attention to prevention of malicious software by using anti-virus/anti-malware tools which are able to detect, prevent, deter or limit exposure.
  • DEPLOY such anti-virus software on the wire at the perimeter rather than only on systems within it!
  • Use security monitoring controls which can issue automated or manual alerts when they detect something out of the norm.
  • Stay current on the latest and best processes for enabling ports on hosts, routers and firewalls.
  • Maintain logs for a minimum of 90 days. We at THE SATURN PARTNERS recommend six months, due to the length of time it takes for litigation or prosecution to reach court, as these logs can be used as evidence if properly preserved. NOTE: PLEASE GO TO www.saturnpartners.com AND VISIT OUR FORENSICS SECTION FOR MORE DETAILS ON THE IMPORTANCE OF PRESERVING ELECTRONIC EVIDENCE!
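The "capture traffic", "document known ports and services" and "disable unused ports" steps above fit together as one check: compare what a short capture shows in use against the documented baseline. The script below is an added illustration, not Saturn Partners' tooling; the baseline dictionary and the capture summary are constructed sample data in a hypothetical `proto src:port -> dst:port` summary format.

```python
"""Port inventory check for the CIP-007 'document known ports' step.
Added example (not Saturn Partners' tooling); the baseline and capture
summary below are constructed sample data."""
from collections import Counter

# Constructed baseline: the ports/services the site has documented as needed.
DOCUMENTED_PORTS = {
    ("tcp", 22): "ssh - remote administration",
    ("tcp", 443): "https - HMI web interface",
    ("udp", 123): "ntp - time synchronisation",
    ("tcp", 3389): "rdp - vendor remote support",
}

# Constructed capture summary, one flow per line: proto src:port -> dst:port
CAPTURE = """\
tcp 10.0.1.15:51234 -> 10.0.1.10:22
tcp 10.0.1.15:51240 -> 10.0.1.10:443
udp 10.0.1.10:123 -> 10.0.1.1:123
tcp 10.0.1.20:4011 -> 10.0.1.10:23
tcp 10.0.1.20:4012 -> 10.0.1.10:23
tcp 10.0.1.30:53301 -> 10.0.1.10:445
"""

def parse_flows(text):
    """Yield (proto, dst_port) per flow line; malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "->":
            continue
        try:
            dst_port = int(parts[3].rsplit(":", 1)[1])
        except (IndexError, ValueError):
            continue
        yield parts[0].lower(), dst_port

def port_report(capture, documented):
    """Return (undocumented, unused): ports seen in traffic but absent from
    the baseline, with flow counts, and documented ports carrying no traffic."""
    seen = Counter(parse_flows(capture))
    undocumented = {k: n for k, n in seen.items() if k not in documented}
    unused = {k: v for k, v in documented.items() if k not in seen}
    return undocumented, unused

if __name__ == "__main__":
    undocumented, unused = port_report(CAPTURE, DOCUMENTED_PORTS)
    for (proto, port), n in sorted(undocumented.items()):
        print(f"UNDOCUMENTED {proto}/{port}: {n} flows - document or block")
    for (proto, port), svc in sorted(unused.items()):
        print(f"NO TRAFFIC   {proto}/{port} ({svc}) - confirm, then disable")
```

A ten-to-fifteen-minute capture only shows what was active in that window, so a documented port with no traffic is a candidate for the "disable unused ports" step, to be confirmed against the host's own listener list before it is closed.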

At The Saturn Partners, we have over a dozen years of hands-on experience working with utilities and other highly regulated industries to help keep our clients safe from intrusion and theft of precious data and cyber assets. Contact us today at cacrawf@saturnpartners.com for a consultation with one of our engineers.

Fighting cyber crime since 2001… The Saturn Partners… your one-stop shop for customized, hands-on cyber and critical infrastructure security services.
