Coppell, Texas, December 21, 2016
Because protecting our clients’ information is of paramount importance to Onsite Health Diagnostics, we go above and beyond the requirements of HIPAA/HITECH, hiring outside firms each year to test our systems and processes to ensure they are secure. In 2016, we hired two of the best in their respective genres.
Meditology Services, a consulting firm focusing entirely on Healthcare IT Risk Management & Consulting, was hired to test our software applications and overall information security. This year they performed both an Ethical Hacking Assessment and an Information Security Risk Assessment.
AARC-360, a firm of Certified Public Accountants and Advisors registered with the PCAOB, provides the best Assurance, Advisory, Risk and Compliance services around. In 2016, they once again performed our SOC 2 Type II Data Privacy & Security Audit.
We at OHD are appreciative of the efforts of our IT team and compliance committee members, and are proud to provide the findings below.
Ethical Hacking Assessment
The Ethical Hacking Assessment was performed to identify exploitable security vulnerabilities and insufficiently configured security controls to determine the likelihood that an uninformed outsider could obtain unauthorized access to the OHD Scheduler Application, which contains the PHI of its clients.
Conclusion: “The assessment did not identify any vulnerabilities or security weaknesses that could be exploited on the OHD Scheduler Application and external interface. Although this report is primarily focused on security weaknesses, several positive security controls within the OHD environment were similarly identified. OHD was found to be well above the average when compared to other healthcare industry peers.” (They bolded the text, not us.)
Information Security Risk Assessment
The goal of the Information Security Risk Assessment was to conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by OHD in accordance with 164.308(a)(1)(ii)(A) of the HIPAA Security Rule.
Conclusion: “Overall, OHD has a low likelihood of incurring a breach and risks low exposure to regulatory scrutiny due to insufficient security documentation and security controls. OHD ranks above average with industry benchmarks, and stacks up higher compared to other organizations of similar size and complexity.” (They bolded the text, not us.)
SOC 2 Type II Data Privacy & Security Audit
A SOC 2 examination is performed in accordance with AT Section 101, Attest Engagements (AICPA, Professional Standards). A Type II report not only includes the service organization’s system description, but also includes detailed testing of the design and operating effectiveness of the service organization’s controls.
Conclusion: Request a copy of the SOC 2 Summary Report
With Yahoo, Quest Diagnostics, Cisco and Oracle all being hit in the second half of 2016, we take away two things:
- Even the best efforts may not be good enough.
- Given the threats, our clients deserve our best efforts anyway.