All Posts By

Siobhan Carroll

Webinar: Securing Your Third-Party Ecosystem

By | News, Webinars/Events, Home Page Top, Home Page Recent

Third parties (both vendors and business partners) with access to an organization’s Protected Health Information (PHI) and/or Personally Identifiable Information (PII) can put your organization at risk of a data breach. Until recently, Third-Party Risk Management (TPRM) has been primarily treated as a compliance and contract approval “checkpoint,” something to check off the to do list of your procurement process with some level of diligence. But with more frequent and complicated cyberattacks, organizations need to implement effective TPRM programs that truly identify, manage and mitigate security risks.

REGISTER HERE to join Intraprise Health & Westchester Medical Center on November 14 @ 1pm EST as we discuss how to structure a robust, best-practices driven security program that delivers a high degree of Validation and Assurance.

Read More

Third-Party Risk Management: Keeping Your Healthcare Organization’s Information Safe

By | Home Page Top, Home Page Recent, Press

Read the latest article by Intraprise Health’s CEO, Sean Friel in Security Magazine.

“As the person in charge of your healthcare organization’s information technology, one of your responsibilities is protecting patients’ and clients’ information. This can be difficult because third-party vendors with whom you contract can unwittingly jeopardize the security of that information. But you can take steps today to help prevent those problems tomorrow.

Data breaches are increasingly on the minds of every C-suite executive in healthcare. Reading about security breaches can make the mightiest execs groan at the possibility something like that could happen to their healthcare organization.”

Read more here.

What You Need to Know About Split Tunneling

By | Articles

Today’s modern networks require flexibility to allow workers to work from multiple locations.  One of the most common methods to achieve remote network access is a Virtual Private Network (VPN).  VPN’s can come in all shapes and sizes, from hosted to on-premises, to in the cloud, and can be built to fit all needs.  However, one topic that is often overlooked is whether or not to allow VPN users to utilize split tunneling. Webopedia defines split tunneling as “The process of allowing a remote VPN user to access a public network, most commonly the Internet, at the same time that the user is allowed to access resources on the VPN.” The idea is a user has a tunnel to the corporate network to access any apps or shared drives through the VPN connection while still utilizing the local internet connection of the remote user for access to the web or local resources.

Read More

Intraprise Health Appointed to 2 Seats on HITRUST CSF Assessor Council

By | News, Articles, Home Page Recent

Council Members Provide Expertise on Various Security and Privacy Programs of Interest to Healthcare Industry

Intraprise Health is pleased to announce that Ryan Patrick and Melissa Hawkins have been appointed to the HITRUST CSF Assessor Council. In its second year, the HITRUST CSF Assessor Council includes members representing a broad range of experience in information security and privacy. Appointees work closely with HITRUST to ensure and evolve HITRUST’s integrity, effectiveness and efficiency.

“We are honored to be appointed to the HITRUST CSF Assessor Council,” said Ryan Patrick, Senior Vice President and leader of Intraprise Health’s HITRUST practice. “Together with my colleague, Melissa Hawkins, we look forward to working closely with HITRUST to both learn from them and give them the benefit of our 8 years of field experience as a HITRUST Assessor firm.”

Certified Assessors since 2011, Intraprise Health (formerly BluePrint HIT) is completely focused on healthcare. With specifically designed programs for health systems, business associates and payers, Intraprise Health’s proven methodology and certification program management tools have helped healthcare organizations of all sizes achieve HITRUST certification. Intraprise Health’s broad range of security services include:

  • HITRUST Certification services
  • HIPAA Security Risk Analysis
  • Education and Awareness Training
  • Vulnerability/Penetration Testing
  • Security Risk Assessments
  • Third Party Risk Management

For more information about Intraprise Health and our HITRUST CSF services, please click here.

To register for our upcoming HITRUST CEP, being held in Malvern, PA on August 28 click here.

To register for our San Francisco CEP, to be held September 10, click here.

Intraprise Health Launches Software Service to Battle Security Breaches in Healthcare Organizations

By | News, Home Page Top, Home Page Recent, BluePrint Protect

BluePrint Protect™ Security Risk Management Software Manages and Automates Security

YARDLEY, Pennsylvania, August 13, 2019 – Utilizing more than a decade of expertise in security and technology for healthcare clients, Intraprise Health has created BluePrint Protect™ Security Risk Management Software.  BluePrint Protect™ was created to help organizations efficiently manage and automate their security program, starting with one of the most pressing needs for any organization, Third-Party (Security) Risk Management, or TPRM.

