20+ YEARS OF INDUSTRY EXPERIENCE ENSURING COMPLIANCE WITH SECURITY WHILE PROTECTING SENSITIVE DATA

Our team of certified experts has the tools and capabilities to protect your systems across many different industries.

FINANCIAL

The financial sector has been one of the hardest hit industries when it comes to cyber attacks and data breaches. Financial companies should therefore not just strive to be compliant, but focus on raising their level of security to reasonable and appropriate levels. The overall burden of becoming compliant can be very time consuming and expensive if financial companies try to go at it alone.

The key to addressing the many regulations set forth by the different regulatory bodies is to bring in a team of cyber experts that has the knowledge and expertise from both a technical and a non-technical perspective. Implementing an information security program that addresses administrative, physical and technical safeguards will reduce your risk and protect your organization from regulatory fines and from legal, financial and reputational losses.

The Gramm-Leach-Bliley Act (GLBA), which is enforced by the Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau (CFPB), outlines the reasonable and appropriate measures that financial firms must take. The Office of Compliance Inspections and Examinations (OCIE) of the Securities and Exchange Commission (SEC) conducts examinations of registered entities to promote compliance, prevent fraud, identify risk and inform policy. In 2014, OCIE began publishing risk alerts pertaining to a series of cyber examinations that identify cybersecurity risks and assess cybersecurity preparedness in the financial industry. In order to understand a financial firm’s cybersecurity preparedness, the examinations focus on the following areas:

Governance and Risk Assessment – Examiners will assess whether firms are periodically evaluating the cybersecurity risks they may be facing and what controls have been put in place to address these risks.

Access Rights and Controls – Examiners may review how firms control access to their systems. This includes a review of controls associated with remote access, logins and passwords, network segmentation, and the types of authentication and authorization methods being utilized.

Data Loss Prevention – Examiners may assess how firms monitor the volume of content transferred by employees or third parties outside of their firm. They may also assess how firms monitor for unauthorized data transfers.

Training – Examiners may review the type of training provided to employees as it pertains to their job functions. Examiners may also focus on how training is designed to encourage responsible employee behavior and on what procedures are in place for reporting suspicious activity or responding to cyber incidents.

Incident Response – Examiners may assess whether firms have established policies and procedures, assigned roles, assessed system vulnerabilities and developed plans to address future events.

https://www.sec.gov/ocie/announcement/ocie-2015-cybersecurity-examination-initiative.pdf

HEALTHCARE

In 2016, the healthcare industry suffered an estimated $6.2 billion in data breaches. The healthcare sector is being targeted by cybercriminals because of the treasure trove of sensitive data available, its high resale value on the underground black market, and the fact that most healthcare organizations’ security practices are less sophisticated than those of other industries. Healthcare identity information is at least ten times more valuable than financial data alone and can be used to set up fraudulent lines of credit, commit medical insurance fraud, or obtain pricey medical care for another person. Also, new technology has increased the difficulty of attacks in the financial sector, which has motivated cyber attackers to begin targeting healthcare companies, ranging from local doctor’s offices to major health insurers.

Hacking, including phishing, ransomware/malware and skimming, was the leading cause of data breaches in the first half of 2017, with ransomware accounting for 72% of healthcare malware attacks. A recent U.S. Government report indicates that more than 4,000 ransomware attacks have occurred every day since the beginning of 2016, a 300% increase from the year prior, surging from the 22nd most common type of malware to the 5th most common in just two years. The likelihood of a successful crypto-ransomware attack against the healthcare sector is significantly higher than in other sectors, due to the lack of a mature information security program and the less than desirable security measures that are in place. This surge of ransomware attacks has prompted the FBI to issue a news alert to the media, hospitals and healthcare providers. There are certain measures known to be effective in preventing the introduction of ransomware and in recovering from a ransomware attack.

In order to help healthcare entities better understand and respond to the threat of ransomware, OCR released new HIPAA guidance on preventing, detecting, containing and responding to these threats. Since ransomware can compromise the integrity and availability of electronic protected health information, the guidance makes clear that a ransomware attack usually results in a “breach” of healthcare information under the HIPAA Breach Notification Rule. Under the rule, entities experiencing a breach of unsecured PHI must notify the individuals whose information is involved in the breach.

The HIPAA Security Rule requires implementation of security measures that can help prevent the introduction of malware, including ransomware. Some of these required security measures include:
• implementing a security management process, which includes conducting a risk analysis to identify threats and vulnerabilities to electronic protected health information (ePHI) and implementing security measures to mitigate or remediate those identified risks;
• implementing procedures to guard against and detect malicious software;
• training users on malicious software protection so they can assist in detecting malicious software and know how to report such detections; and
• implementing access controls to limit access to ePHI to only those persons or software programs requiring access.

OCR HIPAA Audit Program Ramps Up in 2016
The President’s fiscal year 2016 budget request included $83.8 billion for the Department of Health & Human Services (HHS), of which $43 million was slated for the Office for Civil Rights (OCR) HIPAA audit program. The OCR will focus on administering and enforcing the HIPAA Privacy, Security, and Breach Notification Rules. The OCR will also focus on corrective action plans while imposing civil monetary fines for violations of the HIPAA Rules.

On March 21, 2016, OCR announced its Phase 2 Audit Program. Phase 1 focused mainly on larger organizations; this will no longer be the case for Phase 2. OCR is well aware that smaller organizations are not HIPAA compliant, so Phase 2 will cover a larger, more diverse pool of healthcare organizations.

