Articles & Blogs

HITRUST And HIPAA Compliance Helps Organizations Create More Walls Around Their Customer Information

December 15, 2022 | By Accorian
Accorian - HITRUST and HIPAA Compliance

Cybercriminals are often attracted to the data held by healthcare companies. Patient data, banking information, and other personal identifying information (PII) are gathered by healthcare organizations, forming rich collections of data. With such comprehensive data sets, cybercriminals are more frequently targeting healthcare providers and their service providers, sometimes resulting in significant losses. Ransomware is a type of malware that encrypts files, preventing access to the data. Given the increasing risk, it is all the more necessary that healthcare entities implement safeguards to protect against the harmful impacts of a ransomware attack. Information security compliance frameworks, such as HIPAA and HITRUST, provide reliable guidance to organizations seeking to prepare for ransomware attacks proactively.

A Rise in Ransomware Attacks in Healthcare

In October 2022, Common Spirit Health – one of the largest non-profit health systems in the United States – became the target of a ransomware attack that left some of their systems inaccessible even weeks later. This attack underscores the need for healthcare organizations to exercise due care in managing critical data.

In planning a ransomware attack, cybercriminals look for opportunities to exploit the workforce and unsecured data. A vulnerable cybersecurity risk management strategy could leave:

● Prescriptions unfilled
● Surgeries delayed
● Doctors unable to access records
● Patient information publicly exposed

How Does HITRUST and HIPAA Relate To Each Other

The Health Insurance Portability and Accountability Act (HIPAA) is a federal law of the United States of America that contains security and privacy rules to protect sensitive patient health information from use or disclosure without a patient’s consent. Healthcare providers, health plans, healthcare clearinghouses, and organizations that use or disclose healthcare information on their behalf (known as business associates) are all subject to HIPAA. The US government further strengthened the protections of HIPAA with the HITECH Act, adding requirements for enforcement and breach notification.

In drafting the CSF framework, HITRUST aligned numerous national and international regulations, standards, and frameworks, including HIPAA and the HITECH Act, to create a comprehensive and reliable set of privacy and security controls. Since its first release, the CSF has been updated numerous times, incorporating updated sources and an ever-expanding set of global privacy and security standards.

In addition to the CSF,  HITRUST provides the following resources for entities to further strengthen their cybersecurity and risk management programs:

● HITRUST CSF
● HITRUST Threat Catalogue
● MyCSF SaaS assurance and analytics platform
● Assurance assessments
● Assessment results management
● Risk management and compliance programs scaled for small businesses and startups
● Training programs for best HITRUST practices

Reinforcing Cybersecurity with HITRUST and HIPAA

These two work together most effectively by facilitating healthcare providers to prove their HIPAA adherence with HITRUST compliance.

Though Systems and Organizations Controls 2 (SOC 2) examinations exist – which CPAs administer – HITRUST is one of the key certification that prove HIPAA compliance. This is only one of the ways they work together to prevent ransomware attacks.

Because healthcare companies are looking into HITRUST and HIPAA, this prompts companies to inform staff about the risks of ransomware attacks. Aggressive ransomware attacks pressure healthcare executives to stay notified about emerging threats, requiring them to provide training and resources for staff to be aware of ransomware signals.

Abiding by HITRUST and HIPAA also creates more walls around customer information. It instructs employees but restricts access and usage of that information to prevent abuse and misuse.

It also improves aspects of risk management programs that might not have been identified if it weren’t for third-party oversight. HITRUST assessment reports not only highlight any gaps in healthcare company strategies but can also highlight inconsistencies and techniques for more effective data control and monitoring.

Unprepared healthcare entities will execute procedures reactively instead of proactively mitigating threats. Some companies rely solely on cyber insurance. However, with rising premiums and stricter qualification policies, HIPAA and HITRUST compliance are the best supplements to insurance. It provides both preventive management and proactive responses to cybercriminal attacks.

Preventing Ransomware Attacks in Healthcare

HITRUST and HIPAA provide resources for healthcare entities to advance patient peace of mind. Not only does it protect patients, but it protects employees and their assets as well.

Employing these standards reveals vulnerabilities, provides insight for system improvement, and increases operational efficiency. This helps mitigate the fear of ransomware attacks. Your healthcare business – whether a hospital, pharmacy, or non-profit group – will benefit from these regulations in many ways, not least because patients will trust your systems to keep their data secure.

