Intraprise Health’s security services (which include BluePrint HIT) have been at the vanguard of healthcare information privacy and security since 2009. Completely healthcare focused, we provide advisory services and solutions to meet the pressing information security needs you face now and in the future.
- Security Risk Assessment
- Penetration Testing
- Medical Device Security Program
- Security Education
- Business Impact Analysis
- Tabletop Exercises
- Phishing Exercises
- Third Party Risk Management Services
Security Risk Assessment
Our Security Risk Assessment looks at an organization’s information security and risk management program in a collaborative, standards-based, and compliance-aware approach. Our Security Risk Assessment service includes strategic, operational, and tactical assessments in order to achieve comprehensive risk mitigation.
Progressive healthcare organizations perform a Security Risk Assessment on an annual basis, resulting in the creation of a remediation plan. Our cyber security professionals have deep expertise and are armed with the latest scanning tools and techniques. This gives us the most meaningful and accurate vulnerability intelligence for risk analysis and remediation planning.
- Map identified vulnerabilities to HIPAA (as amended by HITECH and the Omnibus 2013 Final Rule), the NIST Cybersecurity Framework and the HITRUST CSF
- Draft a comprehensive Report of Findings incorporating practical, real-world remediation recommendations
- Present findings and recommendations in stakeholders’ briefing session(s)
- Provide subject matter expertise for senior management decisions, regarding risk
- Assist with alignment of strategy, business objectives, and information assurance
- Evaluate HIPAA/HITECH compliance
- Document current state of security controls
- Meet the requirements associated with Meaningful Use
- Identify gaps that pose true business risk
- Create a practical remediation roadmap
- Establish a sustainable operating model for information security and privacy
- Further relationships based on trust and confidence with your clients and business partners.
Penetration Testing
Penetration Testing uses existing vulnerabilities to uncover security blind spots as well as to determine to what extent they can be exploited. Our penetration testing expert (“ethical hacker”) simulates the actions of an external cyber attacker to expose critical systems and strives to gain access to sensitive data.
We use a mix of proven penetration frameworks and tools containing databases of known exploits that are deployed against a set of discoverable entry points and the services that run on them.
Medical Device Security Program
Our Medical Device Assessment and Program Development experts carry out planning, process and procedure development exercises that highlight the steps necessary to assess and secure your connected medical devices through appropriate safeguards.
Our Medical Device Security Service team will:
- Convene an interdepartmental governance group (IT, Biomed, Facilities/Physical Security, Nursing, CMO’s office, other Client functional areas as required).
- Form an interdepartmental group responsible for leading the planning, administrative management and implementation of your medical device security program.
- Review, revise or create policies and procedures to govern medical device security.
- Adapt the NIST Cybersecurity Framework or HITRUST CSF to create a Medical Device Security Risk Analysis framework.
- Apply Probability and Impact Rating System (PAIRS) to identify criticality and prioritize current risks.
- Carry out Physical and Technical Testing.
- Perform a walkthrough of one or two physical areas to observe medical device utilization and the physical security environment.
- Perform a vulnerability scan of a small subset (1-5 devices) of medical devices in a “safe zone” VLAN. Document findings and remediation recommendations, including Common Vulnerability Scoring System (CVSS) ratings.
- Review the medical device security management program, incorporating learnings from the technical security scan and physical security assessment.
- Provide recommendations for overall program redesign as well as policy and procedure revisions/enhancements to optimize for future expansion.
Security Education and Awareness Training
Education and Awareness Program Development
Security vigilance is achieved through staff awareness and education. It is an organization’s most powerful risk mitigation tool.
Our programs feature security experts who make security education engaging and interesting with the goal of increasing competence and confidence.
- Content and material development for education and awareness training sessions
- One-time topic workshops
- Year-long progressive topic development
- Customized content and topics to suit organizational goals
- Communication and internal promotion plans and content
- Tailored topics by audience or skill level
- Online education and content
Business Impact Analysis
Business Impact Analysis (BIA) is a systematic process to assess and evaluate the potential effects of an interruption to operations as a result of a natural or man-made disaster, accident, or other emergency, and to gather information needed to develop recovery, prevention, and risk mitigation strategies. We conduct Business Impact Analysis in accordance with NIST Special Publication 800-34 and best practices outlined by the Disaster Recovery Institute International (DRII).
- Mission/business processes and recovery criticality:
  - Outage impacts
  - Maximum tolerable downtime
  - Recovery time objectives
  - Recovery point objectives
- Resource requirements
- Recovery priorities for system resources
- Review of business continuity plan to assess potential gaps and to prepare remediation recommendations
Tabletop Exercises
Tabletop exercises (TTXs) are a proven method for practicing the skills and knowledge needed to implement a plan or operation during an incident, whether within a single organization or across several organizations.
Our TTXs are discussion-based sessions where team members meet in an informal, classroom setting to discuss their roles during a crisis, such as a data breach or disaster recovery scenario, and to practice their responses to various high-value scenarios. Most tabletop exercises can be conducted in a few hours and create an environment for shared learning and cross-organization collaboration.
TTX topics can include business continuity and disaster recovery, as well as various breach management and incident response issues.
Phishing Exercises
Phishing campaigns have a two-fold benefit. First, they test an organization’s overall level of awareness about these very common, but high-risk, attacks. Second, they create an opportunity to improve user competence for those susceptible to compromise through personalized learning experiences.
The best safeguard against targeted phishing attacks is to educate staff and ensure they know how critical their role is in protecting the information they possess. Educating staff on current threats, like phishing attacks, empowers them to become proactive protectors of your organization’s most valuable asset — your data.
Third Party Risk Management Services
Data breaches are on the minds of every C-Suite executive in Healthcare. Third-Parties (i.e., vendors and business partners) with access to an organization’s Protected Health Information (PHI) and/or Personally Identifiable Information (PII) represent a significant risk due to the potential for data breaches. Until recently, Third-Party Risk Management (TPRM) has been primarily treated as a compliance and contract approval “checkpoint”. Due to the significant growth in healthcare data breaches and the awareness of the risk posed by third-party security weaknesses, healthcare organizations have started implementing stronger TPRM programs that focus on uncovering true security weaknesses in the hope of addressing this large-scale problem. However, most organizations struggle to assess their third-parties and business partners effectively, relying on a patchwork of static forms, lengthy security questionnaires and haphazard email-based communication. Requests come from almost anywhere in the supply chain without consistent information or a solid process.
Intraprise Health delivers industry-leading TPRM services provided by certified, expert and proven healthcare security experts. Organizations seeking a security-focused solution and the ability to scale-up to meet their needs can rely on Intraprise Health. Although we customize our program to meet your requirements, our core TPRM services utilize the following approach:
- Evaluate the current TPRM security environment throughout the Supply Chain
- Optimize current-state processes and workflows
- Establish communication and reporting protocols
- Assign each vendor to a risk-based tier (i.e., risk category) based on the vendor’s profile and contracted solution/services
- Perform standards-based Third-Party evaluations via Intraprise Health Assessments (HIPAA, MU, NIST, HITRUST, PCI, etc.)
- Coalesce documentation
- Perform a thorough security assessment and collect audit evidence
- Identify and record risks and remediation actions
- Establish a Corrective Action Plan (CAP) with the Third-Party
- Track remediation progress of the CAP and re-evaluation milestones
- Provide status updates, metrics and analysis
Our TPRM Services provide a comprehensive and scalable set of services performed by seasoned experts on a fully or partially outsourced basis. Contact us to learn more about Intraprise Health’s industry-leading TPRM services.