Utilizing its intuitive, modern interface, BluePrint Protect™ customers gain a comprehensive, ongoing and dynamic view of their enterprise-wide third-party risks by automating TPRM processes and leveraging Intraprise Health’s third-party/vendor knowledge base, or “Third-Party Assessment Cloud.” Security team members, users from across an organization’s supply chain and their third parties can access or be connected to the platform to collaborate and communicate in real-time. BluePrint Protect™ drives task management and reporting to accelerate milestone completion, thereby reducing the resource burden and time commitment for all involved, especially the customer’s security team.

“BluePrint Protect™ is a unique software and service-delivery platform designed to solve some of the biggest cybersecurity challenges that health systems, payers, pharma companies and their third-party vendors must deal with today and into the future,” Intraprise Health CEO Sean Friel says. “It’s the first-ever healthcare-focused workflow automation and visualization platform designed by certified healthcare cybersecurity professionals for Chief Information Security Officers (CISOs) and their security teams.”

In addition to serving as a platform for delivering Intraprise Health’s healthcare industry-leading TPRM services, some unique BluePrint Protect™ features include:

  • Cyber Risk Index and Enterprise Risk Register
  • Healthcare-specific software to automate workflows, enable collaboration to drive efficiencies and scale
  • Visualization tools and dashboard for a “single-pane of glass” view of enterprise-wide security risks
  • Automation and acceleration of key Information Security Office functions

Steven Goriah, Westchester Medical Center Health Network’s Vice President of Information Technology/CIO and Chief Information Security Officer, recognizes the need to holistically manage third-party risk. “WMCHN has partnered with Intraprise Health for several years to build a robust and certified information security program including the implementation of our TPRM processes. Going through a security risk assessment is a rigorous and time-consuming process for everyone involved. We expect the use of BluePrint Protect™ along with their TPRM services will deliver more efficiencies and a better experience for all stakeholders including our third-party vendors and partners.”

These features can help reduce the costly possibility of breaches.  Each breached health record costs organizations on average $380 per record.  The HIPAA Journal estimates there were 2,546 healthcare data breaches involving more than 500 records between 2009 and 2018. The breaches resulted in the theft or exposure of almost 190M healthcare records. “That equates to more than 59% of the population of the United States,” the HIPAA Journal states. “Healthcare data breaches are now being reported at a rate of more than one per day.”*

About Intraprise Health

Intraprise Health is a healthcare focused cybersecurity solutions firm and a certified HITRUST Assessor with extensive experience in the NIST Cybersecurity Framework. Providing health information security products and services to assess, remediate and monitor cybersecurity risk,  Intraprise Health’s services include penetration testing, medical device security, third-party (vendor) risk management, phishing exercises and business impact analysis. Intraprise Health’s newest product, BluePrint ProtectÔ, helps organizations efficiently manage and automate their third party risk management program, providing hospitals and health systems with a comprehensive, ongoing and dynamic view of their enterprise wide third party risks and automating and accelerating key information security office functions.  Intraprise Health received a 97.2 rating in the 2018 KLAS Cybersecurity Services report in the Advisory Focused Firm category.

###

* https://www.hipaajournal.com/healthcare-data-breach-statistics/

Intraprise Health Featured in CISO Magazine — Read the article!

By | Home Page Top, BluePrint Protect, Press

“Taking control of third-party risk in healthcare”

Data breaches are on the minds of every C-suite executive in healthcare. Third parties (i.e., vendors) with access to organizations’ protected health information (PHI) and/or personally identifiable information (PII) represent a significant risk for data breaches to the organization.

The Information Systems Audit and Control Association (ISACA) defines TPRM as “The process of analyzing and controlling risks presented to your company, your data, your operations and your finances by parties OTHER than your own company.”

Data breaches in healthcare organizations continue to make the front page and the struggles of organizations to get a handle on their third-party risk are well documented. A study conducted by the Ponemon Institute notes, “Despite the number of publicized data breaches throughout the U.S., there continues to be a significant lack of confidence and understanding within companies as to whether their security posture is sufficient to respond to a data breach or cyberattack … Companies also need to do more than depend on business associate agreements to ensure that consumer information is being protected. Business should perform audits and assessments with vendors.”

Most organizations are aware of the information security risk posed by third parties. They also admit their current vetting process is ineffective or non-existent.

Why don’t organizations focus more on TPRM?