SOC2 Compliance

Recent Blog

Article

Questions to Ask my SOC2 Auditor before Signing up for a SOC 2 Compliance Audit

Written By Om Hazela & Sarthak Makkar ||  Ideally You want to find a service provider to take you from SOC 2 readiness to report. SOC 2 is a third-party review that attests the organization’s ability to protect the data and information they process and store. Given the current scenario where a lot of data breaches and cyberattacks are on the rise, a SOC 2 report help organizations empower with:• Enhance one’s view into your organization’s security posture• Identify opportunities for improvement over existing controls• Position your company competitively in the market (Prospects want to ensure Security is considered a priority in your organization).Many vendors offer different aspects of the SOC 2 process, from software providers who help you get audit-ready, to certified auditors from CPA firms who can assess your infrastructure and release a final SOC 2 report.Ideally, you will want to find a service provider to take you from SOC 2 readiness to report.Use these points to help you assess a vendor/service provider before signing a contract for your organization’s SOC 2 Assessment. These questions will provide you with clarity about your requirements for SOC 2 and how a service provider will be able to help you, from preparing your organization to getting attested for SOC.1. Are you a licensed CPA firm? The American Institute of Certified Public Accountants (AICPA) regulates SOC 2 audits, which must be carried out by an external auditor from a certified CPA firm. This is the only way you, as a company, can get an official SOC 2 report. Verifying that the SOC 2 vendor you are considering working with has the required accreditation is essential.2. Do you offer SOC 2 readiness services? Before you carry out a formal audit, a SOC 2 readiness assessment is a helpful way to assist you in evaluating your company's posture. Before a SOC 2 audit, gaps in your cybersecurity procedures that need to be closed (and their severity) can be identified using a readiness assessment. Ultimately, this will help you save time, establish priorities, and position your business to perform well during the SOC 2 assessment. 3. Evidence collection and validationThe evidence collection processes for SOC 2 Type 1 and Type 2 are very similar. The evidence is the same whether it is SOC 2 Type 1 or Type 2; they both cover a moment in time or a period of time. Thus, you could be required to submit the most recent Board of Directors meeting minutes for Type 1. However, if Type 2 applies to you, you must present those minutes for each quarter of your observation time. For a Type 2, there is more proof to gather, but the information is the same as a Type 1.4. How long does it take to complete a SOC 2 assessment?Many service providers claim to be able to finish a SOC 2 audit in 14 days. This clause should be clarified before a contract is signed. Although evidence collection is essentially one phase in the SOC 2 audit process and does not always lead to a full audit or final report, the two-week schedule is frequently used as an estimate for an expedited evidence collection procedure.Demand a detailed timeline from your vendor and ask them to walk you through each phase of the SOC 2 audit. This is crucial so that you can allocate resources effectively. Additionally, it is critical to understand when you might anticipate receiving a report to effectively interact with potential customers who inquire about a SOC 2 report during the sales process.5. Can you provide us with a final report?  Many SOC 2 service companies can only help you...

View More

Article

What is ISO 22301 Certification: The Business Continuity Management System Standard

