Health Insurance Portability and Accountability Act (HIPAA) Compliance
HIPAA, enacted in 1996, mandates that companies protect the medical information they collect from patients.The law affects insurers, hospitals, laboratories, doctor's offices and the pharmaceutical industry. The law also applies to employers who keep employee health data for insurance purposes. SAINT vulnerability assessments provide proactive security for companies that deal with medical information. HIPAA also mandates that organizations conduct assessment of potential risks and vulnerabilities to systems that maintain electronic protected health information (ePHI) data, and implement security measures sufficient to reduce risks and vulnerabilities to that data. The Security Rule in HIPAA focuses on administrative, technical, and physical safeguards specifically as they relate to ePHI. Two key principals in the security management process are Risk Analysis and Risk Management:
164.308(a)(1)(ii)(A) R - Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic Protected Health Information (ePHI) held by the covered entity.
164.308(a)(1)(ii)(B) R - Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a).
Also, as stated in the DRAFT HIPAA Security Standards: Guidance on Risk Analysis, dated May 7, 2010:
Organizations must identify and document reasonably anticipated threats to e-PHI. (See 45 C.F.R. §§ 164.306(a)(2) and 164.316(b)(1)(ii).) Organizations may identify different threats that are unique to the circumstances of their environment. Organizations must also identify and document vulnerabilities which, if triggered or exploited by a threat, would create a risk of inappropriate access to or disclosure of e-PHI. (See 45 C.F.R. §§ 164.308(a)(1)(ii)(A) and 164.316(b)(1)(ii).)
A SAINT scan can pinpoint vulnerabilities before hackers exploit them to obtain patient information. SAINT offers a number of benefits to companies working to comply with HIPAA regulations:
- Detect vulnerabilities before they can be exploited. SAINT's vulnerability assessment allows administrators to identify security deficiencies and risks within their environment to allow them to take precautions and bolster network security.
- Validate internal security controls. SAINT's policy and configuration customization facilitates validation of compliance with internal security controls, such as password aging (ref: 164.308(a)(5)(ii)(D)), operating system configurations, and anti-virus deployment.
- Find fixes fast. When SAINT finds vulnerabilities, it leads network administrators to details about the vulnerability and facilitates the fastest fixes for them.
- Demonstrate protection from attack. The SAINTexploit penetration testing tool provides a higher level of assurance of protection from attack by executing exploits and providing additional evidence of risk and impact to critical resources. This information can then be used to resolve potential risks and reduce threats from these issues.
- Assessment and tracking of progress. SAINTmanager provides additional management tools for tracking vulnerabilities found during scans, assigning work to staff members for resolution, and monitoring progress to resolve vulnerabilities and, in the end, reduce risk.