Ultimate Internet Access, Inc. - UIA.net

HITECH Services by UIA.net

Technology Risk & Security Compliance Services

As of February 2010, compliance has become more imperative than ever. An excerpt from the HIPAA Survival Guide:

"… the HITECH Act contains language that implies lax enforcement may be ancient history. Under HITECH, mandatory penalties will be imposed for “willful neglect.”… a provider with “no story” regarding compliance will likely be at significant risk.

Civil penalties for willful neglect are increased. These penalties can extend up to $250,000, with repeat violations extending up to $1.5 million… Finally, HHS is now required to conduct periodic audits of covered entities and business associates… the HITECH Act significantly ups the ante for non-compliance."

HITECH Act Security Services Provided by UIA
  • Firewall & Intrusion Detection Systems Security
  • Information Security Assessment / Review
  • Network Operational and Administrative Security Assessment
  • Information Security Policy & Procedure Development
  • Access Controls Audit & Assessment
  • Vendor Management Assessment & Review
  • Technical Security (Intrusion) Testing - Internal & External
  • IT General Control (ITGC) Review
  • Social Engineering Assessment - including Social Networking Analysis
  • Business Continuity Plan Assessment
Expected Challenges of Compliance
HIPAA Security Standards: Guidance on Risk Analysis

UIA will conduct a risk analysis as the first step. Risk analysis is a required implementation specification of the Security Rule (45 CFR 164.308(a)(1)(ii)(A)), and its output drives everything that follows: which safeguards must be implemented to meet the Rule's specifications, and which safeguards and technologies will best protect electronic protected health information (e-PHI) given the threats and vulnerabilities actually present in your environment.

UIA HITECH Compliance Solutions
  • Policies and Procedures, documented in a web-based wiki served over SSL/TLS with a valid certificate, covering the controls required for HITECH compliance.
  • Security Ticket System. A web-based ticketing system for tracking security incidents, suspected breaches and IT-related issues.
  • Disk Encryption of desktops and laptops. Under the HHS breach-notification guidance, PHI protected by encryption is not "unsecured" PHI, so the loss or theft of a properly encrypted device does not by itself trigger notification, provided the decryption key was not also compromised.
  • Training. UIA will conduct a one-hour on-site security training session for management and staff on the new HITECH rules and procedures.
  • Business Associate Agreement Template.
  • Compliance Announcement. UIA will send a HITECH Compliance announcement notifying all Business Associates, critical vendors and customers of the steps taken to protect their data.
  • Quarterly Reviews to confirm that HITECH policies and procedures are being followed, with findings logged in the Security Ticket System.
Average Cost Per Compromised Record

Federal regulators have tallied the cumulative number of Americans affected by major healthcare breaches (those affecting 500 or more individuals, which must be reported to HHS). They now estimate that nearly 4.8 million individuals have been affected by the 138 breaches reported so far.

Christopher Hourihan, manager of development and programs at the Health Information Trust Alliance, bases his estimate of the total cost of healthcare breaches on the Ponemon Institute's calculation of an average of $204 in costs for every compromised record, across all industries.

In addition to direct costs -- such as a forensic investigation, changes to security strategy, legal defense and credit protection for victims -- organizations face hefty indirect costs, such as the loss of current and prospective customers who no longer trust the organization, Hourihan notes.

Hourihan recently conducted a detailed analysis of breach statistics based on information on 108 breaches reported to federal authorities. That analysis determined, for example, that 20 percent of cases involved business associates.

Key Breach Prevention Steps
  • Conducting a detailed risk analysis. "Focus your limited budget on the highest risk areas."
  • Encrypting mobile devices and media as well as desktop computers. Although the theft or loss of mobile devices is the leading cause of breaches so far, several incidents have involved the theft of desktop devices.
  • Working with business associates to ensure they take adequate security steps. Relying simply on a business associate agreement "is grossly inadequate." In cases where relatively low risk is involved, organizations should review business associates' documentation of security steps and interview executives about policies and enforcement. In higher-risk scenarios, organizations should consider hiring a third party to review a business associate's security program and develop an action plan.
  • Educating staff about security procedures and the reasons behind them. For example, physicians, nurses and others should be aware that "a lack of security can affect the safety of patients," such as if their records are altered or unavailable.
  • Investigating whether to limit the amount of patient information stored on mobile and desktop devices, relying instead primarily on network drives and other central storage devices.
  • Requiring vendors that remotely host electronic health records to spell out their approach to access control, vulnerability management and other security strategies.
  • Guarding against data loss, for example by banning file sharing programs on computers. "Make sure people are aware of the risks of downloading from an untrusted website."