Building and maintaining a solid TPRM program can be difficult, time consuming and resource-intensive, especially when starting from scratch. Executives admit to several barriers:

  • Some organizations don’t have a complete and accurate list of vendors that have access to sensitive organizational data.
  • The prospect of starting a new program or beefing up an existing one without subject matter expertise can be daunting.
  • It takes money and people – something that is often in short supply and competing with other priorities.
  • There is an assumption that the third party is responsible and is protecting sensitive data.
  • Third-party risk is seen as something outside the four walls, so it doesn’t get the priority it deserves.
  • There is a lack of perceived value versus the expertise, time and effort required to build and maintain a program.

These reasons, while valid, do not absolve an organization of its responsibility to protect the PHI/PII with which it is entrusted.

Thanks to the HITECH regulation and associated Meaningful Use program, as well as related technology advances over the last 15 years, healthcare is becoming less insular and increasingly interoperable. The dependency on third parties by covered entities to adhere to the regulation and deliver the best coordinated care possible is inextricable, increasing the technical integration requirements, which raises the risk profile greatly.

However, making risk-based decisions on whether to engage a third party require reliable, consistent information related to a third party’s policies, procedures, practices and overall information security risk profile; this is essential for risk mitigation for a healthcare organization.

How can you raise TPRM’s profile in your organization?

To overcome the many perceived barriers to getting started with an effective program, you need a champion. The chief information security officer (CISO) or equivalent leader needs to get the buy-in of the C-suite executives, and together they must evangelize the importance of TPRM for the entire organization, not just the IT department.

Knowing about the risk posed by third parties and appreciating the need to assess and remedy those risks will improve the program’s success rate greatly. These are messages everyone in the organization — from the leadership on down — needs to hear and understand implicitly.

Your organization’s Compliance department needs to be actively engaged; they’re often terrific champions in managing third-party risk. Once a program is implemented, Compliance staff often has ultimate responsibility for enforcing the organization’s adherence.

Any organizational channel that introduces third parties and the associated exposure of PHI/PII needs to be an integral part of a complete TPRM program that includes assessments and monitoring. These channels include department heads (where the vendor relationship often originates) and procurement, legal, contracting and IT/IT security departments, to name a few.

A strong TPRM program is vital to the health of your organization. Understanding the requirements for TPRM and how to create buy-in throughout your organization is critical to creating a strong security posture. Don’t wait until one of your third parties is compromised to begin implementing your own TPRM program.

By Brian Parks, Senior Vice President, Security Services, Intraprise Health

https://www.cisomag.com/taking-control-of-third-party-risk-in-healthcare/

 

How to Prepare for HITRUST Certification: Gaining Organizational Support

By | Articles

Why HITRUST?

More than 81 % of U.S. hospitals and health systems and 80 % of U.S. health plans use the HITRUST Common Security Framework (CSF). It provides implementation standard that is understood and accepted throughout the healthcare industry. Having HITRUST certification in place shows other healthcare entities that you take your security seriously.

Now what?

You and your cybersecurity colleagues have done your research. You know the HITRUST framework is top-notch and addresses federal and state regulations and several security frameworks. Executives of your organization see the value in HITRUST’s CSF that will help you assess and manage your organization’s information security. You’ve got the green light. Where do you go from here? Education. From executive leadership to front line employees everyone needs to understand and accept the level of effort and commitment it takes to properly adopt the HITRUST CSF. Organizing educational sessions with stakeholders and identifying an organizational champion (someone that is very visible, respected and influential in the organization) to assist in sending the message.

What’s next?: Engaging staff throughout the organization

Read More

Microsoft and Intraprise Health Announce HITRUST® Community Extension Programs in Malvern, PA and San Francisco

By | News

Microsoft and Intraprise Health have opened registration for two HITRUST Community Extension Programs. One to be held at the Microsoft Technology Center in Malvern, PA on Wednesday, August 28, 2019, and the other to be held in San Francisco on September 10, 2019. Supported by HITRUST, hosted by Microsoft, and facilitated by Intraprise Health, the one-day, no cost, events will provide healthcare organizations of all types and sizes an opportunity to engage with local peers to discuss the challenges, best practices, and lessons learned in effectively implementing a risk management program, operating a third-party risk management program and improving cybersecurity practices by leveraging the HITRUST CSF® and the HITRUST Approach.

“We are extremely pleased to be a part of the Community Extension Program with Microsoft at their Technology Centers in Malvern and San Francisco. These events allow us to bring together CIOs and CISOs from all over to learn and share their risk management concerns and questions regarding the HITRUST CSF certification process.” said Ryan Patrick, Senior Vice President, Intraprise Health.

Read More