Healthcare
Healthcare data is the most sensitive, highly regulated data in business today. See how ZenGRC helps healthcare providers protect private health information (PHI) to comply with industry regulations such as HIPAA.
GET A DEMO
The regulatory burden
The healthcare sector is under enormous pressure to cut costs and streamline operations. Government agencies and private insurers want to reduce their expenditures on medical costs, period. They also want “outcome-based care,” where medical firms are paid for the quality of care they dispense, not the quantity of it.
Cloud-based IT can serve both goals. Healthcare providers can abandon paper-based records in favor of online records management. Those records, in turn, can be securely available. That means medical professionals themselves can be more mobile, giving healthcare providers more flexibility in how they deliver care. Telemedicine can bring far-away expertise to wherever the patient is. Billing and insurance claims can be managed online, accelerating payment cycles.
The federal HIPAA law has required any business dealing with “private health information” (PHI) to protect it. PHI is defined broadly: any information about a person’s health status, care he or she receives, and payment for health services.
Meanwhile, healthcare organizations routinely collect data such as:
- Name
- Age
- Medical history
- Medications or other treatments received
- Payment information
Healthcare businesses also strive to give patients online access to medical records, appointment scheduling, and so forth. That means “customer accounts” for patients, where the healthcare provider manages user IDs, passwords, and possibly location data.
Beyond HIPAA, firms working with PHI also have breach disclosure laws to obey at the state level, should patient records ever be exposed.
The compliance objectives:
Firms handling medical data must ensure compliance with privacy and security rules from the moment a piece of PHI is created. In a major healthcare system that relies on cloud-based services, that means the system must:
HIPAA itself only tells firms the compliance objectives they must achieve, not how to achieve them. HITRUST, a consortium of healthcare businesses, has worked to map HIPAA requirements to the Common Security Framework, a standardized assessment and certification program. HITRUST can also be mapped to other frameworks such as NIST, PCI, or COSO.
Assess vulnerabilities in the network, applications, and devices
Identify non-compliant data management behaviors (say, failure to encrypt data before sending it to the cloud)
Remediate weaknesses, either through security patches to software or through changes to data collection practices
Map progress on those remediation efforts
Be able to report those risk assessments and remediations to other parties as necessary
Integrate new threats or updated regulations into your compliance program as they arise
Click on one of the tabs to learn more about ZenGRC's compliance, risk or reporting features.
Centralized Dashboard
Program Progress
Control Completion
Risk Assessment
Unified Control Management
Map Controls Across Frameworks
System of record
Streamlined Workflow
Continuous System Monitoring
What can ZenGRC do for you?
As a cloud-based solution, ZenGRC deploys simply and quickly (six to eight weeks) even across a large enterprise. It also provides a unified platform to manage controls across multiple frameworks, and a dashboard that lets CISOs monitor key performance indicators for compliance and IT security efforts.
Perhaps crucial for those possessing PHI, ZenGRC gives full visibility into risks and deficient controls, so you can coordinate remediation and surprises that affect your customer. It also allows for consistent compliance and security policies across multiple locations, to help meet challenges such as proper disclosure of data breaches.
