aligncompliance · 2 years
How to Minimize the Risk of Healthcare Cyberattacks
This year, we’ve seen an influx of healthcare cyberattacks where threat actors have stolen large volumes of electronic protected health information (ePHI) and personally identifiable information (PII). It’s a familiar problem: the healthcare sector lost more than $20 billion in 2020 as the result of ransomware attacks alone. Now, the threat level is only rising.  
To protect themselves, healthcare organizations need to implement a robust cybersecurity program. From completing assessments, to partnering with cybersecurity vendors, or updating internal processes, there are specific actions healthcare organizations should pursue to minimize their risk of a cyberattack. 
In this blog, we’ll detail which steps healthcare organizations can take to help bolster their internal defenses. 
Focus on Strengthening Internal Resources 
Even more important than finding strong partners is creating a strong security structure within your own organization. To do so, begin by appointing a security officer and a privacy officer. The individuals in these roles should develop and document security and privacy policies, standards, and procedures to ensure all personnel are aware of their responsibilities. As can be said for all important guidelines, every employee should have easy access to this information.  
An internal security committee composed of stakeholders from all departments across the organization should also be established. By making sure every branch has a representative present, organizations can more easily identify cross-departmental vulnerabilities.  
The goal of the committee is to perform a risk assessment and develop controls to mitigate risk to an acceptable level. Some of those controls include: 
Installing endpoint protection on all company devices and servers. 
Implementing media and mobile device policies and encrypting data at rest.  
Enforcing a strong WPA AES-256 encryption policy for all wireless networks. 
Adopting Open Web Application Security Project (OWASP) level security when developing applications and deploying changes. The Committee must patch all systems periodically to ensure they are operating under the best practices.  
Installing security information and event management (SIEM) tools to detect and monitor all activities within the network. 
Ensuring the organization has put an Incident Response Plan in place, along with testing the plan on an annual basis.  
On a broader level, there are certain actions that all employees at healthcare organizations should take to aid in security efforts. These include completing a comprehensive security awareness and HIPAA training on an annual basis, ensuring all of the software they use is up to date, and reading and acknowledging their organization’s Acceptable Use Policy. 
Partner With Vendors Who Can Mitigate Risk During Healthcare Cyberattacks 
In addition to pursuing audits and assessments, healthcare organizations should seek out partnerships with vendors who specialize in cybersecurity services. 
While most organizations likely already have a dedicated IT team, they should still maintain a relationship with a breach forensic firm. Not only will a firm help an organization identify and report breaches in a timely manner, but they will also make sure the organization stays in accordance with all of the compliance standards they follow, such as the HIPAA breach notification law.  
Additionally, organizations should make sure they have a cyber insurance plan in place. As there is no framework or guideline that can 100% eliminate the possibility of a cyberattack, having an insurance policy will minimize the amount an organization would have to pay if a breach should occur.  
Focus on Compliance and Security Assessments  
There are several security compliance assessments unique to healthcare organizations that can help ensure information remains private and protected. For organizations that store, process, or transmit ePHI, HIPAA compliance is a must. HIPAA is a U.S. law that was enacted to protect sensitive patient data. For organizations that are uncertain whether they are currently HIPAA compliant, a third-party organization like A-LIGN can review the safeguards currently in place and identify areas where the information security program can be enhanced. A-LIGN’s audit experts created A-SCEND’s HIPAA Readiness Assessment, the only SaaS compliance management solution that includes live auditor assistance, making it a fast and easy way to achieve HIPAA compliance.
The most reliable ways of demonstrating HIPAA compliance are to use the HITRUST CSF to perform a certification or to use the AICPA Trust Services Criteria to perform a SOC 2+HIPAA attestation.
Healthcare organizations should also complete an organization-level Enterprise Risk Assessment. This assessment identifies all the critical assets of the organization, determines the threats to those assets, and ranks the risks based on the probability and impact of an asset being compromised. It’s a key step in identifying threats and implementing controls to mitigate risk.  
Another great, proactive way to protect data and mitigate risk is to conduct a penetration test. These tests simulate a network attack and illustrate how your organization would respond. It’s a great way to identify gaps in your security infrastructure and fix them before a bad actor takes advantage. 