Written by Kiran Murthy | Naga Chinmai | Eishu Richhariya What is ISO 22301 Certification? ISO 22301 Certification provides a framework to plan, establish, implement, operate, monitor, review, maintain and continually improve a business continuity management system (BCMS). It is expected to help organizations protect against, prepare for, respond to, and recover when disruptive incidents arise. It provides the framework for businesses to increase their resilience and enables the organization to deal with disruptive incidents. Need for ISO 22301 Certification Obtaining ISO 22301 Certification should be high on the priority list of organizations that must prove to their stakeholders that they can immediately overcome operational disruptions to provide continued and effective service. Gaining ISO 22301 Certification puts the organization within an individual group of companies committed to business resilience. It ensures compliance with industry standards. It safeguards the brand’s interest and integrity. It reduces the financial risk of an organization. It gives a competitive advantage to a company. It helps to protect critical business assets. Benefits of ISO 22301              Why do you need a Business Continuity Management System (BCMS)? Looking back, could you have planned for Covid? The effects of Covid-19 have significantly raised awareness for Business Continuity Planning. Most office-based firms have adapted and applied their plans for a hybrid model to work from home.  However, many others did not foresee the operational impacts, including service providers and supporting customers. For most organizations, today might be business as usual. However, problems can happen when you least expect them. Whether it’s a cyber-attack, an IT-related issue, building unavailability due to natural disasters, a planned outage, or a supply chain disaster. We’re all at risk, and sooner or later, every business will have to deal with such issues. If there is no plan, the outcome could be much worse than they need to be. Organizations can opt for BCMS, ISO 22301:2019, one of the best suitable options as it lays down the requirements that an organization can use for understanding the needs and necessities for business continuity policy and objectives. It helps to protect business and reputation, stay agile and resilient, and to minimize the impact of unexpected interruptions.  Implementation Flowchart RECOMMENDATION: DESIGNING YOUR ISO 22301 CERTIFIED BUSINESS CONTINUITY PLAN A single disaster can put the entire organization’s structure in jeopardy. Here are a few best practises we can consider within the Information Security domain that can help keep the business running regardless of a disaster. Process and Strategy to ensure their effectiveness An organization cannot keep its operations running successfully without appropriate and realistic testing of its BCP/DR Plan regularly. Without this, the organization may not even know what is practically executable and what is not. Testing must be performed in a way that covers every process, from a younger failing process to the entire service being wiped out because of a tornado.  This gives a level of maturity to your plan over time and minimizes the recovery time during a disaster or crisis. Enhance the Utilization of Virtualization The objective must be to switch the users from the traditional environment to a virtualized environment smoothly, where they can continue their work and provide the services they always did. This helps build trust in the users, and predominantly towards the organization. It also allows the organization to continue its business seamlessly during a crisis. Conducting Business Continuity Awareness & Training Program Training & Awareness programs play an essential role in preparing employees and organizations for a crisis. These programs should be conducted regularly for each employee of an organization. For this, an organization can also create a Business Continuity Awareness Team, which performs regular Business Continuity Training & Awareness Programs and keeps track of the...

View More

Article

HITRUST CERTIFICATION: IMPORTANCE IN HEALTHCARE

Being HITRUST-certified is one-way companies can demonstrate their commitment to security and privacy to clients and partners Healthcare is one of the most highly regulated industries regarding privacy and security. There is a good reason for this, too, as personal health information (PHI) is some of the most valuable information for cybercriminals and people that commit fraud. According to the US Department of Health and Human Services 2020 Healthcare Breach Report, the average cost per breached record is $499 and can be sold for over $1000. As a result, PHI has become highly targeted by criminals, and to combat this, regulations and security standards have been created to ensure that businesses protect this information correctly. This article will discuss a popular security framework and certification in the healthcare industry called HITRUST. What is HITRUST Certification? HITRUST, created in 2007, is a standards and certification body that helps organizations manage information security, privacy, and regulatory compliance. Organizations that achieve HITRUST certification have passed the framework checks and have shown an ability to adhere to the security requirements of HIPAA.  Then there is the HITRUST CSF framework. What is HITRUST CSF The HITRUST CSF is a certifiable security and privacy controls framework that provides organizations with a comprehensive, flexible, and efficient approach to regulatory compliance and risk management. Developed in collaboration with data protection professionals, the HITRUST CSF provides structure, transparency, guidance, and cross-references to 40+ authoritative sources, standardizing requirements and providing clarity and consistency. The HITRUST CSF is regularly updated as mapped authoritative sources change and new sources are introduced. Because the HITRUST CSF is both risk- and compliance-based, organizations of varying risk profiles can customize the security and privacy control baselines through various factors, including organization type, size, systems, and regulatory requirements. The HITRUST CSF assurance program combines aspects of many popular security frameworks, including ISO, NIST, PCI, and HIPAA. So it’s not limited to just evaluating companies based on HIPAA requirements. There is a roadmap that organizations can follow to achieve data security and compliance with HIPAA.  Why is HITRUST Important in Healthcare? Whether you are a healthcare provider or a processor of healthcare information, you have a big responsibility to ensure that you protect that information. Not only is this heavily mandated through regulations like HIPAA, but your potential clients will want to know that you can uphold these standards as part of their requirements for doing business with you. Being HITRUST certified is one-way companies can demonstrate their commitment to security and privacy to potential clients and business partners. HITRUST vs. HIPAA The relationship between HITRUST and HIPAA can be confusing at first. However, it’s essential to understand that they are not the same but are closely related. HIPAA stood for the Health Insurance Portability & Accountability Act and was passed by Congress in 1996. While HIPPA is a regulation created by lawmakers, HITRUST is a framework developed by security experts that covers key aspects of HIPAA compliance and draws from dozens of other authoritative sources, as well. One of the issues organizations face with HIPAA compliance is translating somewhat vague requirements into quantifiable and measurable criteria and objectives. HITRUST helps companies achieve this by providing a framework for identifying the organization's appropriate administrative, technical, and physical safeguards.  HITRUST Certification Requirements Now that we’ve discussed the value of HITRUST in the healthcare industry, let’s look at how a company can become certified. For an organization to become HITRUST certified, it must undergo a validated assessment by a HITRUST assessor firm. The company must purchase a MyCSF subscription from HITRUST and a certification report credit. Upon completion of the validated...

