Healthcare data is the most sensitive, highly regulated data in business today. See how ZenGRC helps healthcare providers protect private health information (PHI) to comply with industry regulations such as HIPAA.


The regulatory burden

The healthcare sector is under enormous pressure to cut costs and streamline operations. Government agencies and private insurers want to reduce their expenditures on medical costs, period. They also want “outcome-based care,” where medical firms are paid for the quality of care they dispense, not the quantity of it.

Cloud-based IT can serve both goals. Healthcare providers can abandon paper-based records in favor of online records management. Those records, in turn, can be securely available. That means medical professionals themselves can be more mobile, giving healthcare providers more flexibility in how they deliver care. Telemedicine can bring far-away expertise to wherever the patient is. Billing and insurance claims can be managed online, accelerating payment cycles.

The federal HIPAA law has required any business dealing with “private health information” (PHI) to protect it. PHI is defined broadly: any information about a person’s health status, care he or she receives, and payment for health services.

Meanwhile, healthcare organizations routinely collect data such as:

  • Name
  • Age
  • Medical history
  • Medications or other treatments received
  • Payment information

Healthcare businesses also strive to give patients online access to medical records, appointment scheduling, and so forth. That means “customer accounts” for patients, where the healthcare provider manages user IDs, passwords, and possibly location data.

Beyond HIPAA, firms working with PHI also have breach disclosure laws to obey at the state level, should patient records ever be exposed.

The compliance objectives:


Firms handling medical data must ensure compliance with privacy and security rules from the moment a piece of PHI is created. In a major healthcare system that relies on cloud-based services, that means the system must:

  • Assess vulnerabilities in the network, applications, and devices
  • Identify non-compliant data management behaviors (say, failure to encrypt data before sending it to the cloud)
  • Remediate weaknesses, either through security patches to software or through changes to data collection practices
  • Map progress on those remediation efforts
  • Be able to report those risk assessments and remediations to other parties as necessary
  • Integrate new threats or updated regulations into your compliance program as they arise

HIPAA itself only tells firms the compliance objectives they must achieve, not how to achieve them. HITRUST, a consortium of healthcare businesses, has worked to map HIPAA requirements to the Common Security Framework, a standardized assessment and certification program. HITRUST can also be mapped to other frameworks such as NIST, PCI, or COSO.


What can ZenGRC do for you?

As a cloud-based solution, ZenGRC deploys simply and quickly (six to eight weeks) even across a large enterprise. It also provides a unified platform to manage controls across multiple frameworks, and a dashboard that lets CISOs monitor key performance indicators for compliance and IT security efforts.

Perhaps most crucial for those possessing PHI, ZenGRC gives full visibility into risks and deficient controls, so you can coordinate remediation and avoid surprises that affect your customers. It also allows for consistent compliance and security policies across multiple locations, to help meet challenges such as proper disclosure of data breaches.
