Their story:

As a regional hospital, they knew they had security needs, but budget constraints and other issues had left them behind. With recent changes to HIPAA, specifically Meaningful Use, they knew it was time to take action. Their challenge was trying to understand exactly how to comply with HIPAA Meaningful Use requirements in order to qualify for incentives.

What they needed:

Someone to explain the Meaningful Use requirement and help them get compliant.

"Conduct or review a security risk analysis per 45 CRF 164.308 (a)(1) and implement security updates as necessary and correct identified security deficiencies as part of its risk management process"

What we did:

• A full information security assessment focused on Administrative Security, External IT Security, Internal IT Security, Physical Security, HIPAA and Meaningful Use Compliance
• Policy/Procedure gap analysis
• External vulnerability assessment including penetration test
• Internal vulnerability assessment
• Physical security assessment

We helped them prioritize the issues we found. Since they have significant staff and budget issues, remediation will take time. We are helping write and rewrite policies and implement other security strategies as they are ready.

The outcome:

Given that this was their first assessment, it wasn't pretty. Hospitals and other healthcare facilities are very difficult to secure. With doctors and nurses that want shared or generic logins, visitors coming and going, etc. it is a challenge. To their credit, they took our assessment and have put it into action. It will take time, but they have shown a true desire to protect their patient's information, and they're taking steps to make sure it happens.

With all the changes to HIPAA, EMR and EHR the regulations around security will only become more intrusive. Organizations that take a "Risk Based" approach will be ahead of the curve. Organizations that take a "Compliance Based" approach will continue to chase a continuously moving target.

What they had to say:

"The depth of his (FRSecure professional) knowledge was outstanding. I was very impressed. He gave me exactly what I was looking for. You can definitely use me as a reference for future customers."