View More

Article

Penetration Testing: Search Engine based Reconnaissance

Written by Vivek JaiswalReconnaissance is an essential phase in Penetration Testing, before actively testing targets for vulnerabilities.It helps you widen the scope & attack surface and helps uncover potential vulnerabilities. There are already multiple open-source and proprietary automated tools available in the market to perform reconnaissance or scan any host/application for vulnerabilities, while penetration testing. However, the manual and professional approach is what gives you the actual understanding of the backend technology, it’s workflow, and helps you uncover potential vulnerabilities.A basic reconnaissance includes:Subdomain EnumerationDirectory EnumerationPort ScanningSearch Engine based reconGithub reconShodan reconEnumerating backend technologiesWayBack Historyand so on In this article, I will demonstrate how a simple Search Engine based Reconnaissance helped me identify a potential security vulnerability that leads to dumping the entire database - SQLiWhile I was recently working on an External Network Penetration Testing project, as usual, I started with the basic reconnaissance approach.Now, for a Network Penetration Testing activity, I started with the basic port scan and services enumeration. Once the scans were complete, I found the 80/TCP port open which is an HTTP webpage. I then quickly visited the site and found that it did not have any feature or functionality and was only a static error page. After this, I started performing some directory brute forcing using a common wordlist of directories. You can find the payload list here.I couldn’t find any valid directory or any entry point, on trying the common directory wordlist. I then proceeded with another reconnaissance approach which was the Search Engine Based Information Discovery.Tip: It is always better to use custom directory names wherever possible, as they are difficult to guess and brute force. Here comes the interesting part First, what is Search Engine based discovery or reconnaissance in penetration testing? Search Engine based reconnaissance in simple terms is a method to extract all the information which are publicly available on the internet in the databases of various search engine(s).Basically, all search engines work in an automated fashion where they use software known as web crawlers that explore the web regularly to find pages to add to their indexes. In fact, the vast majority of pages listed in our results aren't manually submitted for inclusion but are found and added automatically when the web crawlers explore the web. Coming back to our scenario: While I was trying to enumerate via Search Engine discovery, looking for information publicly disclosed over the Internet, I came across a very interesting directory. In this article, I will call it “/unique_directory”. I quickly accessed the URL (http://example.com/unique_directory) and found a simple login page. I then started to poke the login page to find weaknesses that I could leverage and, in the process, I sent a single quote (‘) as the username. The server responded with an error page, and the error message indicated that there was an unclosed quotation mark, as the addition of the single quote made the backend query syntactically incorrect. this behavior and the error message from the server,is an indication of a possible SQLi. After numerous attempts of carefully crafting and recrafting payloads, it was observed that the servers revealed the backend database information in the error message, which confirmed the presence of a SQLi vulnerability and also the database server used in the backend. Payload used: ') and (select CASE WHEN (substring(@@version,1,50))=1 THEN 1 ELSE 0 END )=1 and ('1'='1 Explanation of the payload: The CASE statement goes through conditions and returns a value when the first condition is met (similar to an if-then-else statement). So, once a condition is true, it will stop reading and return the result. If no conditions...

