" HITRUST Archives - LuxSci


The HIPAA Safe Harbor Bill has Passed the Senate

Tuesday, December 22nd, 2020

The HIPAA Safe Harbor bill has passed the Senate without amendment and with unanimous consent. Known formally as H.R. 7898, the HIPAA Safe Harbor Bill amends the HITECH Act to direct the Department of Health and Human Services (HHS) to recognize organizations that follow security best practices, such as those that have HITRUST CSF Certifications.


It’s hoped that allowing HHS to take these cybersecurity practices into account when determining its rulings will encourage companies to adopt suitable security measures and certifications, while also reducing unfair punishments for those that had appropriate mitigation tactics in place.

What Is the HIPAA Safe Harbor Bill?

The HIPAA Safe Harbor bill grants HHS new considerations when auditing covered entities and business associates in situations that may result in fines. The changes incentivize organizations to adopt security best practices, because they will not face heightened scrutiny from regulators or need to be burdened by additional proof of compliance measures.

More specifically, the legislation amends the HITECH Act to require HHS to take on new considerations when determining enforcement actions or other regulatory compliance activities. The HIPAA Safe Harbor bill’s changes mean that HHS will have to consider whether business associates or covered entities have met recognized security standards in these situations.

Under the new bill, HHS will have to take an organization’s cybersecurity into account when calculating fines that result from data breaches and other security incidents. If the organization is found to have followed ‘recognized security practices’ for more than the past 12 months, then fines may be mitigated.

The bill also allows HHS to reduce the extent and length of its audits once it has determined that a provider meets cybersecurity best practice requirements. A history of following these requirements may also mitigate the remedies needed after violations of the HIPAA Security Rule.

The HIPAA Safe Harbor bill’s changes mean that organizations with HITRUST CSF Certifications can meet their compliance obligations under HIPAA’s Security Rule. The HIPAA Safe Harbor bill’s recognition of companies with HITRUST CSF Certifications should also serve to encourage other entities to proactively demonstrate their compliance.

The bill also recognizes the security standards, guidelines and practices developed by NIST and other similar authorities. The HIPAA Safe Harbor legislation’s incentives for covered entities and business associates aim to improve overall protections for health data.

The HIPAA Safe Harbor Bill: LuxSci Is HITRUST CSF Certified

The core of LuxSci’s business relies on high levels of security and compliance, so we are proud to be HITRUST CSF Certified. Our systems and services have been independently verified to conform to the HITRUST CSF Assurance Program. This includes security controls for the Massachusetts Privacy Law, the GDPR and HIPAA.

The certification covers all of our services at the time of the assessment, from our secure web forms to our email and web hosting. It covers our systems at the time as well, such as firewalls, load balancers, email servers, backup servers and more.

The comprehensive nature of the HITRUST CSF Certification program, along with LuxSci’s constant commitment to the best in security and compliance, ensures that our clients are always in trusted hands.

LuxSci Achieves HITRUST CSF Certification

Thursday, October 22nd, 2020

LuxSci announces today that it has achieved the HITRUST CSF Certification, the gold standard and most widely adopted security framework in the healthcare industry.


What is HITRUST CSF Certification and why should it matter?

Today, we are very proud to announce that LuxSci has achieved the HITRUST CSF Certification, the gold standard and most widely adopted security framework in the healthcare industry. The full fleet of LuxSci services, including Secure High Volume Email Sending, Secure Marketing, Secure Email Hosting, Secure Connector for Microsoft 365 and Google Workspace, Secure Forms, Secure Texting, and Secure Web Hosting, was audited by our third-party assessor, Security Compliance Associates, and has earned Certified status for HIPAA and GDPR under HITRUST.


Secure & Compliant Remote Work: Coronavirus & Working from Home

Thursday, April 16th, 2020


Less than a month ago, a secure and compliant remote work policy may have been far from the minds of many in company leadership. Now that the coronavirus pandemic is steaming ahead, our personal and work lives have been flipped upside down and we are all struggling to make the necessary adjustments.

Many businesses have closed their offices and have employees working from home, which is a great compromise for keeping operations ongoing and allowing people to retain their incomes.

However, the sudden move to working from home is a big jump for many companies and their employees, particularly if an existing remote work policy isn’t in place. Organizations need to tread carefully, because, with certain exceptions such as telehealth, coronavirus doesn’t change their security and compliance obligations.

This is especially critical for organizations that process electronic protected health information (ePHI) and for employees that deal with valuable or sensitive data. If the appropriate precautions aren’t taken, companies could breach regulations like HIPAA or PCI DSS, and face the significant penalties that come with violations.

They may also have their sensitive data stolen by cybercriminals or leaked through negligence, which could lead to all kinds of problems, ranging from the theft of intellectual property to blackmail.

How Can Organizations Establish a Secure & Compliant Remote Work Policy?

Even in these difficult times, a secure and compliant remote work policy needs to be designed carefully. This will ensure that it meets the requirements of the company and its employees, as well as any legal obligations and the needs of customers and clients.

To address each of these needs, all of these stakeholders should be involved in the process. It’s critical to get legal advice, as well as engage security experts, to make sure that the policy and technical measures are adequate for your company’s unique circumstances.

A secure and compliant remote work policy should include:


  • Who is covered, when, and in which situations.
  • What the organization’s responsibilities and obligations are.
  • What the employee’s responsibilities and obligations are.
  • What hardware and software must be used, and in what configurations.
  • What security and privacy measures should be in place.
  • How reliability and availability will be ensured.


Companies may still have certain legal obligations for their remote workers, so a secure and compliant remote work policy needs to take these into account. For example, the company may still need to take measures to ensure that laws such as the Fair Labor Standards Act are followed, and that employees are working in a safe environment. 

Once your company has developed its remote work policy, it should have each of its employees sign it, so that they are aware of the expectations and committed to following them.

What Security Measures Do Companies Need as Part of Their Remote Work Policies?

The particular measures will vary from situation to situation, depending on a company’s setup, the regulations it is subject to, the data assets it has, as well as how it transmits and stores valuable or sensitive information.

Some measures for remote work, found in the HITRUST and other security guidelines, include:


  • All data should be encrypted when it is transmitted over public networks, and the security protocols used should be configured with FIPS-approved ciphers.
  • Wireless access points should use WPA2 with AES encryption as a minimum security standard.
  • Emails and other digital messages should be protected end-to-end, and sensitive information should never be sent without encryption.
  • Faxes should only be used for protected information if more secure alternatives are not possible.
  • Employees should use VPNs to connect to corporate systems, and all traffic should flow through the VPN. Any access should be remotely logged and monitored. Unauthorized connections should be monitored and reviewed quarterly at a minimum, and appropriate actions should be taken after the review process.
  • Effective authorization systems need to be in place for privileged connections and for access to sensitive business information. Remote administration sessions should have heightened security measures in place.
  • The authentication process for remote devices should include additional measures on top of passwords, such as the verification of IP or MAC addresses.
  • Employee use of portable storage devices should be strictly controlled and the information should be encrypted. 
  • Any data transfers outside of controlled areas require approval and the details need to be recorded. Cryptographic measures need to be in place to protect the integrity and confidentiality of data when it is transferred.
  • Sensitive or valuable data should not be available to unauthorized individuals or left unattended. This includes leaving the information out on desks, on printers, or viewable by others on computer monitors.
  • External services (such as new SaaS vendors) should not be used to store or transmit information without prior approval.
  • Controls and training should be in place if personal devices are allowed to be used in the workplace.
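The logging-and-review item in the list above (every remote access logged, unauthorized connections reviewed at least quarterly) is easier to act on with a small script than by eye. The following is an added example, not LuxSci's code or part of the original post: it parses constructed VPN access log lines and flags accepted sessions that fall outside the stated policy, so the output is a ready-made worksheet for the periodic review. The log line format, the staff roster, the approved address ranges and the sample lines are all assumptions chosen for the example.

```python
"""Flag VPN sessions that fall outside a remote-work access policy.

Added example, not LuxSci's code. The log format, roster and network
ranges below are assumptions made for illustration.
"""
import ipaddress
import re
from collections import Counter

# Assumed log format (one session event per line):
#   <ISO timestamp> vpn user=<name> src=<ip> mfa=<yes|no> result=<accepted|rejected>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) vpn user=(?P<user>\S+) src=(?P<src>\S+) "
    r"mfa=(?P<mfa>yes|no) result=(?P<result>accepted|rejected)$"
)

# Constructed roster of staff approved for remote access (assumption).
AUTHORIZED_USERS = {"alice", "bob", "carol"}

# Constructed address ranges staff are expected to connect from (assumption),
# e.g. a corporate egress range and home-office addresses registered with IT.
APPROVED_NETWORKS = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Constructed sample log lines using RFC 5737 documentation addresses.
SAMPLE_LOG = """\
2020-04-01T08:02:11Z vpn user=alice src=203.0.113.17 mfa=yes result=accepted
2020-04-01T08:05:43Z vpn user=bob src=198.51.100.9 mfa=yes result=accepted
2020-04-01T09:14:02Z vpn user=mallory src=192.0.2.77 mfa=no result=rejected
2020-04-01T09:14:40Z vpn user=mallory src=192.0.2.77 mfa=no result=accepted
2020-04-01T10:30:00Z vpn user=carol src=192.0.2.45 mfa=yes result=accepted
2020-04-01T11:00:00Z vpn user=dave src=203.0.113.22 mfa=no result=accepted
garbage line that does not match the expected format
"""


def parse_line(line):
    """Return a dict for a well-formed line, or None if it cannot be parsed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["src"] = ipaddress.ip_address(rec["src"])
    rec["mfa"] = rec["mfa"] == "yes"
    return rec


def review_connections(log_text):
    """Check every accepted session against the policy.

    Returns a dict with:
      findings  - list of (timestamp, user, reason) for accepted sessions
                  that violate the policy (one entry per reason)
      rejected  - count of rejected attempts per user, kept for context
      unparsed  - number of lines that did not match the expected format
    """
    findings = []
    rejected = Counter()
    unparsed = 0
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if rec is None:
            unparsed += 1          # malformed lines must be counted, not silently dropped
            continue
        if rec["result"] == "rejected":
            rejected[rec["user"]] += 1
            continue
        reasons = []
        if rec["user"] not in AUTHORIZED_USERS:
            reasons.append("user not on remote-access roster")
        if not any(rec["src"] in net for net in APPROVED_NETWORKS):
            reasons.append("source address outside approved ranges")
        if not rec["mfa"]:
            reasons.append("session accepted without a second factor")
        for reason in reasons:
            findings.append((rec["ts"], rec["user"], reason))
    return {"findings": findings, "rejected": dict(rejected), "unparsed": unparsed}


if __name__ == "__main__":
    report = review_connections(SAMPLE_LOG)
    for ts, user, reason in report["findings"]:
        print(f"{ts}  {user:<8} {reason}")
    print(f"rejected attempts: {report['rejected']}  unparsed lines: {report['unparsed']}")
```

Two of the checks deserve a note. The source-address check mirrors the checklist's suggestion of verifying IP addresses, but it is only a cue for the reviewer: home addresses change and can be spoofed at the application layer, so a session from an unexpected range is something to ask about, not proof of compromise, and a session from an expected range is not proof of legitimacy. The missing-second-factor check is the more decisive one, since an accepted session without MFA indicates a gap in the authentication policy itself rather than in a single user's behaviour.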

Solutions for Secure & Compliant Remote Work

In the wake of the rapid spread of coronavirus and the significant changes it has brought, many companies are scrambling to provide secure and compliant remote work solutions to their employees.

This poses a significant challenge, because when new systems are implemented abruptly, it can easily lead to mistakes. If these errors involve data leaks or compliance violations, they can have huge long term consequences for businesses.

To minimize these risks, the best option is to use well-established and specialized solutions like LuxSci’s many offerings. All of our products are designed from the ground up to be secure and comply with various sets of regulations, as well as to optimize our users’ workflows, convenience and efficiency.

These services include our secure and HIPAA-compliant email service, as well as tools like SecureText and Secure Video. The rise of coronavirus may have been an unexpected interruption, but adopting LuxSci’s safe and carefully designed tools can help to prevent further threats from harming your business in these difficult times.

LuxSci Pursuing HITRUST Certification

Thursday, January 30th, 2020

Update: As of June 7th, 2020, LuxSci’s services are HITRUST CSF certified for HIPAA, GDPR, and Massachusetts Privacy Law. See: Announcement of HITRUST CSF Certification.

LuxSci is working toward its HITRUST certification as part of our constant efforts to meet the highest levels of security and compliance. The threat landscape and regulatory environment are ever-evolving, and LuxSci is on track to be HITRUST CSF Level 3 certified (for HIPAA and GDPR, among other things) by the third quarter of 2020.

While LuxSci already follows the best practices in a variety of areas, the HITRUST certification is an industry-standard, ongoing, evolving, independent third-party review that shows just how committed we are to providing secure and compliant solutions and which enables anyone to really trust that LuxSci is doing all the right things.

HITRUST is an association that was formerly known as the Health Information Trust Alliance. A group of organizations came together in 2007 to develop the HITRUST Common Security Framework (CSF). The HITRUST CSF includes elements of a variety of different standards such as:

  • HIPAA
  • ISO/IEC 27000-series
  • NIST 800-53
  • PCI-DSS

How Does the HITRUST Certification Help?

By establishing a framework that encompasses many other important sets of regulations, the HITRUST certification makes it easier to provably meet all of the different requirements in a streamlined manner.

The framework is especially critical for organizations in the healthcare field and those that process electronic protected health information (ePHI), but it is also useful for security and compliance in other situations, such as GDPR.

The HITRUST certification is beneficial for any organization that deals with sensitive, valuable or highly regulated data, whether it creates it, transfers it, or processes it in any other way. This is because the HITRUST CSF certification not only makes it easier to manage risk and compliance, but it also demonstrates to other parties that these critical areas are being properly taken care of.

All of LuxSci’s central services fall within the HITRUST umbrella and will be HITRUST certified. These services include:

  • Secure email hosting
  • Secure email marketing
  • Secure high volume email sending
  • Secure web site hosting
  • Secure form processing

Once LuxSci finishes the HITRUST certification process, its clients can be even more confident that they have chosen a provider that places security first and that LuxSci is committed to staying on top of all of the HIPAA security requirements.

HITRUST is not a “one and done” process; it requires yearly refinements, yearly third-party reviews, and yearly recertification.

A HITRUST certification proves both that you have all of the needed policies and procedures for compliance (hundreds of them) and that you have properly implemented and are following these policies and procedures. HITRUST requires organizations to actively prove they are doing the right thing. It’s not simple. It takes a lot of work, attention and buy-in from all levels of an organization. This is what makes HITRUST so valuable.

LuxSci’s Existing Certifications

LuxSci is 100 percent HIPAA-compliant and undergoes yearly internal and external HIPAA audits, penetration tests, and other internal and external reviews to ensure it continues to go above and beyond the regulations.

On top of this, LuxSci maintains a TRUSTe Privacy Certification. This is a yearly third-party review of LuxSci’s privacy policies and procedures (kind of like a mini-HITRUST for privacy) to ensure that our privacy policies meet industry best practices. This certification enables LuxSci to keep our US-EU Privacy Shield status.

These certifications ensure that your business can be confident in LuxSci’s services. They let you know that one of the most trusted service providers in the industry is guiding your organization through the security and compliance minefield.

The HITRUST certification is simply another step in our constant effort to ensure that we provide the highest degree of security and compliance in all of LuxSci’s services.
