  AlienVault Monthly Product Roundup October / November 2018
At AWS re:Invent recently, I spoke to several booth visitors who asked, “What’s new with AlienVault?” It was exciting to talk through some of the improvements we’ve made over the last year and see their eyes widen as the list went on. As our customers know, we regularly introduce new features to USM Anywhere and USM Central to help teams detect and respond to the latest threats. You can keep up with our regular product releases by reading the release notes in the AlienVault Product Forum. Let’s take a look at the highlights from our October and November releases:

Mac OS Support for the AlienVault Agent

In July, we announced the addition of endpoint detection and response (EDR) capabilities to USM Anywhere, enabled by the AlienVault Agent. The AlienVault Agent is an osquery-based endpoint agent that provides system-level security, including file integrity monitoring and host intrusion detection (HIDS). Over the last few months, we’ve listened carefully to customer input to guide our continued improvement of the AlienVault Agent, leading us to improve filtering rules for better control over data consumption and make a number of additional enhancements. In November, we addressed a top customer request with the addition of Mac OS support for the AlienVault Agent. Now, USM Anywhere customers can use the AlienVault Agent for continuous threat detection and file integrity monitoring (FIM) on their Linux, Windows, and Mac hosts.

AlienVault Agent Queries as Response Actions

USM Anywhere accelerates incident response with the ability to orchestrate response actions directly from an alarm. With just a few clicks, you can take an immediate, one-time action or create a rule to make sure that action happens automatically going forward. (Check out examples of automated incident response in action in this blog post.) To enhance your ability to respond swiftly and efficiently to potential threats, we’ve added a new response action to trigger AlienVault Agent queries. Like our other response actions, you can find this option directly from the detail view of an alarm or as part of an orchestration rule.

Launch AlienVault Agent Queries from Agents Page

In addition to the response action listed above, you can now trigger AlienVault Agent queries from the Agents page by clicking the “Run Agent Query” button. You can run queries against a single asset or all assets that have the AlienVault Agent installed.

Asset Group Enhancements for the AlienVault Agent

Asset Groups help USM Anywhere users group similar assets for specific purposes. For example, you might want to assign assets to the PCI DSS asset group to keep track of the assets in scope of your CDE. We’ve added a new “Assets with Agents” dynamic asset group containing all assets that have the AlienVault Agent deployed. We’ve also expanded asset group functionality by adding the ability to assign AlienVault Agent profiles to asset groups. You can do this by selecting the “Assign Agent Profile” option from the Actions menu for a specific asset group.

Improved Ability to View Suppressed Alarms

We’ve improved the filtering options available on the Alarms page to support the display of only suppressed alarms. This change has no effect on the default Alarms view, which does not include suppressed alarms.

Certificate Upload for TLS-Encrypted Syslog

In addition to the digital certificate provided through USM Anywhere, customers can now upload their own server certificate and CA certificate to enable the SSL connection for TLS-encrypted syslog transport. Certificates can be uploaded from a new Settings tab in the Syslog App configuration page located at Data

On 2018-12-17


  Things I Hearted this Year 2018
It’s hard to believe the whole year has gone past and I’ve been hearting things nearly every week since it began. I’d like to sum up 2018, so I started to look through all the posts from every week and I realised it was a mammoth task. There have been 40 “Things I hearted” blog posts this year, each with an average of 10 stories. And that doesn’t include the dozens of other stories that didn’t make the cut every week. Suffice to say, it’s been a very busy year as far as information security is concerned. Which could mean that business is very good. Or it could just mean that business is as usual, we’re just getting better at covering the stories.

In YouTube fashion, I decided to do a video rewind of some of the notable stories of the year (minus Will Smith and the big budget).

Conspiracy videos aside, let’s have a recap of an assortment of stories that were hearted over the course of the year.

January 12th Edition

Toy Firm VTech Fined Over Data Breach

VTech, the ‘smart’ toy manufacturer has been fined $650,000 by the FTC after exposing the data of millions of parents and children. Troy Hunt brought up the issue back in November 2015 and it made for a chilling read. Not only was the website not secure, but the data was not encrypted in transit or at rest. Hopefully, this kind of crackdown on weak ‘smart’ devices will continue until we see some changes. Not that I enjoy seeing companies being fined, but it doesn’t seem like many manufacturers are paying much attention to security.

