Healthcare
Healthcare data is the most sensitive, highly regulated data in business today. ZenGRC helps healthcare providers protect private health information (PHI) to comply with industry regulations, such as HIPAA.
The Regulatory Burden
The healthcare sector is under enormous pressure to cut costs and streamline operations. Government agencies and private insurers want to reduce their expenditures on medical expenses. They also want “outcome-based care,” where medical firms are paid for the quality of care they dispense, not the quantity of it.
Cloud-based IT can serve both goals. Healthcare providers can abandon paper-based records in favor of online records management, and those records can then be made securely available wherever they are needed. That means medical professionals themselves can be more mobile, giving healthcare providers more flexibility in delivering care. Telemedicine can bring far-away expertise to wherever the patient is. Billing and insurance claims can be managed online, accelerating payment cycles.
The federal HIPAA law requires any business dealing with “private health information” (PHI) to protect it. PHI is defined broadly: any information about a person’s health status, the care he or she receives, and payment for health services.
Meanwhile, healthcare organizations routinely collect data such as:
- Name
- Age
- Medical history
- Medications or other treatments received
- Payment information
Healthcare businesses also strive to give patients online access to medical records, appointment scheduling and so forth. That means “customer accounts” for patients, where the healthcare provider manages user IDs, passwords and possibly location data.
Beyond HIPAA, firms working with PHI also have breach disclosure laws to obey at the state level, should patient records ever be exposed.
Compliance Objectives
Firms handling medical data must ensure compliance with privacy and security rules from the moment a piece of PHI is created. In a major healthcare system that relies on cloud-based services, that means the system must:
- Assess vulnerabilities in the network, applications and devices.
- Identify non-compliant data management behaviors (say, failure to encrypt data before sending it to the cloud).
- Remediate weaknesses, either through security patches to software or through changes to data collection practices.
- Map progress on those remediation efforts.
- Be able to report those risk assessments and remediations to other parties as necessary.
- Integrate new threats or updated regulations into the compliance program as they arise.
HIPAA itself only tells firms the compliance objectives they must achieve, not how to achieve them. HITRUST, a consortium of healthcare businesses, has worked to map HIPAA requirements to the Common Security Framework, a standardized assessment and certification program. HITRUST can also be mapped to other frameworks such as NIST, PCI or COSO.
Healthcare-related Use Cases
Learn how we can fit into your business.
Schedule a demo to learn how we can help guide your organization to confidence in infosec risk and compliance.