Encryption Requirements for HIPAA | Compliance MAP

Does your organization need a HIPAA compliance map for 2012?  Many small companies, and even some large organizations, are still behind in bringing their computer systems up to the level of data security required by federal and state laws.

Don’t let your organization be the next big story on the news.  Consider auditing your entire computer and network system in 2012.  All end-of-life applications and operating systems should be phased out, upgraded or replaced.  This includes Windows 2000 Servers, which Microsoft stopped supporting on July 13, 2010.  End-of-life operating systems like WIN2k (the bread-and-butter server choice in many industries) generally present the largest challenge for organizations that have built entire systems around older technology.  Layered encryption and second-level authentication should be considerations for any company that stores PHI or HIPAA-protected data.

The Ultimate and Enterprise editions of the Windows 7 operating system include BitLocker, which, when enabled, provides hard-drive-level encryption suitable for HIPAA compliance.  Windows XP is still the most common office desktop operating system.  Many companies have been slow to embrace Windows 7 because it presents some new challenges with regard to compatibility with legacy systems.  With Windows XP desktops it is necessary to deploy some other form of drive-level encryption to remain compliant.  TrueCrypt, open-source software, is a popular choice for drive-level encryption, and PGP is widely used at the file level.  Consideration must be given to all levels of data availability.  Users should only be given access to the information they require to perform their job.  Creating Windows security groups to limit file access isn’t enough: a second level of authentication to protect PHI data is required.  System backups need to be fully encrypted and protected, and the list goes on.  Make a difference in 2012 by taking the steps to secure, document and monitor your network!
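As an added illustration of the audit this section recommends (example code written for this page, not from the original post or from Microsoft), the PowerShell script below inventories a list of Windows hosts, flags the end-of-life or BitLocker-less versions named above (Windows 2000, Windows XP), and reports which volumes on each host lack BitLocker protection. The host names are constructed sample values; it assumes PowerShell 2.0 or later, WMI reachable on each host, and a local-administrator account.

```powershell
# Added example (not from the original page): audit Windows hosts for
# end-of-life operating systems and BitLocker protection status.
# Assumes PowerShell 2.0+, WMI/DCOM access to each host, and local admin
# rights (the Win32_EncryptableVolume class requires elevation).

# Constructed sample inventory; replace with your own host list.
$Computers = @("FILESRV01", "WS-RECEPTION", "WS-BILLING")

# Version prefixes the article treats as a problem:
#   5.0 = Windows 2000 (unsupported since July 13, 2010)
#   5.1 = Windows XP   (no BitLocker; needs third-party drive encryption)
$EolVersions = @{
    "5.0" = "Windows 2000 - end of life, replace"
    "5.1" = "Windows XP - no BitLocker, deploy TrueCrypt or similar"
}

function Get-HostEncryptionReport {
    param([string]$ComputerName)

    $os = Get-WmiObject -Class Win32_OperatingSystem `
                        -ComputerName $ComputerName -ErrorAction Stop
    $majorMinor = ($os.Version -split '\.')[0..1] -join '.'

    # Per-volume BitLocker state. ProtectionStatus: 0 = off, 1 = on, 2 = unknown.
    $unprotected = @()
    try {
        $vols = Get-WmiObject -Namespace "root\CIMV2\Security\MicrosoftVolumeEncryption" `
                              -Class Win32_EncryptableVolume `
                              -ComputerName $ComputerName -ErrorAction Stop
        foreach ($v in $vols) {
            if ($v.GetProtectionStatus().ProtectionStatus -ne 1) {
                $unprotected += $v.DriveLetter
            }
        }
        if ($unprotected.Count -eq 0) { $bitlocker = "All volumes protected" }
        else { $bitlocker = "UNPROTECTED: " + ($unprotected -join ", ") }
    } catch {
        # Namespace absent => BitLocker not present (XP, Win2000, Win7 Home/Pro).
        $bitlocker = "BitLocker not available"
    }

    New-Object PSObject -Property @{
        Computer  = $ComputerName
        OS        = $os.Caption
        Version   = $os.Version
        EolNote   = $EolVersions[$majorMinor]
        BitLocker = $bitlocker
    }
}

$Computers | ForEach-Object { Get-HostEncryptionReport $_ } |
    Format-Table Computer, OS, EolNote, BitLocker -AutoSize
```

Hosts whose EolNote is non-empty or whose BitLocker column reads UNPROTECTED or "not available" are the ones the paragraph above says need to be upgraded or given drive-level encryption before they hold PHI.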

HIPAA Penetration Testing

Is your patient data (PHI) secured? Are you in compliance with all HIPAA regulations? The only real way to know is to perform extensive system penetration testing. Penetration testing of both internal and external systems is an extremely important step towards compliance and serves as a valuable tool. Standard testing includes real-world hacking techniques, the results of which can help an organization understand and address system vulnerabilities before a security breach occurs.

Testing often reveals actual, exploitable security threats. Identifying these issues early allows you to safely determine which vulnerabilities are critical, which are insignificant, and which are false positives. This lets you make informed decisions about the real risks to your network and assists you in prioritizing remediation efforts.

HIPAA IT security compliance regulations and guidelines require an organization to conduct independent testing of its Information Security Program to identify vulnerabilities that could result in unauthorized disclosure, misuse, alteration, or destruction of confidential information.

Best practices recommend that each organization perform internal and external penetration tests, in addition to regular security assessments, to ensure the security of its internal and external networks.