FTC fines VTech toy firm over data breach | SC Magazine
FTC Fines IoT Toy Vendor VTech for Privacy Breach | eWeek
After breach exposing millions of parents and kids, toymaker VTech handed a $650K fine by FTC | Techcrunch

March 9th Edition

SAML, SSO Many Vulnerabilities

SAML-based single sign on systems have some vulnerabilities that allow attackers with authenticated access to trick SAML systems into authenticating as different users without knowledge of the victims’ password. Sounds like a lot of fun.

Duo Finds SAML Vulnerabilities Affecting Multiple Implementations | DUO

March 30th Edition

Investigating Lateral Movement Paths with ATA

Even when you do your best to protect your sensitive users, and your admins have complex passwords that they change frequently, their machines are hardened, and their data is stored securely, attackers can still use lateral movement paths to access sensitive accounts. In lateral movement attacks, the attacker takes advantage of instances when sensitive users log into a machine where a non-sensitive user has local rights. Attackers can then move laterally, accessing the less sensitive user and then moving across the computer to gain credentials for the sensitive user.

Investigating lateral movement paths with ATA | Microsoft

May 18th Edition

Hacking the Hackers

A hacker has breached Securus, the company that helps cops track phones across the US. You'd think that if you were a company that collected all sorts of phone data, and location tracking, and work with law enforcement, you'd be a bit more careful in how you store the data.

Last week, the New York Times reported that Securus obtains phone location data from major telcos, such as AT&T, Sprint, T-Mobile, and Verizon, and then makes this available to its customers. The system by which Securus obtains the data is typically used by marketers, but Securus provides a product for law enforcement to track phones in the US nationwide with little legal oversight, the report adds. In one case, a former sheriff of Mississippi County, Mo., used the Securus service to track other law enforcement officials’ phones, according to court records.

Hacker breaches Securus, the company that helps cops track phones across the US | Motherboard
Service meant to monitor inmates' calls could track you, too. | NYTimes

June 1st Edition

Your Data

Looking at your data this week, Brian Krebs flips the lid on why your location data is no longer private.

"The past month has seen one blockbuster revelation after another about how our mobile phone and broadband providers have been leaking highly sensitive customer information, including real-time location data and customer account details. In the wake of these consumer privacy debacles, many are left wondering who’s responsible for policing these industries? How exactly did we get to this point? What prospects are there for changes to address this national privacy crisis at the legislative and regulatory levels?"

Why Is Your Location Data No Longer Private? | Krebs On Security

But wait, there's a plot twist. Tired of all these companies profiting off your data? Well, maybe you can try what this guy did and make some money yourself by directly selling your data.

This Guy Is Selling All His Facebook Data on eBay | Motherboard

July 6th Edition

10 Things To Know Before Getting Into Cybersecurity

You may know Kevin Beaumont as @GossiTheDog on Twitter. He won the 2018 EU blogger awards for best tweeter. But apparently, he's a man of more talents than just twits, he also blogs, and has put together a good list of 10 things you should know if you're considering getting into cybersecurity.

10 things to know before getting into cyber security | Double Pulsar

Related, if you're looking to break into security, then you'll want to know which locations offer the best salaries (US-based).

Cybersecurity spotlight 2018: Where are the highest paying jobs? | Indeed Blog

August 31st Edition

Probably The Best Tech Keynote in the World

I’ll be honest, up until a couple of weeks ago, I hadn’t heard of James Mickens who is a professor at Harvard University. I watched his keynote presentation at Usenix, and haven’t been this entertained and captivated by a technology talk in … well, never. It’s well worth carving out 50 minutes out of your day to watch his keynote entitled, Q: Why Do Keynote Speakers Keep Suggesting That Improving Security Is Possible? A: Because Keynote Speakers Make Bad Life Decisions and Are Poor Role Models

October 5th Edition

Bupa Fined £175k

International health insurance business Bupa has been fined £175,000 after a staffer tried to sell more than half a million customers' personal information on the dark web. The miscreant was able to access Bupa's CRM system SWAN, which holds records on 1.5 million people, generate and send bulk data reports on 547,000 Bupa Global customers to his personal email account. The information – which included names, dates of birth, email addresses, nationalities and administrative info on the policy, but not medical details – was then found for sale on AlphaBay Market before it was shut down last year.

Health insurer Bupa fined £175k after staffer tried to sell customer data on dark web souk | The Register

November 30th Edition

The $1M SIM Swap

A 21-year-old has been accused of SIM-swapping the mobile number of a Silicon Valley executive in order to steal roughly $1 million in cryptocurrency.

