
Regulatory Compliance

A Catch-up Plan for Technical Controls

In under 60 days, the GDPR officially takes effect in the EU, and it will impact companies well beyond Europe’s borders. As a reminder, on May 25 the GDPR replaces the EU’s existing privacy regulation, and in a nutshell, data protection is now by design and by default. And data includes both personal and professional information. A major point is the ‘right to be forgotten,’ and some of the controversies around Google and Facebook are a result of this intent.

By now, organizations should have a well-developed implementation plan in place, including the appointment of a Data Protection Officer and coordination across all impacted business functions. The issue is that this planning is not universal; in fact, many US companies don’t realize their exposure. In a recent study, less than 25% of US firms consider themselves GDPR-ready. That is not a good place to be, given that a just-released ESG survey shows GDPR-subject data as the most widely deployed data in the cloud.


Digging further, the GDPR defines three elements of compliance – people, process, and technology. Cavirin can’t directly address the first two, but we can help with plugging holes in the third. In a four-phase process of discover, manage, protect, and report, the third phase – protect – closely aligns with Cavirin’s capabilities. We’ve created a policy framework that helps to automate the following across cloud providers and operating systems:

  • Auditing Personal Data Processing Systems: Ensuring that all user and admin activities in personal data processing systems are traceable at all times.
  • Monitoring Personal Data Processing Systems: Ensuring that they are free of known software vulnerabilities.
  • Personal Data Access Controls: Ensuring that access to systems storing or processing personal data is restricted to only the users or programs that need it.
  • Personal Data Security Controls: Monitoring configuration settings for systems storing or processing personal data to prevent breaches and disclosure.
  • Personal Data Transfer Security: Monitoring the use of encryption and network configuration to detect and/or prevent unauthorized transfers of personal data.

So how do you get started? In under 30 minutes (really), you can deploy the solution on-premise or within your public cloud provider. Deep discovery of the critical workloads you identified in the steps above then commences, and in a short amount of time you’ll have actionable reports that identify your top risks. The assessment delivers remediation guidance, and even for the largest infrastructures you’ll have plenty of time to take action before the deadline. But don’t stop there! Configure the platform for continuous assessment, so that if the configuration of any of your servers changes, or new ones are added, you’ll be notified immediately and can take action.

Download the linked infographic for more on the above! And listen to the on-demand webinar for further information on putting your own plan in place for GDPR enforcement day, May 25th, 2018.


This last week, the US Centers for Medicare & Medicaid Services (CMS) announced MyHealthEData, a federal initiative that for the first time will provide patients with full and secure control over their healthcare data, no longer locking it to a single healthcare system or provider.

When announcing the program, CMS Administrator Verma related an experience where her husband was in the hospital for a week due to heart failure. Upon discharge, Verma asked for her husband’s records and was presented with a CD-ROM, itself incomplete. This brought up memories of my wife’s experience in Taos, where she came down with a bad case of pneumonia and upon discharge was presented with a large folder containing X-rays. Very useful. Verma then went on to question the $30 billion spent to date by the US government on EHR implementation, and whether the patient experience has improved.

Key stakeholders in MyHealthEData include the White House, the NHS, the VA, and the NIH. The intent is to completely revamp the way patients interact with the healthcare system, making them the center of control and permitting them to better compare providers based on cost and capabilities. Other impacts of greater data sharing should be better diagnosis and less duplication of care, outcomes that will hopefully drive down the cost and raise the quality of care for everyone.

Note that the data ‘ownership’ aspect of MyHealthEData is much like the intent of GDPR within the EU, placing people and privacy first. It reflects a growing trend given the pervasiveness of personal data hosted across the Internet and especially within healthcare. And paralleling the EU, we’ll see the rise of the Data Protection Officer (DPO) within US enterprises and other organizations, a role integral to privacy.

But with portability comes additional requirements for security. No longer confined to the network of a single provider, records will be ‘borderless,’ accessible by almost every healthcare provider and across multiple devices including smartphones. To encourage security, MyHealthEData will leverage the Merit-based Incentive Payment System (MIPS) which includes penalties for security breaches. This is where Cavirin can help.

With data spread across a much larger and more interconnected attack surface, there are many more chances for breach, both intentional and unintentional. The workload and cloud account protection provided by Cavirin will be even more critical, and since security is only as strong as its weakest link, the ease of implementation and automation we provide will permit the adoption of best practices by anyone within the healthcare value chain.

Cavirin as a company is not new to healthcare, with customer use cases spanning OS hardening of servers used in medical device manufacturing, HIPAA compliance on-premise and within AWS (including application of the AWS HIPAA Quickstart), and use of our open APIs to connect to other security platforms within a genomic research environment. We also have multiple deployments within the largest dental benefits provider in the United States. Learn more at http://www.cavirin.com/solutions/continuous-compliance/hipaa-hitech.html.


As we get ready to head east next week to Boston and the HIMSS Cybersecurity Forum, download our new infographic covering the less-than-excellent state of HIPAA in America. From multiple analysts and interviews, the key takeaway is that healthcare rates a ‘C’ in security. The industry must improve today’s state of affairs: the sector has had more breach incidents than any other sector critical to the economy, the personal health data (ePHI) of almost half of US residents has been compromised, and the resulting non-covered impact to these victims is $30B or more. Looking back, the implementation of electronic health records was meant to streamline care, but in fact interconnectivity and poor practices have helped the hackers as well. The theft of ePHI also opens the door to persistent identity theft, since a social security number can’t be replaced as easily as a credit card. On a larger scale, the total cost of a breach isn’t limited to the impact on the patient alone. Once revealed, the organization is subject to fines, increased oversight, and damage to its brand.


THE ISO/IEC 27002:2013 CHALLENGE

ISO/IEC 27002:2013 Information technology -- Security techniques -- Code of practice for information security controls

You might think that implementing an ISO 27002 ISMS program is fairly straightforward, and even an easy sell to the business and the supporting enterprise. After all, information security is defined by the C-I-A triad, the most well-known model for security policy development. Who can resist a tried-and-true C-I-A triad?

“If your company currently uses third party vendors to provide services that include the collection, processing and/or retention of sensitive information, you should consider inquiring into whether they have successfully completed a SOC 2 Type 2 audit, as it helps to ensure a higher standard for protecting your data.” Jeanne Madden, Vice President Operations, ADP Tax Credit Services


THE CYBER CHALLENGE

If you intend to do business with the United Kingdom (UK) Government, and you handle any aspect of personal and sensitive information, you cannot even bid without having completed Cyber Essentials certification. (more at http://www.cyberessentials.org/)


© 2018 Cavirin Systems, Inc. All rights reserved.