Healthcare Security

Healthcare Information Security and Privacy Consulting

Over the last several years, the healthcare industry has been subject to sweeping changes as technology advances and the law catches up.  Today, virtually all healthcare data is created, transmitted, and stored digitally.  As a result, sound information security and data privacy practices are utterly vital to the survival of healthcare organizations – so much so that “Health Information Technology” (HIT) has grown into a highly specialized area of healthcare information management.

The healthcare industry itself is also subject to unique challenges.  Healthcare is in a state of constant flux, due in large part to the political and economic pressures that surround it.  In addition, organizations have to sort out the often incompatible forces of company governance, remaining profitable, and providing sufficient caregiving.  That, combined with the variety of third parties and business associates that make up a healthcare system, makes managing HIT a rigorous and nuanced endeavor.

Lunarline knows how to effectively handle the challenges of HIT, healthcare security, and healthcare privacy.  Our expert team of healthcare consultants can guide your organization through the maze of healthcare regulation, information governance, risk management, and third party oversight.

Healthcare Governance

Effective implementation of HIT, use and maintenance of electronic health records (EHRs), information security, and data privacy has to be woven into the mission of a healthcare organization.  Said differently, the importance of protecting health data must be a message from the top brass.  And that’s where effective governance comes into play – ensuring that management is given adequate direction on what the overarching data protection goals are and how to achieve them.

Lunarline can support a realignment or reestablishment of an organization’s governance model.  This includes:

  • Creating the core healthcare information security and privacy goals, specific to the company
  • Making executives and managers accountable to the stakeholders
  • Ensuring governance directives trickle down to policies and procedures
  • Integrating security and privacy into the data lifecycle
  • Creating or revising performance metrics

Healthcare Operations 

Healthcare operations touch on many different business areas, such as IT, clinical administration, non-clinical administration, delivery of care, and regulatory compliance.   Coordinating these disparate concerns towards security and privacy is far from easy. 

Lunarline can assist to streamline operations, identify areas of improvement, and manage workflow.  A few examples of how we can help include:

  • Creating or optimizing healthcare records management strategies
  • Analyzing data flows to identify in-scope regions of the organization’s system(s)
  • Determining which federal laws (e.g., HIPAA), state laws, or other regulations apply to the organization
  • Classifying data types to add efficiency to HIT processes
  • Revising or drafting healthcare information security and privacy policies and procedures
  • Tracking the number and types of third parties that may handle the organization’s sensitive data

Healthcare Compliance Assessments 

Compliance within the healthcare industry can take several forms.  Some compliance activities are mandated by law, such as HIPAA.  Others may be required if the organization does business with the government, such as the NIST standards.  Some may be implemented based upon industry best practices or upon the determination of the stakeholders. 

Lunarline has unparalleled expertise in all of these compliance frameworks, a few of which include:

  • Health Insurance Portability and Accountability Act (HIPAA): HIPAA is a federal law that has far-reaching implications for the healthcare industry.  However, healthcare organizations are mostly concerned about complying with 3 major parts of the law – the Security Rule, the Privacy Rule, and the Breach Notification Rule.  Lunarline has conducted many assessments of covered entities and business associates based upon these rules, and has been able to vastly improve those organizations’ level of compliance.  
  • NIST 800-53 Revision 4:  NIST Special Publication 800-53 Revision 4 is an in-depth set of information security and data privacy controls.  If a healthcare organization does business with a federal agency, compliance with 800-53 is likely required.  However, 800-53 is widely regarded as a comprehensive control framework and, as such, is adopted by many private organizations as an information security and privacy guide.
  • Privacy-Focused Frameworks:  there are a handful of data privacy frameworks that are appropriate for use by healthcare organizations.  Of course, HIPAA’s Privacy Rule is mandated.  Other privacy controls include Appendix J to 800-53, the OECD guidelines, the Fair Information Practice Principles (FIPPs), and the Generally Accepted Privacy Principles (GAPP).  

Risk Management, Assessment, and Mitigation

In the healthcare setting, implementing proper risk management can mean the difference between life and death.  In today’s healthcare settings, medical hardware and medical devices are linked together logically on a network, which puts them at risk of malicious attack and other significant threats.  A hacked IV pump, for example, can have devastating results.  The protection of people should be the number one priority in a healthcare setting, and performing comprehensive and regular risk assessments is a highly effective way of identifying and mitigating risks.  Risk management includes performing risk assessments to determine where weaknesses are and the level of threat they represent, remediating those weaknesses, and determining how to deal with risks that cannot be fixed.  

Lunarline’s expertise in conducting and supporting risk assessment activities is extensive.  Equipped with this expertise, we can provide the following risk assessment support services:

  • Determine the scope of risk assessment by identifying the assets that contain, transmit, or handle PII or ePHI
  • Evaluate the current threats to those assets, and in turn, ascertain the vulnerabilities created by the threats and resultant impact if the vulnerabilities were exploited
  • Integrate a HIPAA or NIST compliance assessment to find compliance and/or control gaps
  • Determine remediation actions
  • Create remediation reporting mechanisms and deploy ongoing and continuous monitoring solutions.

Third Party Management

Healthcare organizations have to pay close attention to the third parties with which they share healthcare information.  In fact, laws such as HIPAA require it.  It’s very common for organizations such as hospitals, physicians, and insurance companies to employ third parties.  Healthcare information processing, billing, coding, storage, and transmission are regularly outsourced to healthcare vendors, and when these third parties become part of the data flow, several obligations are triggered. 

The most important factors to consider include the manner in which the third party protects the data, with whom the third party shares the data, how specifically the third party will use and handle the data, the maturity of the third party’s information security and data privacy controls, the third party’s breach notification and response procedures, and the extent to which the third party complies with applicable laws and regulations.

Healthcare organizations have to ensure that their own HIT practices are sufficient and that the vendors they use meet acceptable levels of security and privacy sophistication.   This daunting task gets more burdensome when an organization has several vendors.  

Lunarline is here to help.  Whether the organization is a large hospital, a small doctor’s office, or a mid-stream business associate, Lunarline has the capabilities to perform:

  • Healthcare information security and privacy training for third-party staff
  • HIPAA and other compliance assessments of third parties
  • Risk assessments of third parties
  • Creation of remediation plans to address areas of non-compliance
  • Review or creation of Business Associate Agreements and related contracts
  • Continuous monitoring of third-party environments
  • Evaluation of third parties’ breach notification and response procedures

Lunarline is a company of experts.  Our industry-leading Healthcare Department will be glad to discuss your healthcare protection, management, and maintenance needs.  Please contact us at (571) 481-9300.