The landscape of information security in healthcare can be very confusing. There are federal laws such as HIPAA and HITECH; HITECH is part of the American Recovery and Reinvestment Act (ARRA) passed in 2009. The HITECH regulations expand the kinds of entities subject to the safeguarding requirements for health information (for example, business associates and vendors of Personal Health Records, PHR) and specify what must happen in the event of a breach.
Then there is PCI DSS, the standard imposed by the payment card brands on any organization that accepts credit or debit cards as payment. Some of these standards are more general, while others are quite prescriptive. Some have the power of law, while others are private initiatives that are gaining governmental blessing.
In 2010, the Drug Enforcement Administration (DEA) issued an interim final rule (IFR) that allows healthcare providers and pharmacies to use electronic prescriptions for controlled substances (EPCS). The EPCS rule's requirements are very detailed and include strict controls that must be implemented by software vendors and service providers, such as two-factor authentication for prescribers, digital signing of prescriptions, and a third-party audit or certification of the application before it may be used.
To make matters more confusing, laws and interpretations of the laws change frequently and at times without advance notice. In all its audit services, NetSPI offers detailed program guides, which walk a client through the audit process and spell out what is required at each step.
HITRUST CSF
The HITRUST Alliance, a consortium of healthcare, business, technology, and information security leaders, has established the Common Security Framework (CSF), a certifiable framework that can be used by organizations that create, access, store, or exchange Protected Health Information (PHI). NetSPI can help organizations comply with HIPAA and HITECH regulations, and help them use the CSF.
As a leader in healthcare security and compliance, NetSPI has formed a local Special Interest Group (SIG) for information security professionals in healthcare who are interested in evaluating the value of the CSF to their organizations.
HIPAA and HITECH Assessment
A gap analysis compares current practices and methodologies against HIPAA/HITECH security requirements in four areas: Administrative, Technical, Physical, and Documentation. The gap analysis establishes the benchmark for the subsequent mandated risk analysis.
HITRUST Readiness Assessment
NetSPI will help clarify the scope of certification and identify the degree of an organization's readiness to proceed with the CSF certification process.
HITRUST Certification/Validation
NetSPI can help organizations achieve HITRUST certification with guidance from our specialists in information security for healthcare and our custom-developed tools.
DEA EPCS Certification
Several of the DEA requirements deal with the implementation of cryptography (authentication credentials and digital signatures) within the organization, as well as with the management of DEA registration information. The requirements address all three phases of the electronic prescription process:
- Origination: where a prescriber creates and signs the prescription
- Transmittal: for anyone that transmits or routes prescriptions, even if this is done internally and without the use of third-party exchange networks
- Fulfillment: pharmacies that validate prescriptions and dispense the medication
Building on its extensive experience with both healthcare and application security, NetSPI was one of the first professional services firms to develop program compliance guides, which have proven instrumental in working with other complex regulatory requirements. These guides break the regulatory requirements down into technical controls, which are then tied to specific audit requirements, making the process of undergoing an audit easier and more likely to succeed.
DEA EPCS Readiness Assessment
Making sure the requirements are properly understood at the design stage of a software development initiative is one of the best ways to pass the audit on the first try. NetSPI will work with your software development and product management teams to provide guidance on, or validation of, the application's EPCS-related features. Additionally, NetSPI can provide a readiness assessment of individual aspects of EPCS, such as the documentation and the development of the implementation guide.
DEA EPCS Certification
Our experience with PCI PA-DSS has allowed NetSPI to develop a mature application audit methodology, which we apply to DEA EPCS certification. Our consultants have software development experience, so rather than relying on checklists, NetSPI consultants work with your development and product management teams to gather enough information to validate each requirement. Once all requirements have been validated, NetSPI issues a report that documents the state of compliance, which can then be freely distributed to any client or third party.