How Organizations Can Act Now  
Throughout 2022, threat actors will likely still view healthcare cyberattacks as a worthy endeavor — especially small and mid-sized providers and their associates. To minimize the risk of healthcare cyberattacks, organizations should look to pursue relevant audits and adhere to compliance standards, partner with organizations who can assist during incidents, and bolster internal resources via key hires or the development of a dedicated security committee.  
Source: A-lign
HITRUST Updates Scoring Rubric in Support of i1 Assessment
In January of 2022, HITRUST released an advisory for their updated Control Maturity Scoring Rubric, which was immediately enforced for the i1 assessment. For any organization undergoing the r2 assessment, the new rubric was enforced on May 1, 2022. This updated rubric assists assessed entities and their external assessors in assessment scoring to ensure they are implementing maturities at an appropriate level.  
Scoring Rubric Key Changes 
The scoring rubric has been updated by HITRUST to provide a more streamlined approach. Designed as a reference aid, this has frequently become a tool that organizations use to determine their scores across the various levels of control maturity. 
Key changes to the HITRUST Control Maturity Scoring Rubric include: 
A reduction in the tiers for Policy and Procedures maturity levels from five to three. Please note the levels of coverage remain the same, ranking from ‘very low’ to ‘very high’. The new tiers are as follows: 
Tier 0 = No documented Policy and/or Procedure 
Tier 1 = Undocumented Policy and/or Procedure 
Tier 2 = Fully documented Policy and/or Procedure  
Organizations will now have to address the illustrative procedures for all of the control requirements and policy statements. Previously, organizations only addressed the requirements they met. They will now need to go a step further and look at the illustrative procedures within the policy and procedure documents to address all elements of that requirement.
The addition of evaluative elements into the rubric. Organizations are now required to address evaluative elements in the policy document and in the procedure document for every requirement for the policy maturity and procedure maturity. 
In addition to these key changes, HITRUST also made minor adjustments to the scoring rubric. 
HITRUST reformatted the guidance for supporting documentation to qualify as a measure by clarifying the metrics and adding context. 
The timeframe table was revised to note if the information refers to r2 or i1 as previously there was no delineation.  
The addition of the current Bridge Certificate timing guidance to the rubric, along with sampling guidance presented as a visual.
Although guidance was not modified, several sections were removed from the timeframe table in order to streamline the presentation of key timeframes. 
HITRUST added and updated links on the rubric where additional guidance can be located. 
How Organizations Can Prepare 
To ensure organizations aren’t caught off guard, it’s important that they continuously verify that the controls that could impact their compliance score have been properly implemented. A-LIGN can conduct a HITRUST Gap Assessment to help organizations benchmark the implementation of their controls against the updated scoring rubric and ensure certification will be achieved or maintained. In addition, A-LIGN can help identify any gaps and recommend new controls that will need to be implemented.
A-LIGN is one of only a few globally recognized cybersecurity and privacy compliance providers that offer a single-provider approach for organizations. A-LIGN is a HITRUST CSF Assessor firm, Qualified Security Assessor Company, Accredited ISO 27001 and ISO 22301 Certification Body, Accredited FedRAMP 3PAO and licensed CPA firm. 
Source: A-lign
Five Steps to Take to Enhance Your Cybersecurity Posture
It can be easy to overlook the actions your organization should avoid when priorities are focused on the things your organization must do to ensure HIPAA compliance. For that reason, we identified five things, largely assumptions, to avoid in order to maintain the integrity of your cybersecurity defenses.
1 Do not think the responsibility of protecting data can be outsourced, and do not minimize the risk of third parties. Using a third-party service provider, like a cloud provider or managed service provider, will not exempt you from implementing necessary monitoring controls or, at a minimum, performing a third-party risk assessment.
2 Do not assume employees and contractors know company policies; you should formally train them and have them acknowledge their understanding of said policies and procedures in writing.
3 Do not allow BYOD (Bring Your Own Device) within your organization without having a plan for employees to follow. And never combine public data with confidential data.
4 Do not consider your job done once you design and implement security and privacy controls. Technology is continuously evolving, and threat actors become smarter by the second.
5 Do not assume business partners and regulators will accept an internal audit report, or your company’s policies and procedures, as sufficient deliverables to address their risk evaluation. Most stakeholders require an independent third-party assessment or certification.