Organizations will be contacted via email to fill out a pre-audit questionnaire, and once that information is collected, OCR will select organizations for the actual audit program. If you are selected for an audit, it will most likely be a desk audit, and you will be required to upload the specified documents within 10 business days.

For Covered Entities
Covered entities should perform a self-evaluation to determine whether they have the right policies and procedures in place, whether they have performed a comprehensive risk assessment as required by the HIPAA Security Rule, whether they have provided security awareness training for their employees, whether they have an incident response plan in place that incorporates both administrative and technical safeguards, and whether they have business associate agreements in place with their business associates.

Security Rule Requirements for Risk Analysis and Risk Management
The Security Management Process standard of the Security Rule requires covered entities to “implement policies and procedures to prevent, detect, contain, and correct security violations.” The Security Management Process standard has four required implementation specifications, two of which are Risk Analysis and Risk Management. Risk analysis and risk management are important to covered entities because these processes “form the foundation upon which an entity’s necessary security activities are built.”

Risk Analysis
One of the most important steps, and a required one, that a covered entity must take is a risk analysis. A covered entity is required to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of the electronic protected health information it holds. The Department of Health and Human Services (HHS) states that a risk analysis should be an ongoing process at an organization and should be part of its security management processes. The risk analysis affects the implementation of all of the safeguards (Administrative, Physical, and Technical) contained in the Security Rule. As part of this process, a covered entity must:
• Evaluate the likelihood and impact of potential risks to ePHI;
• Implement appropriate security measures to address the risks identified in the risk analysis;
• Document the chosen security measures and, where required, the rationale for adopting those measures; and
• Maintain continuous, reasonable, and appropriate security protections.

Risk analysis should be an ongoing process in which a covered entity regularly reviews its records to track access to ePHI and detect security incidents, periodically evaluates the effectiveness of the security measures put in place, and regularly reevaluates potential risks to ePHI.

Risk Management
The second most important step, and a required implementation specification under the HIPAA Security Rule, is developing a risk management plan. Under the risk management plan, covered entities are required to “implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level in order to comply with the general requirements of the Security Rule.” Since the number of new vulnerabilities and threats continues to grow every day, it is important for covered entities to adjust their cyber defenses to address the increasing risks. The purpose of a risk management plan is to provide structure for the covered entity’s evaluation, prioritization, and implementation of risk-reducing security measures. For the risk management plan to be successful, key members of the covered entity’s workforce, including senior management and other key decision makers, must be involved. The results of the risk analysis process give these key workforce members the information needed to make risk prioritization and mitigation decisions.

Risk management is an ongoing process that requires covered entities to continually evaluate and maintain their security measures. Compliance with the Security Rule requires financial resources, management commitment, and workforce involvement. The risk management plan will guide the covered entity’s actual implementation of security measures to reduce risks to ePHI to reasonable and appropriate levels.

Cybersafe Solutions’ Threat Hunting, Threat Monitoring, Threat Training and Threat Policies not only meet the requirements set forth by the Department of Health and Human Services, but will prepare your organization to successfully pass the upcoming HIPAA audits. Contact us to take the next step towards achieving compliance while also securing your organization’s most sensitive data and systems.

INSURANCE • RETAIL • MEDIA • ENTERTAINMENT & MORE…

Industry expertise and information coming soon.

WHY CYBERSAFE?

Cybersafe’s team of cyber experts has developed and implemented hundreds of Written Information Security Programs (WISPs) in both the public and private sectors. One of the key components of an Information Security Program is establishing an Information Security Policy that reflects the organization’s objectives as they pertain to security.

Prior to establishing an Information Security Policy, it is critical that we find out how management views security. While many security policies share common themes, we understand that each organization is unique and must develop its own set of policies customized to its distinct way of conducting business. It is important that an organization’s security policies always reflect actual practice that everyone agrees to and complies with. Our team takes a holistic approach to implementing an Information Security Program that includes policies and procedures to protect the confidentiality, integrity and availability of an organization’s sensitive data. Failure to protect any of these three aspects could result in legal liability, regulatory fines, and loss of business and customer trust.

CYBERSAFE SOLUTIONS CUSTOMIZED TO YOUR NEEDS

Cybersafe employs customized solutions that give clients a cost-effective security plan that is right for their organization. Protect your critical business information and place full-time cybersecurity management responsibility on the shoulders of Cybersafe, taking the day-to-day cybersecurity burden off your IT staff by having us monitor your network 24/7/365.

Don’t Wait Until A Threat Becomes an Attack

To learn how Cybersafe Solutions can help keep your organization secure, contact us.

I thought our environment was secure because we had firewalls and antivirus. It wasn’t until after we started using Cybersafe’s Threat Monitoring platform that we realized we were making assumptions. We can now sleep at night knowing our environment is being watched, with the added benefit that we’re also compliant with SEC regulations and guidelines.

Joe M., Financial Advisory Firm

We were looking to hire an outside firm to perform a HIPAA Risk Assessment for our healthcare organization. Their Threat Hunting Service provided not only a comprehensive risk assessment of our environment, but they also detected and disrupted a cyber attack during the assessment. That one attack was convincing enough to sign up for their continuous monitoring service. Go with a trusted security advisor like Cybersafe. You will be happy that you did.

Len N., Healthcare Organization

Your Threat Hunting Service well exceeded our expectations. We were amazed by the number of findings and security deficiencies discovered during the engagement. Their prioritized cybersecurity roadmap allowed our IT team to quickly address our issues in a timely fashion while significantly reducing our exposure.

Tom F., Financial Advisory Firm