SecureIT :: Solutions :: Healthcare

OUR SOLUTIONS

Healthcare
The healthcare industry is facing unprecedented pressure to improve quality, expand coverage and reduce costs. Health information technology (Health IT) is an enabler for meeting these challenges, but it also widens the attack surface for protected health information. As part of the American Recovery and Reinvestment Act of 2009, the Health Information Technology for Economic and Clinical Health Act (HITECH Act) imposes new privacy and security requirements on personal health record vendors, covered entities and business associates, including federal breach notification obligations. Numerous other laws and regulations worldwide carry implications for HIPAA and non-HIPAA organizations alike. At the same time, Government agencies and their contractors acquire, build and deploy many kinds of technology to achieve their missions, with a growing reliance on cloud computing and other forms of outsourcing. Ensuring that the right information security protections are actually implemented, and remain effective once the system is in a third party's hands, is a real challenge.

SecureIT understands these regulations and challenges and can help your organization put cost-effective controls in place to protect your most sensitive data. Our corporate experience and past performance with a diverse set of organizations, ranging from Federal regulatory agencies, Federal healthcare organizations and Medicare contractors to private and non-profit healthcare organizations and Health IT solution providers, give us the experience and capabilities to assist organizations in the following areas:

HITECH Security Assessment: SecureIT uses a risk-based security assessment approach to validate compliance with the standards defined in the HIPAA Security Rule, part of the Administrative Simplification provisions of Title II of HIPAA. The Security Rule itself requires a documented risk analysis, so the assessment starts from the organization's own inventory of systems that create, receive, maintain or transmit Electronic Protected Health Information (EPHI) and evaluates the administrative, physical and technical safeguards applied to them. We help ensure that the organization complies with the Security Rule, that EPHI is well protected against breach, and that information protection resources are effectively deployed. The result of this assessment is a plan of detailed, actionable steps, prioritized by risk, aimed at ensuring that risks are mitigated and that cost-effective controls are adequately implemented.

Privacy Diagnostic: Effective privacy programs require a focused approach that couples a holistic view with pragmatic action plans. How does your privacy program measure up? Would your Inspector General or GAO agree? The Privacy Diagnostic is a structured progression for assessing your privacy program that ensures every dollar invested provides value and contributes to the agency's overall mission. It is a modular and customizable program that recognizes that privacy programs are at different levels of maturity: while using the same basic framework, the modular approach concentrates effort on the areas that require enhancement.

Medicare Contractor Compliance Program Strategy & Planning: Most Medicare Administrative Contractors (MACs) face a multitude of compliance requirements and initiatives: FISMA, HIPAA, the HITECH Act, the CMS Business Partner Systems Security Manual (BPSSM), SOX, SAS 70 audits (since superseded by SSAE 16/18 SOC reports), external audits, internal audits, PCI, etc. Many of these frameworks test overlapping controls. SecureIT helps organizations understand these requirements, develop a compliance strategy, reuse planning and test evidence across multiple initiatives, and gain efficiencies wherever feasible. The result is that key IT resources are less burdened, compliance requirements are fulfilled, and management has real-time, consolidated visibility into compliance initiatives company-wide.

IT Controls Testing: A core requirement for organizations subject to FISMA and CMS oversight is that one-third of the security controls be tested each Federal fiscal year, so that the full control set is tested over a three-year period. This requirement is evolving toward continuous monitoring, but the need for technical, certified and experienced testing resources remains. SecureIT's CISA-certified consultants have the experience and expertise to test the full suite of controls contained in the Centers for Medicare & Medicaid Services (CMS) Business Partner Systems Security Manual (BPSSM) and the NIST certification and accreditation (C&A) guidance in NIST SP 800-37 (now framed as the Risk Management Framework) and NIST SP 800-53A. In addition, SecureIT maintains working relationships with the Big Four, the OIG and other oversight groups, which helps us ensure that your organization meets their expectations and produces the evidence and documentation required to support the audit work performed.

Compliance & Audit Liaison: SecureIT has extensive experience managing the Compliance and Risk Management Program Offices of large organizations. Our consultants serve as the primary interface between technology resources and any audit entity that needs access to them (external audit, the OIG, MMA Section 912 evaluations, SAS 70 examinations, etc.). We ensure that communications are effective, that data requests are not duplicated, that staff interruption is minimized, and that all parties get what they need to be successful.

Vendor Risk Management: The HITECH Act raises the bar on compliance requirements for business associates and vendors, making them directly accountable for the Security Rule safeguards rather than bound only by contract. Many organizations will need to redesign their oversight and monitoring processes for these trusted entities. SecureIT can help ensure that appropriate vendor management processes are in place, that assessments are performed before contractual relationships are entered into, and that ongoing monitoring and auditing is performed for the life of the relationship.

Data Breach Incident Response Planning: Almost every state in the U.S. has a law dictating what you must do if certain personal information you are responsible for, including information you have entrusted to outsourced vendors, is lost or stolen. Certain international markets are considering similar laws. For HIPAA covered entities and business associates, the HITECH Breach Notification Rule adds federal requirements, including notification of affected individuals without unreasonable delay and no later than 60 days after discovery of a breach of unsecured PHI. In the event of data loss or theft, a fast, well-executed incident response plan is essential to limiting damage to your brand and reputation, pre-empting potentially relentless media coverage or speculation, and meeting your legal notification responsibilities. While the response to every potential scenario cannot be scripted in advance, many parts of the response can be pre-planned. SecureIT can work with your organization to create or review your incident response plan, facilitate practice walkthroughs of the plan, conduct annual tests of the plan, or assist in executing the plan in the event of an actual data loss or theft.

For additional information, refer to our Enterprise Security, Governance, Risk & Compliance and Audit capabilities.