Source: A-lign
Creating Your Data Migration Roadmap
The next wave of data migrations will involve companies moving applications that literally run their business, not only to enable scalability and business agility, but also to remain competitive. A poorly executed migration can lead to outages, data loss, wasted time and money, and even the loss of jobs.
Here are some best practices to help achieve the migration results you want and build a strategic foundation for future migration opportunities.
Current State: Start Here
The first consideration should be a current state assessment of your technology environment. A current state assessment is the most important step of the migration process because it provides critical insight into the IT assets across your entire infrastructure, including the following:
The hardware currently utilized to support your applications and workloads
Any obsolete, end-of-life, or legacy applications or devices
Virtual servers and current and unknown software
The dependencies for each application and workload, and where they are hosted
The applications and workloads that are candidates for migration
When migrating to the cloud, a new data center, or new infrastructure, it’s important to know how applications function today, in their current state. As you look toward your migration objectives, focus on three important requirements: (1) what your physical infrastructure is (physical inventory), (2) where your applications and workloads are hosted, and (3) what network dependencies exist (logical discovery) and what the application’s criticality level is (criticality level).
Gathering these streams of information will provide the answers for what you need to do with your applications when you migrate.
Future State: Create Impact Across the Business
You have established what your current state is; now, it’s time to plan out where you’re going. Carrying over the “why” of your migration, how does your future state strategy solve your current state problems?
Plan out where your applications will reside based on best-fit and project scope. Will you focus on migrating workloads to the cloud? Perhaps a more user-friendly platform? Are you migrating “as-is” or will new servers and infrastructure be deployed? The architecture of your future state will be a critical point of reference in the migration process—it needs to be done right. A poorly-designed or absent future state plan can derail the entire migration or create roadblocks throughout your entire organization. Don’t skip this step. Know where you’re going!
The Plan: Design Your Roadmap
With a solid current state and a defined end state, the next step is to assess readiness and the migration approach. “Readiness” checks assess the current state and whether the application can be easily migrated to the end state without remediation. Any technical impediment to migration is critical to understand and mitigate at this stage. The readiness states of your applications and the end state strategy will define the migration approach.
It is time to build your migration plan, confirm your migration tooling, and start detailed dependency tracking. This means mapping out your KPIs, migration waves, and resource plan. In addition, you’ll need to build the appropriate application, infrastructure, and support requirements needed to move to the target destination, which can be a public or private cloud, colocation, or a managed service.
Depending on the size and scope of your migration strategy, consider outsourcing or partnering with a migration expert who will take both your current and future state into consideration and leverage a trusted process.
The Migration: Put the Plan into Action
With everything in place and your plan laid out in front of you, it’s time to commence migrations. In taking the time to plan the process carefully, you have laid the foundation for smoother, lower-risk migrations. Depending on the complexities of your organization or business processes—including factors like file path mapping, user credentials, and hardware configurations—migrations can involve huge changes and critically specific details, so a thorough approach is a key to success. It’s also essential to test comprehensively before going live.
Migration can be a complicated operation, but it doesn’t have to be intimidating. By breaking down each step, practicing due diligence, and understanding the process, you’ll be on your way to a future state in no time.
Source: a-lign.com
3 Tips to Prepare for FedRAMP Authorization
This blog post is a recap of our Demystifying FedRAMP webinar, hosted alongside our partners at Anitian. View the full webinar recording here. 
FedRAMP (the Federal Risk and Authorization Management Program) was established in 2011 as a way to accelerate the adoption of cloud solutions, and increase confidence in the security of those cloud solutions, across the Federal government.
FedRAMP is an authorization program versus a certification program, meaning that businesses go through a rigorous security review process and are then granted an Authority to Operate (ATO) and listed in the FedRAMP Marketplace. The Marketplace is a comprehensive list of cloud products and services that are approved to work with federal agencies.
Prior to undergoing the FedRAMP authorization process, there are a few key things that organizations should keep in mind to prepare for FedRAMP success.
1. Executive Buy-in and Cooperation is Key 
Federal agencies spent nearly $11 billion on the cloud in FY 2021, which spells huge opportunities for cloud service providers. But the journey to FedRAMP authorization is long. It involves many evidence requests, as well as lots of writing-heavy work to document policies and procedures. Before undertaking all of this work, it’s essential to get executive buy-in on the importance of FedRAMP authorization, which, despite the monetary opportunities present in the federal market, isn’t always easy.
