In the U.S., any organization that creates, maintains or transmits electronic protected health information, commonly known as ePHI, must comply with the Health Insurance Portability and Accountability Act (HIPAA). Trustwave provides a comprehensive portfolio of services and technologies that can help organizations of any size respond to HIPAA regulations.

$250.15: mean price for a stolen health care record

33%: share of compromised health care records tied to financial or user credentials

Almost all: health care industry attacks that targeted corporate and internal networks

Overview

  • In addition to healthcare providers, organizations that must comply with HIPAA include third-party contractors, subcontractors and business associates that perform services on behalf of a healthcare or healthcare insurance provider.

    HIPAA features three components related to data protection: the Security Rule, the Privacy Rule and the Breach Notification Rule.

    Trustwave offers a suite of customizable HIPAA services and solutions that work together to safeguard protected health information (PHI) and address HIPAA requirements. We focus our services on helping you create a compliance program centered on the administrative, physical and technical requirements of HIPAA.


  • Security Rule

    This rule specifies the administrative, physical and technical safeguards required to secure electronic protected health information (ePHI), whether it is created, received, maintained or transmitted. Among the requirements: covered entities and business associates must conduct a risk analysis and protect ePHI against reasonably anticipated threats and unauthorized access. Each implementation specification is either "required" or "addressable"; an addressable specification may be met with an equivalent alternative or documented as not reasonable and appropriate for the environment, but it cannot simply be skipped.

  • Privacy Rule

    This rule institutes safeguards for protected health information (PHI) in any form: oral, written or electronic. Broadly, it limits uses and disclosures of patient information without the patient's authorization and spells out the rights patients have over their records, including the right to access and amend them.

  • Breach Notification Rule

    This rule requires HIPAA-covered entities and their business associates, following a breach of unsecured PHI, to notify affected individuals, the Secretary of the U.S. Department of Health and Human Services (HHS) and, for breaches affecting more than 500 residents of a state or jurisdiction, prominent media outlets, unless a documented risk assessment demonstrates a low probability that the PHI has been compromised. PHI rendered unusable, unreadable or indecipherable through encryption or destruction consistent with HHS guidance is not "unsecured", which is why a lost laptop with properly encrypted ePHI generally does not trigger notification while an unencrypted one does.

Consequences

  • The Office for Civil Rights (OCR), within the U.S. Department of Health and Human Services, has investigated and resolved over 25,000 cases by requiring changes in privacy practices and corrective action plans. As of March 31, 2018, OCR had settled or imposed a civil money penalty in 55 cases, averaging $1.43M per case, across entity types including national pharmacy chains, major medical centers, group health plans, hospital chains and small provider offices.

    The most investigated compliance issues are:

    • Impermissible uses and disclosures of protected health information
    • Lack of safeguards of protected health information
    • Lack of patient access to their protected health information
    • Lack of administrative safeguards of electronic protected health information
    • Use or disclosure of more than the minimum necessary protected health information

Solutions

  • Trustwave provides a comprehensive portfolio that can help organizations of any size respond to HIPAA regulations. We are ideally suited to help support a compliance program centered on the administrative, physical and technical requirements of HIPAA.

    Prepare

    The Trustwave HIPAA Compliance Pre-Assessment is designed to identify the degree to which your organization conforms to the HIPAA standards as amended by the Omnibus Rule. Our consultants examine your environment for strengths and gaps to help you understand your true compliance posture.

    Evaluate Your Compliance Level

    The Trustwave HIPAA Risk Assessment helps you identify the safeguards necessary to meet HIPAA requirements and find the gaps between your current security posture and those requirements. The customizable assessments, scaled individually for covered entities and business associates, include identification of key assets and IT systems, assessment of controls and frameworks, and a review of third-party providers and incident response programs.

    Address Gaps and Vulnerabilities

    The Trustwave HIPAA Compliance Readiness Service helps you address your HIPAA compliance gaps so that specific risks can be categorized, quantified and considered for remediation or acceptance.

    Supporting Security Technologies

    HIPAA requires covered entities and their business associates to deploy technical controls that protect ePHI, whether it is being stored or transmitted, and to retain the documentation that demonstrates those controls during an audit. Some of the ways we can help you include:

  • Data Loss Prevention 

    Allows you to discover and classify sensitive data and prevent it from leaving the network.

    Secure Web Gateway 

    Enables safe and productive web access while supporting compliance, minimizing data loss and reducing malware risk.

    File Integrity Monitoring 

    Addresses the HIPAA Security Rule integrity standard, which requires policies and procedures to protect ePHI from improper alteration or destruction, by detecting and alerting on unauthorized changes to files and systems that hold ePHI.

    Network Access Control 

    Ensures managed and unmanaged devices connecting to the network comply with policies and do not introduce malware.

    Web Application Firewall 

    Protects web applications against external attackers who may use vulnerabilities, such as SQL injection, to steal patient information.

    SIEM 

    Helps you gain broad visibility of threats to your network and improve your compliance process through logging, monitoring, and analysis of events.

    Security Awareness Education 

    Instructs your employees and contractors to understand the threat of social engineering and follow best practices for security, including password management and the safe use of web and social media tools.

    Penetration Testing 

    Identifies exploitable vulnerabilities in your networks, applications or databases and helps you prioritize their remediation.

  • Automate and Manage

    TrustKeeper Compliance Manager helps you centrally automate and manage controls, policies and procedures across multiple compliance frameworks, including HIPAA. Compliance Manager is delivered through our cloud-based management portal, TrustKeeper, which provides a real-time view into the status of your compliance and security programs and offers access to all of your managed services. Through one easy-to-use dashboard, you can submit support requests, see event history, run reports and manage your account at any time.
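The File Integrity Monitoring item above is the one control on this page whose mechanism is worth seeing concretely: a baseline of cryptographic digests is recorded for the files that hold ePHI, and later scans are compared against it to surface improper alteration or destruction. The following is an added example written for this page, not Trustwave or TrustKeeper code. It builds a SHA-256 baseline, seals it with an HMAC so that whoever tampers with the files cannot also quietly rewrite the baseline, and reports added, modified and deleted files. The directory layout, the patient record contents and the HMAC key are constructed for the demonstration; in practice the key lives off the monitored host (for example in a KMS).

```python
"""Minimal file-integrity monitor: baseline SHA-256 digests of a tree, seal the
baseline with an HMAC, then detect additions, modifications and deletions.
Added example for this page; not Trustwave product code."""
import hashlib
import hmac
import json
import os
import tempfile


def _digest(path):
    """SHA-256 of a file, streamed so large exports do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file (path relative to root, '/'-separated) to its digest."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = _digest(full)
    return baseline


def seal(baseline, key):
    """Serialize the baseline and attach an HMAC-SHA256 tag. Without this, an
    attacker who can alter ePHI files can usually alter the baseline too."""
    body = json.dumps(baseline, sort_keys=True).encode()
    mac = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body, mac


def unseal(body, mac, key):
    """Verify the tag in constant time before trusting the stored baseline."""
    expected = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        raise ValueError("baseline tampered with or wrong key")
    return json.loads(body)


def compare(baseline, current):
    """Classify differences between a trusted baseline and a fresh scan."""
    added = sorted(set(current) - set(baseline))
    deleted = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    return {"added": added, "modified": modified, "deleted": deleted}


def demo():
    """Constructed scenario: baseline three files, then alter, delete and add."""
    key = b"example-key-keep-off-the-monitored-host"  # assumption for the demo
    with tempfile.TemporaryDirectory() as root:
        def write(rel, data):
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "wb") as f:
                f.write(data)

        # Constructed sample data standing in for ePHI and its export config.
        write("records/patient-0001.json", b'{"mrn": "0001", "dx": "J45"}')
        write("records/patient-0002.json", b'{"mrn": "0002", "dx": "E11"}')
        write("config/export.cfg", b"dest=sftp://archive.internal\n")
        body, mac = seal(build_baseline(root), key)

        # Improper alteration, destruction and an unexpected new file.
        write("records/patient-0001.json", b'{"mrn": "0001", "dx": "Z00"}')
        os.remove(os.path.join(root, "records/patient-0002.json"))
        write("config/export.cfg.bak", b"dest=sftp://attacker.example\n")

        trusted = unseal(body, mac, key)
        return compare(trusted, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The comparison is what generates the alert; what turns it into a HIPAA control is the surrounding process: a change window that explains expected modifications, an owner who reviews each unexpected one, and retention of the scan reports as audit evidence.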