SIM-swapping 21-year-old scores $1 million by hijacking a phone | ZDNet

On 2018-12-14


  The REAL 2019 Cyber Security Predictions
It’s December, which means it’s time to get those 2019 cyber predictions going. While there are many well-informed, and some not-so-well informed opinions out there, I’ve dug through the cyber underground, I’ve climbed data mountains, and delved to the depths of the dark web to seek out what is really happening. Having spilt coffee, redbull, and tears, I am proud to present the soft underbelly of the cyber security industry, and what the future will hold. You’re welcome.

Jayson Street will be exposed as a secret agent charged with obtaining DNA samples of as many hackers as possible. Close inspection will reveal Jayson stealing a strand of hair every time he offers an “awkward hug”. Having been outed, he will go on to start a podcast called, “The word on the Street”.

HaveIBeenPwned will be purchased by FireEye. Troy Hunt will take the money and move to New Zealand where he’ll set up another website called “YesYouArePwned” with Kim dot com.

Bug Bounty and vulnerability disclosure pioneer Katie Moussouris will have no less than 10 instances a month of bug bounties being mansplained to her. At least 2 a month will try to prove her wrong by citing papers, without realising she authored them.

Richard Bejtlich will tell the world how it’s actually Papua New Guinea that is responsible for the majority of APTs. He’ll admit that China was initially blamed as an internal joke that went a bit too far.

Jeff Moss will look in disgust at what he has created. In a fit of rage he’ll punch the ground, pull his hair yelling, “I’ve created a monster!” and cancel DEF CON. This will create a domino effect as all other conferences will come collapsing, leaving no security conferences active by the end of the year.

SwiftOnSecurity is unmasked as being The Grugq who would have gotten away with it, if it weren’t for those meddling kids.

Stuck in traffic YouTuber Wolf Goerlich will finally take a different route into work and realise traffic ain’t all that bad. As a result YouTube suspends his account, declaring the title misleading. Which is a polite way of saying ‘fake news’.

Investigative journalist Brian Krebs may unofficially be many companies' IDS, but in 2019 he’ll take it to new heights while launching his own subscription-only service called B-KIDS (Brian Krebs IDS) which companies can use to get the heads up if they’re going to be outed.

Reunions will become common, as professionals grow bored of corporate life. L0pht Hacking Industries will furiously lobby the US government, while over in Europe the Eurotrash Security podcast will regroup and take the show on the road once again.

Marcus Hutchins reveals he was never really arrested by the FBI. Claims he just wanted a bit of “me time” and thought this would be the best way.

(ISC)2 will cease offering the CISSP certification, stating that there is now a global surplus of security professionals and the number needs to be reduced.

Independent analyst Kelly Shortridge reveals the magic that goes into magic quadrants, waves and other analyst firms’ methodologies. Confidence in analyst firms will take a dip as a result. Kelly will then sell the rights to the movie, The Big Short(ridge).

Award-winning blogger and podcaster Graham Cluley will go through the whole of 2019 without winning a single award.

Mega breaches will have reached the tipping point and GDPR will have been found ineffective. In a last ditch effort, companies that offer affected customers a year's credit monitoring will no longer be deemed sufficient. Rather companies will be forced to create whole new identities for affected individuals, complete with backstories, like witness protection programs do.

Finally, world governments will see the error of their ways and stop trying to backdoor crypto.

Have a happy 2019 folks!

On 2018-12-13


  New AlienVault and AT&T Cybersecurity Consulting Solution for Cyber Risk and Compliance Management
Let’s face it, managing cyber risk and compliance is hard. Many organizations struggle to gain the visibility needed to truly understand their overall cyber risks. They also struggle to maintain that visibility as they take on digital business transformation and new cloud computing initiatives. It’s no easy task for organizations to continually align their security priorities to changes in the regulatory landscape, their IT environment, and an always-shifting threat landscape, especially for organizations with limited IT resources.

That’s why we are excited to announce a new solution to help organizations of any size reduce their cyber risks and simplify their journey to work toward compliance. Together, AT&T Cybersecurity Consulting and AlienVault, an AT&T Company, are bringing together the people, process, and technology in one unified solution to help organizations improve cyber risk and compliance management. In doing so, we’re making it simple and fast for organizations to consolidate their requirements and to accelerate their security and compliance goals. Download the solution brief to learn more.