In our extensive experience helping organizations earn FedRAMP authorization, we’ve seen many expensive and time-consuming delays stem from misalignment over priorities within the overall corporate environment. This misalignment makes a long process even longer and will only cause your organization to miss out on opportunities to expand within the government sector. 
2. Consider Automated Solutions 
If management is hesitant to give buy-in on FedRAMP because of the numerous evidence requests and documentation requirements, consider a software solution that can automate and streamline tedious tasks and make the process significantly easier. 
Anitian’s SecureCloud for Compliance Automation platform and A-LIGN’s audit automation and compliance management software, A-SCEND, help streamline the compliance process. SecureCloud automates the documentation process with template libraries and reference architectures, and tracks progress toward FedRAMP authorization to help teams stay on track. A-SCEND centralizes evidence collection, standardizes compliance requests across multiple security frameworks, consolidates audits, and more.
With automated software solutions, organizations also benefit from an “enter once, populate everywhere” system, removing the need to upload the same documents and information to multiple places during the FedRAMP preparation and evidence-gathering phase. This is hugely beneficial, as there are hundreds of pieces of evidence that must be reviewed in a typical FedRAMP authorization.
Both tools are also auditor-assisted, with real humans who can answer any questions you have and help you use the tools to their full potential.  
3. Don’t Overlook the Benefits of Control Inheritance 
Control inheritance is extremely useful on the road to FedRAMP authorization. Essentially, control inheritance is when your business automatically inherits certain security controls from an underlying infrastructure provider that is already FedRAMP authorized. A great example would be hosting your product on top of AWS or Azure Government — both of which are already FedRAMP authorized.
If FedRAMP authorization is in your future, make sure to consider the benefits of control inheritance.  
Get Started With A-LIGN 
The experts at A-LIGN can assist you every step of the way toward FedRAMP authorization. We can help with implementing appropriate controls, completing a FedRAMP Readiness Assessment Report (RAR), and ensuring you meet FedRAMP requirements by using Federal Information Processing Standards (FIPS) models for low, moderate, or high-impact organizations.
Legal Changes Expected to Transform the Financial Services Industry
In the past six months, we’ve seen many changes in the government and legal landscape, including the war in Ukraine, abolishment of federal laws, transformation of government regulations, threats of cyberwar and much more.  
It’s important for financial institutions to take a proactive approach to their cybersecurity. Earning compliance certifications, taking preventative measures like penetration tests and vulnerability scans, and continuous monitoring are crucial to all institutions, regardless of size. It’s important to understand how your IT systems would hold up in a real-world attack scenario, which is quite valuable given the current global threat environment.
Let’s dive into PCI DSS to learn how the recent framework changes will aid financial institutions in navigating the remainder of 2022, and why penetration testing will further secure your customers’ data.
PCI DSS 4.0 redesigns requirements to better clarify security intent 
On March 31, 2022, the PCI Security Standards Council (PCI SSC) updated the PCI Data Security Standard (PCI DSS), which is the information security standard used by retailers and financial organizations to protect sensitive cardholder data.
Hundreds of pages longer than the previous version, the new standard is considered a major update and is a significant revision of PCI DSS v3.2.1. Moving forward, organizations can expect most requirements to have some level of alteration — from changes to requirement number, location, and wording, to new requirements and testing procedures.   
PCI DSS v4.0 maintains its core structure of 12 PCI DSS requirement sections. However, it features significant changes to the requirement layout and in many cases to the wording itself. Some requirements were relocated to new sections to better suit their purpose and objective. You will also find requirements that have been redesigned to better clarify their security intent and provide additional guidance on how security controls should be implemented.
PCI DSS v4.0 and PCI DSS v3.2.1 will both be valid standards available to organizations until March 31, 2024, after which only PCI DSS v4.0 assessments will be allowed. Also, most new requirements (which include others not listed above) will be a best practice until 2025.
The PCI SSC is still working to release supporting documents to assessor companies and provide training to all assessors before they can perform any PCI DSS v4.0 assessment.  
