Security Services

Fortified Health Security’s Compliance Confidence services address the two key elements of any cyber security program: Risk Analysis and Vulnerability Threat Management. This service couples the “best practice” requirement of an annual risk assessment with visibility to ongoing threats through a monthly vulnerability threat management service.

Risk Analysis

Fortified’s HIPAA Risk Analysis is a very rigorous and detailed identification and prioritization of key risks currently facing our healthcare partners. Our HIPAA Risk Analysis explores the likelihood of a potential breach and the magnitude of its impact by assessing the physical, administrative and technical information security controls and safeguards outlined by the HIPAA Security Rule.

This service centers on threats, vulnerabilities, the risk they pose, and the controls recommended for mitigating those risks. Fortified closely adopts the NIST (National Institute of Standards & Technology) recommended methodology for conducting the HIPAA Risk Analysis.

This methodology, while modified to some extent by Fortified Health for our clients’ specific needs, is widely accepted as the “gold standard” for conducting risk analyses. The risk analysis, coupled with vulnerability scanning, brings a comprehensive view of organizational risk from a strategic, operational and tactical perspective.

Unlike some risk assessments, we actually scan your current environment through a technical scan versus a simple technical questionnaire. This provides a higher level of understanding versus a traditional assessment — especially with respect to vulnerabilities that might be exploited if not properly addressed.

Vulnerability Threat Management

Vulnerability Threat Management gives an organization continuous visibility into any vulnerabilities in their IT environment. The purpose of Vulnerability Threat Management is to identify and remediate vulnerabilities in a timely fashion and eliminate the snapshot in time.

Monthly Service

• Vulnerability Scanning: Standard scans performed monthly, on-demand scanning when required, and a monthly summary client call.
• Monthly Calls: A conference call will be scheduled on a monthly basis to cover the prior month’s security vulnerabilities
• Access to Fortified’s proprietary dashboard for near real-time monitoring and tracking

Fortified utilizes a leading industry tool to provide the most accurate and pertinent results. Tenable’s Nessus has been deployed by more than one million users across the globe for vulnerability, configuration and compliance assessments. Nessus prevents network attacks by identifying the vulnerabilities and configuration issues that attackers use to penetrate your network.

Fortified Health Security’s 24/7 monitoring facilitates compliance with the HIPAA Security Rule by utilizing custom-built reporting modules, macros, and taxonomies. With proposed monitoring in conjunction with other Fortified security services, such as vulnerability management, you can be assured that your facility meets the intent of HIPAA security provisions, and that you can demonstrate compliance for patient information safety as a normal part of your operational security.

Fortified will not only provide compliance monitoring like competing providers, but we also provide monitoring of all relevant security and system audit events – including those created by IT Staff. This complete separation of duty will aid response to complicated issues that otherwise may have gone unnoticed.

HIPAA specifically mentions event logs as an important vehicle to meet compliance and requires covered entities to collect, analyze, preserve, alert and report on system and application security event logs generated by all relevant systems. Fortified Health Solutions log management/correlation solutions, used in conjunction with internal procedures and policies, provide your facility with a strong, yet cost effective compliance strategy and the ability to easily demonstrate your adherence to external auditors.

Managing log data alone would be an extremely labor intensive activity that not only puts an immense amount of stress on your existing resources, but detracts them from other processes. Not to mention, failure to implement proper logging processes can translate to many thousands of dollars in liability for non-compliance, remediation and other related expenses. Information systems can be tough to properly monitor due to their dynamic nature. It is imperative that people who are knowledgeable with security incidents across many operating systems are assisting in event monitoring. Fortified Health Solutions will provide these solutions for you.

MDSP is a technology-enabled solution that offers real-time operational intelligence and compliance visibility for network-connected medical devices through automated device discovery, identification, and classification. When combined with other Fortified solutions, MDSP provides a holistic perspective of your security posture and a proactive stance toward identifying and remediating issues. MDSP integrates with our single pane-of-glass dashboard that empowers you with situational awareness of your network, devices, and potential threats.

MDSP Offers

• Network-connected IoT device discovery
• Classification of IoT assets
• Risk rating assignment for each device
• Vulnerability management
• Anomalous device behavior identification
• Zero-day attack identification
• Integration with existing security investments
• Advanced threat remediation expertise
• Monthly analysis, trending and reporting
• Risk prioritization and patch management

Data Loss Prevention (DLP) for healthcare organizations safeguards compliance with regulations such as the HIPAA Security Rule, PCI, Joint Commission, and state privacy regulations. Under the HITECH Act, implementing Data Loss Prevention meets Meaningful Use criteria, enabling healthcare organizations to receive maximum reimbursement by providing controls to protect Electronic Health Records (EHR).

Data Loss Prevention tools provide a number of mechanisms to analyze risks to ePHI per the HIPAA Security Rule and limit ePHI access to the “Minimum Necessary.”

• Discover ePHI stored on laptops, workstations and servers that are unencrypted
• Scrub ePHI being emailed out of your organization
• Detect ePHI being transferred out of your organization in unencrypted FTP and similar web based protocols
• Audit and control ePHI being copied to USB devices or burned to CDs or DVDs

A Virtual Information Security Program (VISP) is a team of experienced, compliance professionals who can serve as the part-time Information Security Officer (ISO) to any size organization.

An ISO is a senior-level team member that is responsible for establishing and maintaining an enterprise’s security vision, strategy, and programs to ensure information assets and technologies are appropriately protected. The key business benefit of retaining VISP services is that this team of security professionals provide expertise and capability of a full-time ISO without the associated level of overhead and benefits required when adding another top level executive.

Often you can derive a large portion of the benefit — security prioritization, risk evaluation, threat assessment, security training and security procedures — without staffing the role full-time. Some of those benefits include:

• Investment Value: Virtual Information Security Program (VISP) services add value by using their expert security and compliance skills to help deliver an outcome that provides a meaningful return on investment.
• Immediate Impact: VISP services can be added to an organization within days, instead of the months that a search for a full-time CISO / ISO would typically take.
• Knowledge and Expertise: VISP services can operate at any level in the client organization with expert understanding of the security needs of organizations.
• Impartial: Uninfluenced by company politics or culture, VISP professional services provide a fresh perspective and a team that is able to concentrate on what’s best for the business.
• Productivity: Operating alongside the executive management team, the VISP professional service consultant has the credibility to promote change or culture within the client company.

While most healthcare organizations have hundreds or thousands of vendors, many find it challenging to develop and implement a scalable, comprehensive vendor security program. Vendors present a real exposure risk to data breach. Even though ultimate responsibility for securing patient data resides with the covered entity, healthcare organizations serious about protecting patient data will establish safeguards that extend beyond their own walls to include their third party vendors.

The Omnibus Rule made significant changes to HIPAA regulations. It clarified that anyone hired to do work for or on behalf of a covered entity (CE) can fall into the business associate (BA) category if they create, receive, transmit or maintain PHI for a provider. More importantly, it made BAs liable for compliance with the HIPAA Security Rule and certain provisions of the Privacy Rule. As a result, providers need to have an effective vendor management program in place and document greater due diligence

Third Party Risk Management is a critical component of managing risk as part your overall cybersecurity program. Not all Business Associates represent the same level of risk but all must be managed through a coordinated process.