Information Security Overview
- An Information Security Program is a documented set of an organization's security policies, procedures, guidelines, and standards.
- The security program provides a roadmap for effective security management and practices.
- Breaches affect large numbers of diverse organizations, including the healthcare industry, and can result in significant fines and penalties.
- Effectively maintained and adaptable programs mitigate potential risks and quickly manage incidents or exposures.*
* The average cost of a breach is $255 per compromised record.
Security in the Cloud
- As more and more companies run natively in the cloud, you need to understand the complexity and responsibility that come with that approach.
- AWS has explicitly stated that it is responsible for the security of the cloud, meaning the data centers, hardware, network, servers, power, connectivity, and some of the managed services it provides.
- At the same time, AWS states that the customer is responsible for security in the cloud, meaning that information flow, customer networks, ports, encryption, data, and server access are the responsibility of the customer. Just being in the cloud does not automatically mean you are secure.
- Customers realize this and therefore request compliance frameworks and certifications as assurance of secure operations in the cloud before signing business associate agreements or contracts.
Healthcare in the Cloud
- The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was enacted as a federal law to protect sensitive patient health information from being disclosed without the patient's consent. It was later enhanced by HITECH in 2009 to promote the secure exchange of electronic health records (EHR). It applies to companies that handle medical information electronically and so is a requirement for [Company].
- The Health Information Trust Alliance (HITRUST) created the Common Security Framework (CSF) to address security, privacy, and regulatory compliance. While this is not a requirement, HITRUST is a modern security standard in healthcare, and many customers or partners request HITRUST compliance in order to close contracts or start interoperability initiatives. Thus, [Company] will need to pursue HITRUST certification if any customers require it to be in place. One advantage of HITRUST is that the framework includes a HIPAA assessment, among others. In other words, HIPAA is a set of regulations and HITRUST is how to demonstrate compliance with them.
- System and Organization Controls 2 (SOC 2) is designed for SaaS companies, and [Company] can be considered a SaaS provider because of the patient portal app, so some of the providers that partner with [Company] may request SOC 2 compliance in addition to HITRUST and HIPAA. SOC 2 is a reporting framework: it documents all systems, processes, and procedures the company performs, quarterly, throughout the year, and produces a report stating that the company is doing what its policies and procedures say it is doing. This is not a requirement for [Company] but may be needed to contract with some entities.
- There are many other compliance requirements that depend on the geographical location of patients, such as GDPR for the European markets or CCPA for the California-specific market, and these can be addressed separately.
FinTech in the Cloud
The Payment Card Industry Data Security Standard (PCI DSS) was created in 2006 and is an information security standard for organizations that handle branded credit cards from the major card companies. The PCI standard is mandated by the card brands but administered by the Payment Card Industry Security Standards Council.
The PCI Data Security Standard specifies twelve requirements for compliance, organized into six logically related groups called “control objectives”. The six groups are:
- Build and Maintain a Secure Network and Systems
- Protect Cardholder Data
- Maintain a Vulnerability Management Program
- Implement Strong Access Control Measures
- Regularly Monitor and Test Networks
- Maintain an Information Security Policy
You must provide your Attestation of Compliance (AOC) with the PCI DSS standard to all parties you connect and transact with. This certification must be renewed annually.
You can be PCI compliant in a cloud such as AWS. You must implement end-to-end encryption, encryption at rest using KMS with appropriate key rotation, and secure network segmentation.
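The three AWS controls named above, sketched as Terraform. This is an added example, not material from the page or from [Company]; resource names, the bucket name and the CIDR ranges are placeholders, and TLS termination for the application itself is assumed to be configured elsewhere.

```hcl
# Encryption at rest: a customer-managed KMS key with automatic rotation on.
resource "aws_kms_key" "cardholder" {
  description             = "Key for cardholder data at rest"
  enable_key_rotation     = true
  deletion_window_in_days = 30
}

# Every object written to the cardholder-data bucket is encrypted with that key.
resource "aws_s3_bucket" "chd" {
  bucket = "example-cardholder-data" # placeholder
}

resource "aws_s3_bucket_server_side_encryption_configuration" "chd" {
  bucket = aws_s3_bucket.chd.id
  rule {
    apply_server_side_encryption_by_default {
      sse_algorithm     = "aws:kms"
      kms_master_key_id = aws_kms_key.cardholder.arn
    }
  }
}

# Segmentation: the cardholder-data environment gets its own VPC; the app tier
# accepts only TLS, and the database tier accepts only the app tier's group.
resource "aws_vpc" "cde" {
  cidr_block = "10.50.0.0/16" # placeholder
}

resource "aws_security_group" "app" {
  name   = "cde-app"
  vpc_id = aws_vpc.cde.id
  ingress {
    from_port   = 443
    to_port     = 443
    protocol    = "tcp"
    cidr_blocks = ["10.0.0.0/8"] # placeholder: trusted ranges only, never 0.0.0.0/0
  }
}

resource "aws_security_group" "db" {
  name   = "cde-db"
  vpc_id = aws_vpc.cde.id
  ingress {
    from_port       = 5432
    to_port         = 5432
    protocol        = "tcp"
    security_groups = [aws_security_group.app.id] # no CIDR rule: app tier only
  }
}
```

Because the database rule references a security group rather than a CIDR, nothing outside the app tier can open a connection to it, which is the evidence an assessor looks for when checking segmentation of the cardholder-data environment.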
Virtual CISO Services
- Understanding clients, internal resources, and resource allocation (team).
- Policies and procedures review/update, incident response plan.
- Advise on improving security controls, monitoring, threat detection.
Consulting (includes above)
- Implement Information Security Program
- Review Data Handling, Encryption, and Network Protection
- Implement mandatory information security training
- Cloud Architecture Security Best Practices
Managed Security (includes all above)
- Represent Information Security externally
- Engage with auditors (PCI, SOC, HIPAA, HITRUST)
- Evidence tracking and issue remediation
- Grow, manage, and mentor your security team
- Become a dedicated full-time resource
Contact us for pricing
We want to hear about your project. Get a free consultation and estimate.