Information Security teams can’t let their guard down, even a little  
Microsoft identified and issued fixes for 55 different zero-day vulnerabilities in June 2022. Whenever there’s a large security update from a major vendor, we always see an uptick in pen test projects. Pen testing is a critical part of a financial institution’s security posture, but it’s not a silver bullet. All too often, we find unpatched systems, security misconfigurations, and other infrastructure-level errors that should be caught well before an attacker exploits them. With the escalating threats we are seeing so far this year, IT security teams need to be extra diligent in the remainder of 2022.   
Now is the time to prepare  
Working in the financial services industry means that your institution will need to closely follow compliance framework changes, practice continuous monitoring, and strictly adhere to regulations. This oftentimes results in institutions wasting valuable time and resources conducting audits in an inefficient manner. A-SCEND, A-LIGN’s compliance management and audit automation software, deduplicates efforts and helps your institution streamline the audit process. This SaaS platform allows users to upload evidence once and reuse it across multiple efforts, transforming the audit process into a well-planned initiative.
Original Source: https://www.a-lign.com/articles/blog-legal-changes-expected-to-transform-financial-services-industry
Zero Trust: An Essential Cybersecurity Strategy
Zero trust is an idea that has been gaining traction in the world of cybersecurity over the past few years. It is a key component of President Biden’s Executive Order (EO) on Improving the Nation’s Cybersecurity (issued in May 2021) and it is a trend that Gartner has been tracking closely. The analyst firm predicts that spending on zero trust solutions will grow from $820 million this year to $1.674 billion by 2025. 
But what is zero trust? And, what makes it an effective solution to mitigate cybersecurity threats? Zero trust is an IT security model that focuses on restricting information access within an organization to only those who need it. The premise of zero trust is to assume that threat actors are present both inside and outside an organization — therefore no users or machines are trusted by default.  
In our 2022 Compliance Benchmark Report, we surveyed more than 700 cybersecurity, IT, quality assurance, internal audit, finance, and other professionals about their compliance programs. Here’s what we learned about how organizations are thinking about zero trust strategies.  
Zero Trust Priorities Vary Between Industries 
While over half of our survey respondents (58%) agree or strongly agree that zero trust is a strategy they must implement in the next 12 months, 29% said they are not sure what they think about its level of importance.  
Priorities vary between industries, with IT services (68%), manufacturing (65%), and technology (64%) companies providing the highest amount of agree/strongly agree answers. On the other end of the spectrum, finance (49%) and professional services (47%) had the lowest amount of agree/strongly agree responses. 
It’s important to note that public sector organizations who hope to do business with the federal government — regardless of their industry — must prioritize zero trust as mandated by the EO previously mentioned. As we approach one full year since that EO has been in place, we’ll likely see more industries prioritize zero trust in the year to come. 
Larger Companies Are Quicker to Adopt Zero Trust 
Responses also varied by company size. Our survey found that 73% of organizations with $50M – $1B in annual revenue agree/strongly agree about the need to adopt a zero-trust security strategy. For companies with less than $5M in revenue, that percentage dropped significantly to 45%. These numbers indicate that larger companies believe they are a top target for cybersecurity attacks and are taking the initiative to plan ahead and protect systems and information.  
Other Cybersecurity Initiatives Remain Top of Mind 
Despite lower adoption of zero trust strategies among certain industries and smaller companies, many organizations across industries still noted they would complete other cybersecurity initiatives to mitigate threats. Vulnerability scans were the most popular initiative, noted as a priority by 52% of our survey respondents, followed by penetration tests (48%) and creating business continuity and disaster recovery (BCDR) plans (42%).  
Interestingly, ISO 22301 certifications — a renowned standard for BCDR planning — were a particularly high priority for IT services organizations and manufacturing companies.
A Strategic Approach to Implementing a Zero-Trust Architecture 
Implementing a zero-trust architecture within any organization can feel like a daunting feat without the right preparation. To make this process more manageable, the experts at A-LIGN recommend a step-by-step approach.  
Before you get started, it’s important to troubleshoot possible scenarios that may occur during the implementation process. From there, plan and implement zero trust in ‘zones’ throughout your organization’s infrastructure whenever possible. This strategy will allow you to keep key business operations up and running while mitigating the chance of downtime across too many areas of your business all at once.  
Original Source: https://www.a-lign.com/articles/zero-trust-cybersecurity-strategy-benchmark-report