Schellman is a leading provider of attestation and compliance services. We are the only company in the world that is a CPA firm, a globally licensed PCI Qualified Security Assessor, an ISO Certification Body, a HITRUST CSF Assessor, a FedRAMP 3PAO, and most recently, an APEC Accountability Agent. Renowned for expertise tempered by practical experience, Schellman's professionals provide superior client service balanced by steadfast independence. Our approach builds successful, long-term relationships and allows our clients to achieve multiple compliance objectives through a single third-party assessor.
Privacy Assessments | Healthcare Assessments
By: Schellman | May 16th, 2016
Security is vital to the healthcare industry. Thirteen percent of CIOs, CTOs and CSOs reported being targeted by external threat attempts almost once a day, and 12 percent reported about two or more attacks per week. Furthermore, 16 percent of healthcare organizations admitted they are unable to detect in real time if their systems are compromised.
By: Schellman | May 10th, 2016
As larger players in the healthcare industry like Anthem, Humana, and UnitedHealth Group begin to embrace the HITRUST Common Security Framework (CSF) in an attempt to manage the ever-evolving compliance landscape, the desire for HITRUST certification has increased exponentially. However, for many organizations the road to certification is a long one.
By: Schellman | May 5th, 2016
Healthcare service providers are being told that they must begin their HITRUST Validated Assessment process soon, especially to meet the 2017 deadline for HITRUST Certification. The looming deadline and a lack of familiarity with the validation process are causing some fear. But have no fear! This article provides guidance on the process and the information needed to navigate the Validated Assessment and obtain certification.
ISO Certifications | SOC Examinations | SOC 2 | ISO 27001
By: Schellman | April 21st, 2016
As organizations grow and expand their client base, especially in regulated or security-conscious industries, the demand for third-party assurance has never been higher. It’s common to be faced with requests for both an ISO 27001 certification and a SOC 2 report, but you may be wondering whether they are really different. Companies often ask, “Can my ISO 27001 certification cover what’s needed for SOC 2?” or “Do I really need both?”
By: Schellman | December 30th, 2015
According to a study by the Ponemon Institute, companies whose data breaches involved fewer than 10,000 records had an average data breach cost of $4.7 million, while companies that lost or had stolen more than 50,000 records had an average data breach cost of $11.9 million.
Compliance and Certification | Education
By: Schellman | November 24th, 2015
Effective compliance and risk management go far beyond a set of policies. To be effective, a company’s compliance and risk management program must be embedded in its culture. All too often, companies treat compliance as a separate activity that does not need to be integrated into day-to-day business operations. All employees should share responsibility, and an intelligent risk framework should be created that brings compliance out into the open, letting employees know the importance of compliance while allowing them to communicate. But that’s often easier said than done.
FedRAMP | Payment Card Assessments | Federal Assessments
By: Schellman | July 9th, 2015
Overview
In the last 30 days, the FedRAMP Program Management Office (PMO) has published guidance for both vulnerability scanning and penetration testing. The updated guidance comes on the heels of PCI mandating enhanced penetration testing requirements under Requirement 11.3 of version 3.0 (now 3.1) of the DSS. These augmented PCI requirements, introduced in the fall of 2013, took effect on June 30th. For many cloud service providers this means the requirements for vulnerability scanning and penetration testing are more thorough and will require additional resources for planning, executing, and remediating findings. This article walks through the updates and discusses how the FedRAMP requirements differ from those of the PCI Data Security Standard (DSS).
By: Schellman | August 25th, 2014
With proper design, implementation, and maintenance, periodic user access reviews can be an effective tool for service organizations in achieving their security and compliance goals.