With our remote services we can examine your network using our award-winning SAINT vulnerability scanner and expose where an attacker could breach your network.
Then using
we prove without a doubt that the vulnerability exists!

Find out why our approach of combining an automated approach with, if needed, a manual solution is unique in today's network security testing.



HIPAA/HITECH Compliance

Physicians and healthcare organizations must comply with the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. The Security Rule is a key part of HIPAA, federal legislation that was passed into law in August 1996. The overall purpose of the act is to enable better access to health insurance, reduce fraud and abuse, and lower the overall cost of health care in the United States.

See where you stand: allow us to conduct a two-day HIPAA/HITECH Gap Analysis. Call us today to schedule a HITECH consultation: 405-255-6862

FACT: If you create, transmit, receive, or store electronic Protected Health Information (ePHI), then you need to be HIPAA compliant.

Section §164.308 of the HIPAA Security Rule. A covered entity must implement:

* Risk analysis (Required). Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

* Risk management (Required). Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a).

Lynjonic helps you comply with HIPAA Regulations sections §164.306 to §164.316 by:

• Performing HIPAA compliance scanning and providing reports that outline an accurate vulnerability management solution.

• Our reports include executive HIPAA summary reports for management and detailed HIPAA remediation plans for security administrators.

• We perform internal scanning of your entire infrastructure to help you prepare for HIPAA audits. Our scans evaluate potential security risks to electronic PHI (ePHI), and we have the ability to continually monitor system activity for vulnerability and patch updates on devices processing, transmitting, or storing ePHI.

• We perform external scanning of your devices exposed to the Internet and detect and identify any potential security holes in your network perimeter.

HIPAA compliance does not give you security. A proactive approach is to take a risk-based view of managing security, so that your organization is not only compliant but has also addressed modern-day threats.

Security Rule: If your organization is a Covered Entity (one that must comply with HIPAA), it is imperative that you understand the rule and take the necessary steps toward compliance.

What: The rule applies to electronic protected health information (EPHI), which is individually identifiable health information (IIHI) in electronic form. IIHI relates to 1) an individual's past, present, or future physical or mental health or condition, 2) an individual's provision of health care, or 3) past, present, or future payment for provision of health care to an individual. The primary objective of the Security Rule is to protect the confidentiality, integrity, and availability of EPHI when it is stored, maintained, or transmitted.

Who: Covered Entities (CEs) must comply with the Security Rule. These are health plans (HMOs, group health plans, etc.), health care clearinghouses (billing and repricing companies, etc.), or health care providers (doctors, dentists, hospitals, etc.) who transmit any EPHI. Their business associates (including private sector vendors and third-party administrators)

How: Covered Entities must maintain reasonable and appropriate administrative, physical, and technical safeguards to protect the confidentiality, integrity, and availability of their EPHI against any reasonably anticipated risks.

When: The final Security Rule became effective as of April 21, 2003. Most Covered Entities must be in compliance by April 21, 2005; small health plans (those with annual receipts of $5 million or less) have until April 21, 2006.

When private medical records are breached, healthcare service providers suffer damage to their brand and reputation, loss of trust from their patients, and severe financial repercussions.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) mandates that appropriate administrative, technical, and physical safeguards be used to protect the privacy and security of sensitive health information. The Health Information Technology for Economic and Clinical Health (HITECH) Act, signed into law in February 2009 as part of the American Recovery and Reinvestment Act (ARRA), clarifies and supplements HIPAA requirements, particularly by raising the financial penalties incurred by covered entities that violate the HIPAA Privacy and Security Rules. Both HIPAA and the HITECH Act are enforced by the U.S. Department of Health and Human Services.

The Security Rule is based on several important principles.

Scalability: Covered Entities of all sizes must be able to comply with the rule, from the one-person doctor's office to the insurance company with thousands of employees.

Comprehensiveness: Covered Entities must have a unified security approach based on the principle of "defense in depth."

Technology: The rule does not require Covered Entities to implement specific security technology (for example, a specific type of firewall or IDS). Each Covered Entity must choose the appropriate technology to protect its EPHI.

Internal and external security threats: Covered Entities must protect their EPHI against both internal and external threats.

Risk analysis: Covered Entities must regularly conduct thorough and accurate risk analysis.

Policies, procedures, and processes must be developed and implemented that prevent unauthorized access to EPHI that is being transmitted over an electronic communications network (e.g., the Internet).

Penalties for non-compliance

The HITECH requirements for breach prevention activities, audits, notifications, and penalties for disclosures came into effect on February 17th 2009. However, HITECH standards become mandatory and enforceable as of February 18th 2010, when the HHS OCR begins conducting mandatory audits and enforcing civil monetary penalties. The HITECH Act permits state attorney general's offices to pursue civil charges on behalf of victims, in addition to fines for HIPAA violators of up to $50,000 for each violation, to a maximum of $1.5 million per year. The high fines levied on HIPAA violators reflect the importance of safeguarding protected health information. Faced with the looming threat of steep fines for failing to meet HIPAA data breach requirements, the health service industry is seeking ways to become HIPAA compliant.