View More

Article

ISO 27001 AND ISO 27002 CHANGES FOR 2022

(ISO/IEC 27001:2022 and ISO/IEC 27002:2022) Written by Kiran Murthy & Eishu Richariya Recently a publication notice was released regarding the ISO 27001 and ISO 27002 changes in 2022, which states that, “all organizations having an ISO 27001:2013 (ISMS) will be required to map and update their controls in place in accordance with the new recommendations in the revised ISO/IEC 27002:2002, considering their organizational needs and context.” /*! elementor - v3.6.6 - 08-06-2022 */ .elementor-heading-title{padding:0;margin:0;line-height:1}.elementor-widget-heading .elementor-heading-title[class*=elementor-size-]>a{color:inherit;font-size:inherit;line-height:inherit}.elementor-widget-heading .elementor-heading-title.elementor-size-small{font-size:15px}.elementor-widget-heading .elementor-heading-title.elementor-size-medium{font-size:19px}.elementor-widget-heading .elementor-heading-title.elementor-size-large{font-size:29px}.elementor-widget-heading .elementor-heading-title.elementor-size-xl{font-size:39px}.elementor-widget-heading .elementor-heading-title.elementor-size-xxl{font-size:59px} Highlight of ISO 27001 Updates /*! elementor - v3.6.6 - 08-06-2022 */ .elementor-widget-image{text-align:center}.elementor-widget-image a{display:inline-block}.elementor-widget-image a img[src$=".svg"]{width:48px}.elementor-widget-image img{vertical-align:middle;display:inline-block} ISO/IEC 27001:2022: All organizations having an ISO 27001:2013 (ISMS) will be required to map and update their controls in place in accordance with the new recommendations in the revised ISO/IEC 27002:2002, considering their organizational needs and context. ISO/IEC 27002:2022: The current version of ISO 27002 that contains 114 controls divided over fourteen chapters, and  the version of ISO 27002:2022 that will contain 93 controls will all be divided over four categories/themes: Chapter 5 Organizational (37 controls) Chapter 6 People (8 controls) Chapter 7 Physical (14 controls) Chapter 8 Technological (34 controls) THE NEW CONTROLS The guidance section for each control have been examined and updated to reflect current advancements and practices (as necessary). Additionally, each control now has a 'Purpose' statement and a set of 'Attributes' to be used in conjunction with cybersecurity principles and other industry standards. An update to the standard also needs to factor in today's threat landscape and security threats. The new controls are: Threat intelligence Information deletion Information security for the use of cloud services ICT readiness for business continuity Physical security monitoring Configuration management Data masking Secure coding Data leakage prevention Monitoring activities Web filtering CONTROL ATTRIBUTES These controls have five types of 'attributes' to make them easier to categorize: Control type (preventive, detective, corrective) Information security properties (confidentiality, integrity, availability) Cybersecurity concepts (identify, protect, detect, respond, recover) Operational capabilities (governance, asset management, etc.) Security domains (governance and ecosystem, protection, defense, resilience) Timing & Enforcement: A two-year transition period will be granted (unlike three years in several previous transitions). FAQs ON ISO 27001 and ISO 27002 1. Will Accorian help us transition to the new revision of ISO 27001:2022? We will assist in preparing material for the adjustments, and the organization will be able to upgrade until the 2022 revision is published, which is likely to occur soon, unless their existing ISO 27001 certificate expires after 2024, in which case, the certification bodies will conduct regular surveillance visits to ensure compliance with the new revision.  If the organization's existing ISO 27001 certificate expires before 2024, then they will need to upgrade through subsequent re-certification. 2. We have chosen to begin implementing ISO 27001 now; which controls should we apply considering future changes? Organizations should begin applying the clauses mentioned in the ISO 27001:2013 standard until this new standard is available. This will ensure the upcoming modifications and the work required to implement the new standard will be minimal. 2.1 How to plan a transition from ISO 27001:2013 revision to 2022 revision? Contrary to popular belief, there will be no ISO 27001:2022 but an addendum to 27001:2013 (dubbed ISO/IEC 27001:2013+A1:2022, source). Annex A will be superseded by a normative version of ISO 27002:2022's 93 new regulations (but without the useful hashtags). If ISO 27001:2022 is amended, organizations who have already implemented ISO 27001:2013 are undoubtedly thinking to themselves, "Oh no, now that the 2022 revision has been published, we have to start over." This is not true — while the 2022 revision does introduce some modifications, they are quite trivial. Organizations should...

View More

    Ready to Start?



      Ready to Start?



        Download Case study




          Download Guide




          Human Resources Director

          Posted On: 09 May, 2022

          Drop your CVs to joinourteam@accorian.com

            Interested Position

            First Name

            Last Name

            Email

            Total Experience

            Mobile Number

            Upload Resume

            Cancel