“Managing cyber risk and compliance requires an ongoing review of your IT assets and data, security practices, and personnel — and no single security tool provides that holistic visibility,” said Russell Spitler, SVP of Product for AlienVault, an AT&T company, “With a unified solution from AT&T Cybersecurity Consulting and AlienVault, we can help organizations to reduce the complexity and cost of having to juggle multiple products and vendors.”

This solution addresses many of the most challenging aspects of meaningful risk reduction (i.e. you are actually making progress in reducing risks, not simply “managing risks,”) and maintaining continuous compliance. The solution includes: risk assessment, scanning and remediation vulnerability assessment, employee cybersecurity awareness training, continuous network monitoring for the latest threats, and reporting for compliance as well as for internal policy. It is ideal for organizations that are getting started with or want to accelerate their efforts for PCI DSS or HIPAA, but also for non-compliance organizations that are looking to evaluate and improve their cyber risk posture quickly and efficiently.

Unlike other solutions for cyber risk and compliance that are often oversized and do not adapt to an organization’s existing security model, AlienVault and AT&T Cybersecurity Consulting offer flexible options that allow any organization to tailor-fit a solution to their unique environment, business goals, and budget. The solutions include:

- Risk-based Cyber Posture Assessment led by AT&T Cybersecurity Consultants
- ASV-provided External Vulnerability Scanning Services from AT&T Consulting Services
- AlienVault USM Anywhere - a unified platform for threat detection and response
- AT&T Cybersecurity IQ Training - cybersecurity user training and assessments

For more details on the products and services included in this solution, read the solution brief.

Following AT&T Business’ acquisition of AlienVault in August, this offering is the first to combine the phenomenal threat detection and incident response capabilities of AlienVault USM Anywhere and AlienVault Labs Threat Intelligence with the world-class expertise of AT&T Cybersecurity Consulting.

“It’s no secret that cybercrime has become its own industry, giving criminals access to a battery of tools for targeting victims,” said Marcus Bragg, Chief Operating Officer of AlienVault. “For the IT and security professionals who are defending against this, point solutions are no longer enough. They need all the support they can get, and that means people, process, and technology — access to security experts who can share their knowledge and experience, recommendations for best practices, and a unified platform that ties everything together, including the most up-to-date threat intelligence for threat detection and response. That’s what the future looks like in our fight against cybercrime.”

This solution is available from AlienVault and AT&T Business, so new and current customers can easily purchase the solution that works for them. To learn more about this and other cybersecurity solutions from AlienVault and AT&T, contact us to get started. To learn more about the offering, download the solution brief.

On 2018-12-12


  A HIPAA Compliance Checklist
Five steps to ensuring the protection of patient data and ongoing risk management.

Maintaining security and compliance with HIPAA, the Health Insurance Portability and Accountability Act, is growing ever more challenging. The networks that house protected health information (PHI or ePHI) are becoming larger and more complex — especially as organizations move data to the cloud. At the same time, security professionals are faced with an evolving threat landscape of increasingly sophisticated threat actors and methods of attack.

For example, 2018 threat intelligence research by AlienVault Labs reports a rise in the number of targeted ransomware attacks in the healthcare sector. These attacks are often backed by organized criminals who see opportunities for making money from health care providers and other similar entities who must protect and keep assets, systems, and networks continuously operating. One such criminal group operating the SamSam ransomware is thought to have earned more than $5 million by manually compromising critical healthcare networks. And, according to AlienVault Labs, the methods used by SamSam are more akin to a targeted attack than typical opportunistic ransomware.

To help address these security challenges and ensure adherence to compliance mandates, security and IT professionals should consider how people, processes, and technology can be used together to create a holistic IT security compliance program that simplifies preparation, auditing and reporting, as well as ongoing security risk management and breach monitoring and response. Here’s a five-step HIPAA compliance checklist to get started.

Certification and Ongoing HIPAA Compliance

HIPAA sets the standard for protecting sensitive patient data. Any entity that deals with protected health information must ensure that all the required physical, network, and process security measures are in place and followed. In 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act was adopted to promote the “meaningful use of health information technology” and address the privacy and security concerns associated with the electronic transmission of health information.

Although there is no standard or implementation specification that requires a covered entity to “certify” compliance, the evaluation standard § 164.308(a)(8) requires covered entities to perform ongoing technical and non-technical evaluations that establish the extent to which their security policies and procedures meet the security requirements. Evaluations can be performed and documented internally or by an external organization that provides evaluation or “certification” services. However, HITECH requires the HHS Office for Civil Rights (OCR) to conduct periodic audits of covered entities and business associates for compliance with the HIPAA Privacy, Security, and Breach Notification Rules.

