HIPAA and HITECH indicate that covered entities are required to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or vulnerabilities to the security of EPHI. Based upon this requirement, Aspiryon assists organizations with the development and implementation of sound security programs that create a foundation for the protection of PHI, PII and other sensitive data types.
Aspiryon has developed and implemented several information security programs for private sector and government agencies based upon FISMA, HIPAA, FFIEC and other requirements. Our experience with the development and implementation of these programs helps ensure that your organization meets requirements, protects your patients, your customers and your organization, and reduces liability.
What is security program development?
Security program development entails some of the following tasks:
- Initial Assessment
  - An initial assessment is conducted to gauge where the organization is with the implementation and maturity of its existing security program
- Planning
  - When a security program already exists, an assessment report is used to determine what needs to be addressed, and priorities are assigned
  - If a program does not exist, planning is conducted based upon business factors and need
- Policy
  - Create or modify policy based upon requirements
  - Obtain feedback and approval
  - Policy issuance, adoption and education
- System Identification
  - Identify systems, boundaries and data types
- Categorization
  - Categorize systems based upon business need and other factors
- Control Documentation and Implementation
  - Document system security controls and implement controls to protect systems according to requirements
- Supporting Program Development
  - Assist other groups with developing processes, procedures and systems to meet requirements
These are just a few steps involved with developing a security program.