HEALTHCARE

PRAGMATIC

Anitian’s healthcare team works creatively and collaboratively with you to develop a sound, business-friendly way to meet HIPAA and HITECH requirements.

EXPERIENCED

Anitian brings a practical approach to compliance. Furthermore, our hands-on expertise means we look beyond the checkbox to the financial and operational realities of your business.

EFFECTIVE

Our experienced healthcare team delivers actionable, sustainable security results. Our solutions are built to meet the unique needs of your business, clients, and stakeholders.

HEALTHCARE INDUSTRY SERVICES

OVERVIEW

Anitian’s healthcare practice delivers practical, pragmatic, business-friendly security that maximizes technology and process investments to close regulatory gaps, reduce risk, and protect patients. Anitian offers a number of services that can be customized to meet the needs of healthcare providers and covered entities. And Anitian’s Sherlock was designed specifically to meet the security and compliance needs of healthcare organizations.

First, Sherlock never commingles your data. Your data, and your patients’ data, never leave your environment. Sherlock also can sign your BAA with no reservations.

We run our platform on an AWS cloud which is compliant with HIPAA rules. Furthermore, every Sherlock subscription for a health care organization includes a HIPAA-specific risk assessment. We use the intelligence from that assessment to optimize your threat hunting.

Finally, Sherlock also includes threat intelligence specifically designed for attacks on EMR platforms and exfiltration of PII.

Sherlock Compliance Automation and Sherlock MDR are ideal for healthcare. Let’s chat.

GAP ASSESSMENT
Begin your HIPAA or HITRUST compliance efforts with a gap assessment. This project identifies areas of non-compliance and establishes an action plan for compliance.

Your Gap Assessment will include:

  • Facilitated interviews with appropriate project stakeholders
  • Review of relevant documentation
  • Identification of gaps and determination of remediation efforts
  • Development of a gap assessment report, including a description of our findings and an Action Plan that provides you with a roadmap to compliance

  • Relevant policies and procedures
  • Risk assessment and meaningful use documentation
  • Operational procedures and practices
  • Employee security awareness
  • Physical security
  • Technical controls
  • Data handling policies and practices
  • Privacy controls
  • Compliance reporting and tracking practices
  • Disaster recovery and business continuity
  • Business associate agreements (BAAs)

HIPAA RISK ASSESSMENT
HIPAA requires an annual risk assessment for all covered entities. Anitian’s RiskNow, Rapid Risk Assessment is an ideal way to not only perform your required assessment, but also improve information security. As part of the assessment, Anitian determines the baseline threats relevant to the in-scope environment, and catalogs, qualifies, and analyzes the risk those threats pose to your information security, IT operations, and reputation. This assessment also fulfills the HIPAA Meaningful Use risk assessment requirements, and is based upon the NIST 800-66 control framework.

  • Project Planning: Validate the scope of the project. Define the assessment context or “lens” for how assets will be analyzed. Establish schedules and rules of engagement. Document these issues in a project plan. Determine appropriate business and IT stakeholders.
  • Asset Validation: Catalog and validate the relevance of the in-scope assets and sampling strategies.
  • Stakeholder Interviews: Conduct a series of facilitated discussions with relevant project stakeholders. Capture key concerns and issues to assist with threat definition.
  • Ring.Zero Security Testing: Anitian will conduct a series of network, system, and application layer security tests on in-scope assets. Anitian uses the technical results from these tests to corroborate the threats and vulnerabilities. Anitian will determine the relevant sample of systems to test. Testing services may include:
    • Vulnerability scanning
    • Network and system penetration testing
    • Web application security testing
    • Configuration analysis
    • Log review (firewalls, SIEM, endpoint security, etc.)
  • Documentation Review: Anitian will conduct a high-level review of Client’s documented policies, procedures, practices, guidelines, data flows, network diagrams, architectural designs, or any other relevant documentation. Specific issues Anitian will consider as part of this Risk Assessment include:
    • Clarity and relevance of content
    • Impact of documentation on identified threats and vulnerabilities
    • Alignment with operational and technical realities in the organization
  • Physical Security Review: Anitian will conduct a review of physical security controls of Client’s data center and offices.
  • Threat Identification: Using data from interviews and security testing, Anitian will define the potential threats that are applicable to the in-scope assets.
  • Control Maturity Assessment: Anitian will determine what security controls (people, processes, and technologies) are in place and how effective they are at mitigating the identified threats.
  • Risk Assessment: Anitian will establish risk rankings for each threat, based on vulnerabilities present, probability of exploitation, impact on the organization, and the maturity of existing controls. Determine what, if any, residual risk exists if control maturity is improved.
  • Recommendations: Anitian will define enhancements or improvements to controls that can mitigate or eliminate risk.
  • Action Plan: Analyze risk exposure and recommendations to develop a step-by-step Action Plan for reducing risk.
  • Reporting: Complete the Business Risk Intelligence Report and supporting Threat Matrix.