Step 1: Start with a comprehensive risk assessment and gap analysis

Your compliance strategy should start with a solid foundation, which is why the first step in your journey to HIPAA compliance should be a readiness assessment that includes a comprehensive risk and compliance analysis of your electronic health record (EHR) environment. This assessment is often best done by a third party with expertise in healthcare security and compliance, as HIPAA regulations can be confusing and cumbersome. Using a third party with the necessary expertise will ensure you don’t miss or misunderstand the required regulations, and it will save you time as they will likely have a HIPAA checklist to reference.

Your consultant can perform an initial evaluation of your entire security program to determine its adherence to HIPAA regulations and the level of readiness to proceed with the “certification” process. It’s worth noting that the OCR does not actually “certify” HIPAA compliance (see side bar), however there are organizations outside of the OCR that do provide “certification” services, and many organizations take advantage of these certification services to prove compliance.

As a result of the evaluation, your consultant should provide a comprehensive report that may include such things as:

- Your organization’s current security and compliance posture compared to the requirements established by the OCR Audit Protocol (including the HIPAA Privacy Rule, Security Rule and the Breach Notification Rule).
- Prioritized recommendations for risk remediation.
- A road map outlining the steps and initiatives to achieve compliance and “certification”.

According to the OCR, organizations that have aligned their security programs to the National Institute for Standards and Technology (NIST) Cybersecurity Framework may find it helpful as a starting place to identify potential gaps in their compliance with the HIPAA Security Rule. Addressing these gaps can bolster compliance with the Security Rule and improve the organization’s ability to secure ePHI and other critical information and business processes. Read how NIST “maps” to the HIPAA Security Rule in the HIPAA Security Rule Crosswalk to NIST Cybersecurity Framework.

Step 2: Remediate identified risks and address compliance gaps

Once you’ve identified your organization’s risks, take immediate steps to address the gaps within your security program. Again, a consultant who has practical experience in healthcare security will be very useful in providing strategic guidance, as well as advice on risk mitigation. Many organizations use the same consultant who performed their initial risk assessment.

Your consultant may develop specific programs, policies, standards, and procedures, as well as support or help implement key security practices and controls. For example, they may assist in prioritizing vulnerabilities and make recommendations for remediation in your EHR environment. Or, they may provide pre-packaged employee security awareness training that meets HIPAA guidelines, such as educating employees on security risks and running them through attack scenarios.

Make use of security technology to help you more quickly address the gaps in your compliance program — and consider platforms versus point solutions, giving you the ability to address multiple issues at once. Also, look for solutions that address both on-premises and multi-cloud environments as HIPAA regulations apply to both (see Guidance on HIPAA & Cloud Computing).

For example, look for such use cases as the automation of asset discovery and the ability to categorize those assets into HIPAA groups for easy management and reporting. Those same solutions may also perform vulnerability assessments, automate the prioritization of vulnerabilities for mitigation, and integrate with ticketing solutions to ensure the most critical are being remediated while overall risks are mitigated.

Step 3: Take advantage of automated compliance reporting

The evaluation standard of HIPAA requires covered entities to perform and document ongoing technical and non-technical evaluations to establish the extent to which their security policies and procedures meet the security requirements. Simplify and speed this process by taking advantage of automated compliance reporting.

Look for solutions with predefined report templates for HIPAA, as well as other key regulations such as PCI DSS, NIST CSF, and ISO 27001. Consider ease-of-use, such as being able to define groups of assets — for example, a HIPAA group that includes sensitive assets connected to patient data or protected data. How easy is it to view, export, and customize the reports? What percentage of regulation coverage is included in predefined reporting? Most solutions do not cover all the requirements defined by the HIPAA Audit Protocol, but they will give you a jump on your HIPAA checklist.

Many security management platforms also include additional predefined event reports, such as reports by data source and data source type, helping to make daily compliance monitoring and reporting activities more efficient. Also, look for an intuitive and flexible interface that allows you to quickly search and analyze your security data, as well as the ability to create and save custom views and export them as executive-ready reports.

Finally, solutions that provide centralized visibility of your cloud and on-premises assets, vulnerabilities, threats, and log data from firewalls and other security tools are key to giving you the most complete and contextual data set for maintaining and documenting continuous compliance.

