BluePrint Health Information Security™

Security Services

The BluePrint Security Difference

Intraprise Health’s BluePrint Security services have been at the vanguard of healthcare information privacy and security since 2009.

Completely healthcare focused, we provide advisory services and solutions to meet the pressing information security needs you face now and in the future.


Our Goal

To craft a comprehensive program based on vigilant security controls, organizational resilience, and expert oversight.

Comprehensive Security

Organizational Resilience

Expert Oversight

  • 97.2: Rating in the 2018 KLAS Cybersecurity Report (* limited data)
  • 100%: Healthcare focused
  • 2011: Became one of industry’s first HITRUST Certified Assessors

Vulnerability Assessment and Risk Analysis (VARA)

The Vulnerability Assessment and Risk Analysis (VARA) examines an organization’s information security and risk management program using a collaborative, standards-based, and compliance-aware approach. Our VARA service includes strategic, operational, and tactical assessments in order to achieve comprehensive risk mitigation.

Progressive healthcare organizations perform a Vulnerability Assessment on an annual basis, often in conjunction with a Risk Analysis, resulting in the creation of a remediation plan. Our cyber security professionals have deep expertise and are armed with the latest scanning tools and techniques. This gives us the most meaningful and accurate vulnerability intelligence for risk analysis and remediation planning.

Compliance Frameworks

During the course of a VARA engagement, we will:

  • Map identified vulnerabilities to HIPAA (as amended by HITECH and the Omnibus 2013 Final Rule), the NIST Cybersecurity Framework, and the HITRUST CSF
  • Draft a comprehensive Report of Findings incorporating practical, real-world remediation recommendations
  • Present findings and recommendations in stakeholders’ briefing session(s)
  • Provide subject matter expertise for senior management decisions regarding risk
  • Assist with alignment of strategy, business objectives, and information assurance

Get the structure, detail and clarity that you need to:

  • Evaluate HIPAA/HITECH compliance
  • Document current state of security controls
  • Meet the requirements associated with Meaningful Use
  • Identify gaps that pose true business risk
  • Create a practical remediation roadmap
  • Establish a sustainable operating model for information security and privacy
  • Further relationships based on trust and confidence with your clients and business partners


Additional Services

Vulnerability Scanning

Our cyber security professionals have deep expertise and are armed with the latest scanning tools and techniques. This gives us the most meaningful and accurate vulnerability intelligence for risk analysis and remediation planning.

We perform internal and external Vulnerability Scanning using leading industry tools.

Penetration Testing

Penetration Testing uses existing vulnerabilities in order to uncover security blind spots as well as to determine to what extent they can be exploited. Our penetration testing expert (“ethical hacker”) simulates the actions of an external cyber attacker to expose critical systems and strives to gain access to sensitive data.

We use a mix of proven penetration frameworks and tools containing databases of known exploits that are deployed against a set of discoverable entry points and the services that run on them.

Medical Device Security Program

Medical Device Security Assessment and Program Development

Our Medical Device Assessment and Program Development experts carry out planning, process and procedure development exercises that highlight the steps necessary to assess and secure your connected medical devices through appropriate safeguards.

Our Medical Service Security Service team will:

  • Convene an interdepartmental governance group (IT, Biomed, Facilities/Physical Security, Nursing, CMO’s office, other Client functional areas as required).
  • Form an interdepartmental group responsible for leading the planning, administrative management and implementation of your medical device security program.
  • Review, revise or create policies and procedures to govern medical device security.
  • Adapt NIST Cybersecurity or HITRUST CSF to create a Medical Device Security Risk Analysis framework.
  • Apply Probability and Impact Rating System (PAIRS) to identify criticality and prioritize current risks.
  • Carry out Physical and Technical Testing.
  • Perform a walkthrough of one or two physical areas to observe medical device utilization and the physical security environment.
  • Perform a vulnerability scan of a small subset (1-5 devices) of medical devices in a “safe zone” VLAN. Document findings and remediation recommendations, including Common Vulnerability Scoring System (CVSS) ratings.
  • Review medical device security management program incorporating learnings from technical security scan and physical security assessment.
  • Provide recommendations for overall program redesign as well as policy and procedure revisions/enhancements to optimize for future expansion.

Security Education and Awareness Training

Education and Awareness Program Development

Security vigilance is achieved through staff awareness and education. It is an organization’s most powerful risk mitigation tool.

Our awareness and educational programs feature security experts who make security education engaging and interesting with the goal of increasing competence and confidence.

Education and Awareness Services include:

  • Content and material development for education and awareness training sessions
  • One-time topic workshops
  • Year-long progressive topic development
  • Customized content and topics to suit organizational goals
  • Communication and internal promotion plans and content
  • Tailored topics by audience or skill level
  • Online education and content

Business Impact Analysis

Business Impact Analysis (BIA) is a systematic process to assess and evaluate the potential effects of an interruption to operations as a result of a natural or man-made disaster, accident, or other emergency, and to gather information needed to develop recovery, prevention, and risk mitigation strategies. We conduct Business Impact Analysis in accordance with NIST Special Publication 800-34 and best practices outlined by the Disaster Recovery Institute International (DRII).

Business Impact Analysis (BIA) Report of Findings includes:

  • Mission/business processes and recovery criticality:
  • Outage impacts
  • Maximum tolerable downtime
  • Recovery time objectives
  • Recovery point objectives
  • Resource requirements
  • Recovery priorities for system resources
  • Review of business continuity plan to assess potential gaps and to prepare remediation recommendations

Tabletop Exercises

  • Tabletop exercises are a proven method for practicing the skills and knowledge needed to implement a plan or operation during an incident from within that organization or across several organizations.
  • Our TTXs are discussion-based sessions where team members meet in an informal classroom setting to discuss their roles during a crisis, like a data breach or disaster recovery scenario, as well as practice their responses to various high-value scenarios. Most tabletop exercises can be conducted in a few hours and create an environment for shared learning and cross-organization collaboration.
  • TTX topics can include business continuity and disaster recovery, as well as various breach management and incident response issues.

Phishing Exercises

  • Phishing campaigns have a two-fold benefit. First, they test an organization’s overall level of awareness about these very common, but high-risk attacks. Second, they create an opportunity to improve user competence for those susceptible to compromise through personalized learning experiences.
  • The best safeguard against targeted phishing attacks is to educate staff and ensure they know how critical their role is in protecting the information they possess. Educating staff on current threats, like phishing attacks, empowers them to become proactive protectors of your organization’s most valuable asset — your data.
Copyright © 2018 – TouchPoint Health, LLC t/a Intraprise Health