HIPAA PROGRAM REVIEW
A holistic review of your HIPAA, HITECH, or HITRUST compliance efforts in the context of your overall information security program. This assessment focuses on ways to optimize or mature your program.

Our Program Review service includes:

  • Facilitated interviews with business process owners, system administrators, and compliance officers
  • Review of relevant documentation
  • Observation of business processes and practices
  • Assessment of the effectiveness of security controls and policies
  • Identification of any areas of concern
  • Development of a report that includes a description of our findings and an Action Plan that provides you with a roadmap to compliance

  • Relevant policies and procedures
  • Risk assessment and meaningful use documentation
  • Operational procedures and practices
  • Employee security awareness
  • Physical security
  • Technical controls
  • Data handling policies and practices
  • Privacy controls
  • Compliance reporting and tracking practices
  • Disaster recovery and business continuity
  • Business associate agreements (BAAs)

READINESS ASSESSMENT
A comprehensive assessment of your HIPAA, HITRUST and/or HITECH compliance efforts to prepare you for any formal external audit. This assessment digs into the details of your program, identifying any areas of non-compliance.

Your Readiness Assessment includes:

  • Facilitated interviews with appropriate project stakeholders
  • Review of relevant documentation
  • Identification of gaps and determination of remediation efforts
  • Development of a readiness assessment report, including a description of outstanding areas of non-compliance and an Action Plan that provides you with a roadmap to remediating these gaps

  • Relevant policies and procedures
  • Risk assessment and meaningful use documentation
  • Operational procedures and practices
  • Employee security awareness
  • Physical security
  • Technical controls
  • Data handling policies and practices
  • Privacy controls
  • Compliance reporting and tracking practices
  • Disaster recovery and business continuity
  • Business associate agreements (BAAs)

HIPAA ADVISORY SERVICES
For organizations looking for expert consultation, Anitian offers flexible, open-ended arrangements to provide guidance, feedback, and insight into HIPAA, HITRUST, and HITECH compliance processes. Anitian’s consultants deliver pragmatic, practical advice tailored to the unique needs of your business.

While consultation services can cover any topic, some of the assistance Anitian commonly provides includes:

  • Guidance on requirements
  • Assistance with limiting the scope of compliance
  • Technology recommendations and guidance
  • Review and feedback on policies, practices, and configurations
  • Assistance with compensating controls
  • Application design consulting
  • Assistance implementing required controls
  • Clarification of the expectation or intent of requirements

REMEDIATION SERVICES
One of the benefits of working with Anitian is that, in addition to being able to conduct compliance assessments, we also have a complete staff of technology integrators. This gives us a real “nuts & bolts” view of HIPAA, HITRUST, and HITECH compliance. We know exactly how to implement necessary controls, technologies, and practices to meet their requirements.

Our remediation services include implementation, optimization, and testing of the following:

  • Firewalls / UTM / NGFW
  • File integrity monitoring
  • SIEM / Log Management
  • Antivirus / Endpoint security
  • Encryption
  • Vulnerability management
  • Configuration management
  • Incident response
  • IDS / IPS
  • Security awareness
  • Software development life-cycle (SDLC)
  • System auditing and access control

PENETRATION TESTING
Anitian offers comprehensive internal and external penetration testing services designed to meet requirement 11.3. For more information on Anitian’s penetration testing services click here.

WEB APPLICATION PENETRATION TESTING
Anitian offers comprehensive web application penetration testing services designed to meet requirement 6.6. For more information on Anitian’s application testing services click here.