Step 4: Implement Monitoring and Breach Notification Protocols

The Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and business associates to provide notifications if they experience a breach that involves unsecured protected health information. Security management platforms can help to simplify and automate monitoring for breaches on your network, ensuring you are able to more quickly detect and contain a breach, as well as provide the required notifications.

As more organizations in healthcare are migrating data and applications to the cloud, make sure the technology you’re choosing offers advanced threat detection across both on-premises and multi-cloud environments. Simplify compliance management by choosing a solution that combines an array of essential security capabilities in one platform. These may include, but are not limited to: asset discovery, vulnerability assessment, intrusion detection, behavioral monitoring, endpoint detection and response, SIEM event correlation, file integrity monitoring (FIM), and log management. By combining these use cases in a single dashboard, you are better able to quickly identify, analyze, and respond to emerging threats that target your EHR environment.

Intelligence is key to threat detection and incident response, so consider vendors who have in-house research teams as well as access to external threat intelligence communities and other sources that can provide insight into the latest global threats and vulnerabilities — and in particular, those that are specific to healthcare.

However, intelligence without context will create a lot of distracting “noise” for your team. So, check that the solution goes beyond just providing intelligence to incorporating it directly into your dashboard, including providing recommendations on how to respond to identified threats. With this intelligence and guidance at your fingertips, you can react quickly to the latest tactics, techniques, and procedures used by threat actors. And, you are assured of an always-up-to-date and optimally performing security monitoring solution.

Need more info on how to respond to a breach? See the HHS Quick Response Checklist.

Step 5: Continuously evaluate and manage risk

Whether you are managing ongoing HIPAA compliance internally or are using an external organization, avoid last-minute scrambling for annual evaluations and audits by employing a year-round risk management program. Such a program requires having real-time visibility of your environment, including system component installations, changes in network topology, firewall information, and product upgrades. Use a unified platform to gain this visibility and enable monitoring in a central location (as opposed to various point solutions).

Here are a few examples of where a platform would be helpful for continuous risk and compliance management:

Manage assets and risks

Examples: Use automated asset discovery for on-premises and cloud environments and then create asset groups such as business critical assets or HIPAA assets for ongoing monitoring, management and reporting. Identify systems with known vulnerabilities and use correlation rules to detect threats.

Monitor access control; data security; information protection, processes and procedures; and protective technology

Examples: Monitor for successful and failed logon events to assets. Monitor for communications with known malicious IP addresses or use file integrity monitoring (FIM) to detect, assess and report on changes to system binaries, and content locations. Schedule vulnerability scans, automate assessments, and plan for mitigation. Review events and detected incidents.

Detect anomalies and events; and ensure continuous security monitoring and detection processes

Examples: Aggregate events from across on-premises and multi-cloud environments. Classify threats based on their risk level. Monitor for stolen credentials, malware-based compromises such as communication to a known command and control (C&C) server, anomalous user and admin activities, file integrity, and vulnerabilities.

Automate event and incident analysis; mitigation

Example: Automate forensics tasks to be executed in response to a detected threat and simplify forensics investigations with filters, search and reporting capabilities for event and log data. Automate actions to contain threats, such as isolating systems from the network.

Automated reporting

Use out-of-the-box reporting to document that you’ve made an accurate assessment of the risks and vulnerabilities to the confidentiality, integrity and availability of all electronic PHI — and to quickly show the status of technical controls that align to HIPAA or other regulations.

Maintaining adherence to HIPAA is no small feat considering the dozens of criteria that are considered in the HIPAA Audit Checklist. Attempting to manage your compliance program manually and without the help of expert healthcare security consultants will not only take up massive amounts of time, it could result in your team missing an essential component of the regulation, or worse yet, enduring a breach that compromises patient data or takes down the network. However, with the right mix of people, processes and technology, it’s not impossible to stay on top of compliance management while ensuring your network is secure and patient data protected year-round.

HIPAA Regulations

HIPAA Privacy Rule: This Rule set national standards for the protection of individually identifiable health information by three types of covered entities: health plans, healthcare clearinghouses, and health care providers who conduct the standard healthcare transactions electronically.

HIPAA Security Rule: This Rule sets national standards for protecting the confidentiality, integrity, and availability of electronic protected health information. The Privacy Rule is located at 45 CFR Part 160 and Subparts A and E of Part 164 (e-PHI).

HIPAA Breach and Notification Rule: The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires HIPAA covered entities and their business associates to provide notification following a breach of unsecured protected health information.

On 2018-12-11

