Benefits Insights, Winter 2017
-- Anthony Garza, FCE VP Information Technology
HIPAA has been a great start to protecting personal healthcare information. However, as technology evolves, so do cyber threats and how we defend against them. New security frameworks have been developed to better address the complex issues revolving around the protection of personal healthcare information in modern computing environments. FCE is embracing these newer standards within all our Information Technology policies and procedures.
FCE continues to perform SAS-70 audits as we have over the past ten years, and we also continue to perform the SOC-1 audit annually. However, our primary driver for achieving the highest level of data security over the next year will be to obtain HITRUST certification. This initiative is already underway, and we have engaged the services of a certified independent auditing firm to help accomplish this goal. The HITRUST security framework melds together practical system requirements from several commonly accepted security frameworks, such as HIPAA, PCI, NIST, and COBIT, to more specifically protect healthcare organizations.
We have also augmented our IT team with a dedicated Data Security Specialist. Mr. Cedric Lacy recently retired from the U.S. Air Force, where he spent the last ten years with the Cryptologic Systems Division and the NATO Information Assurance Test Centre, conducting data security audits and assessments to the standards required by the Department of Defense and National Security Agency.
We have also contracted the services of an independent security assessment company, Digital Defense, Inc. They conduct periodic vulnerability assessments and then work in close collaboration with our internal network team to identify and close potential threat targets. Additionally, they perform our annual penetration test, in which they actively attempt to hack our systems from an external location.
Additional security-related projects over the next few months include the introduction of multi-factor, token-based authentication; increased use of encryption for internal data; a more robust data loss prevention program; enhanced user training; and an upgraded network intrusion detection system.
FCE is committed to the protection of the sensitive data entrusted to us and continues to dedicate all resources necessary to ensure the complete confidence and trust of our clients.