A hospital group was looking for outside assistance after suffering a very public HIPAA data breach, and subsequently realizing they were not meeting the compliance regulations for PCI DSS 3.1.
Our Threat Mitigation Team met with their internal IT staff and determined that while a recent HIPAA audit had provided them with steps for remediation, there was a lack of time for the internal team to oversee the remediation project, and C-level concern that the timeline to fix the issues would not be met. Further, it was unclear if the Cardholder Data Environment for PCI compliance had been accurately confirmed after many network changes.
The client had several key objectives for this project:
- Confirm current scope of the PCI Cardholder Data Environment
- Create a Prioritized Approach plan for remediation
- Provide ongoing support for project management and remediation assistance
A PCI DSS Gap Assessment confirmed the current Cardholder Data Environment and the specific areas where compliance was not being met. This allowed for creation of a prioritized list of items that require remediation which could then be assigned to the hospital’s various internal teams based on the expertise or systems involved.
Through an ongoing Security and Compliance Advisory service with Foresite, the client’s staff is able to outsource oversight of the projects and have access to resources with specific expertise that they don’t have a full-time need for, but are required for aspects of the remediation, such as Payment Card Industry Qualified Security Assessors (PCI QSA), firewall security specialists, and Healthcare Information Security and Privacy Practitioner (HCISPP).
The flexible nature of the Advisory agreement means that resources can be both scheduled for specific projects and also utilized as needed for:
- HIPAA/PCI Consulting & Remediation
- Penetration testing and vulnerability scans
- Assistance with completing compliance documentation
- 3rd party vendor or solution evaluations
- Outsourced Security Operations team Incident Response
