How can Fluid Attacks help with HIPAA compliance?
Ensuring compliance with up-to-date security standards may become a complicated issue for diverse organizations that use continually evolving information technology for their businesses. Fluid Attacks recognizes this and offers you comprehensive testing and analysis to determine whether your company is effectively complying with all corresponding security requirements.
Although Fluid Attacks’ Continuous Hacking service goes beyond HIPAA, testing around 200 technical security requirements in each of your projects, we can guarantee the detection of all vulnerabilities in your software associated with this standard. In addition, we provide you with reliable reports so that your team can take the necessary steps to adjust and maintain your information systems in line with such requirements. We allow you to avoid penalties and, above all, guarantee secure systems for customers or users, thus ensuring their continued trust.
All our security testing is based on Criteria, a set of security requirements written by us in a comprehensible manner, using several international standards as a reference. It allows you to parameterize the assessments we make of your systems and to determine what your company agrees to comply with and what would be considered a vulnerability.
What is HIPAA?
HIPAA, or the Health Insurance Portability and Accountability Act, is legislation created by the U.S. Congress in 1996. It was enacted to regulate and improve the flow of Protected Health Information (PHI; any data that could be used to identify a patient) within the healthcare context in order to avoid fraud and theft. This standard comprises five general rules, among which we highlight the Privacy Rule and the Security Rule for the storage and handling of PHI by covered entities (i.e., health plans, healthcare clearinghouses and healthcare providers) and business associates.
What is HIPAA compliance?
Covered entities have to address and implement three particular sets of safeguards for the protection of PHI. These sets of requirements belong to the Code of Federal Regulations, Title 45, Part 164, Subpart C - Security Standards for the Protection of Electronic Protected Health Information, and are specifically the Administrative (164.308), the Physical (164.310) and the Technical (164.312) safeguards.
Among the Administrative safeguards, we can observe requirements related to implementing periodic reviews of information system activity, implementing policies to guarantee that data are accessed only by authorized personnel, and procedures for their supervision. Regarding the Physical safeguards, we can see requirements associated with the use of strategies to control and validate individuals’ access to facilities and software, and the implementation of policies for the final disposition of electronic PHI. Finally, for the Technical safeguards, among other requirements, we can highlight the use of unique user identifications, automatic logoff after predetermined periods of inactivity, and the use of PHI encryption and decryption processes.
To see all the requirements of each of the safeguards, you can follow these links: 164.308; 164.310; 164.312.
Every organization storing, processing or transmitting PHI must ensure that its security controls meet the requirements of the HIPAA rules in order to guarantee both the availability and the privacy of data. Organizations must prevent all types of unauthorized access to their systems and PHI to avoid security incidents and, consequently, penalties. Therefore, it is recommended that covered entities conduct regular evaluations of their security policies and procedures to identify weaknesses and take prompt remedial action.