Vertical: Healthcare
Illumant leverages deep HIPAA Security expertise to help healthcare institutions, providers, payers, and business associates reduce the burden of compliance with the HIPAA Security Rule, the HITECH Act, and Meaningful Use — while improving real security to avoid penalties and breaches.
The healthcare problem
Hospitals, clinics, health plans, and business associates — collectively "covered entities" — have the unique challenge of making electronic protected health information (ePHI) available to patients and clinicians as needed (for care, billing, and insurance purposes) while protecting that data from theft and accidental disclosure. They do this in open and heavily-trafficked environments, with IT teams that are typically under-staffed and budget-constrained, under one of the strictest U.S. regulatory regimes.
Illumant's assessment and compliance services help healthcare organizations navigate these challenges to become compliant — and, at a very practical level, secure. We've helped numerous hospitals, clinics, medical practices, and healthcare-related companies assess their security posture, improve security, and comply with HIPAA, HITECH, and Meaningful Use requirements.
Summary of healthcare requirements
HIPAA Security Rule
Document compliance with required and addressable safeguards. HHS audits are on the rise. Penalties for non-compliance are material — and uncapped per category in the worst tier.
HITECH Act
Establish breach notification protocols. Even after compliance, the breach notification process is costly to deploy and damaging to reputation. Avoiding the breach in the first place is the priority.
Meaningful Use / Promoting Interoperability
Conduct a HIPAA Security Risk Assessment to evaluate threats to the confidentiality, integrity, and availability of ePHI. Adjust the security program accordingly. The Security Risk Analysis remains a core measure.
Breach avoidance
Compliance is the floor, not the ceiling. Vulnerability assessment and penetration testing identify and remediate the real-world weaknesses that lead to actual breaches.
Industry security & compliance challenges
Compliance is burdensome
IT departments are oversubscribed, undermanned, budget-constrained, and frequently uninformed about the specifics of evolving requirements. Illumant absorbs the burden.
Open, trafficked environments
Clinical environments are open by design — patients, families, vendors, contractors moving through. Physical and access controls have to work despite this, not against it.
ePHI everywhere
EHR/EMR, billing, scheduling, imaging (PACS), lab, voicemail, secure messaging — ePHI proliferates. We help you find it, then protect it.
Connected medical devices
Infusion pumps, imaging modalities, patient monitors — increasingly networked, often unpatchable, frequently running end-of-life (EOL) operating systems. Special handling required.
Business associate sprawl
Cloud EHR, billing services, transcription, telehealth, analytics — every BA is a HIPAA risk surface. BAA management and BA technical due diligence matter.
Popular assessment services
PSA (Perimeter Security Assessment & Penetration Testing): External pen testing — internet-facing portals, telehealth, patient-facing apps.
CASA (Critical Asset Security Assessment): Crown-jewel testing of EHR/EMR, billing, scheduling, PACS imaging.
LANSA (LAN Security Assessment): Internal assume-breach testing of clinical and admin networks.
WASA (Web Application Security Assessment): Patient portals, telehealth platforms, mobile clinical apps.
SocEng (Social Engineering): Phishing campaigns tuned to clinical and administrative staff.
PhySA (Physical Security Assessment): Physical security review for facilities housing ePHI.
WSA (Wireless Security Assessment): Wireless review — guest, clinical, and biomed VLAN segmentation.
PPPA (Policies, Procedures and Practices Assessment): Policies & procedures alignment with the HIPAA Security Rule.
Ready to start a conversation?
Talk to a senior consultant — we'll scope an engagement that fits your environment.