Compliance & Remediation Consulting


SOX, GLBA, OCC Compliance & Remediation

Created in response to the accounting scandals that occurred at major corporations in 2001 and 2002, SOX requires that publicly-traded companies ensure their internal business processes are properly monitored and managed. This includes having an outside auditor certify the accuracy of financial statements and conducting an annual assessment of internal controls relating to the security of critical data, particularly financial information.

SOX includes several major provisions, but two specifically stipulate that public companies ensure their business processes are maintained within an adequate internal control structure. Section 302 of the Act mandates a set of internal procedures designed to ensure accurate financial disclosure. Under Section 404 of the Act, management is required to produce an adequate internal control report as part of each annual Exchange Act report. The outside auditors must confirm management's internal control assessment.

Because financial reporting processes are driven by IT systems, IT necessarily plays a vital role in internal control and in ensuring the security, accuracy and reliability of the systems used to manage and report financial data. The Securities and Exchange Commission (SEC) has identified five areas that need to be addressed to meet SOX internal control requirements and support compliance, two of which are risk assessment and monitoring. Risk assessment involves understanding the areas of risk affecting the completeness and validity of financial reports by examining how the company's systems are being used. Monitoring entails scheduling regular internal audits by IT personnel and audits performed by personnel outside the organization.

Gramm-Leach-Bliley Act (GLBA) Compliance

The GLBA became fully effective on July 1, 2001. The law applies to banks, brokerage firms, tax preparation companies, insurance companies, consumer credit reporting agencies and a wide variety of other financial services firms. Violations of the GLBA may result in a fine of up to $100,000 and 5 years in jail. The primary focus of the GLBA is the protection of customers' personal financial information.

Regulated organizations must ensure the security and confidentiality of customer records and information, and the law requires that access to all customer records be meticulously controlled to prevent substantial harm or inconvenience to customers.

Complying With the Office of the Comptroller of the Currency (OCC) Advisory Letter

On June 14, 2004, the OCC sent out an Advisory Letter highlighting issues regarding electronic record keeping in light of the E-SIGN Act (15 USC 7001). The letter addressed key issues posed by electronic record keeping systems. It stated that banks should implement an electronic record retention system that supports litigation, audits, bank supervision, and compliance with laws and regulations. Such systems should also prevent external access by third parties, and provide back-up, internal controls, record destruction, and record retention.

How ABMCG Helps

If your company is publicly-traded, ABMCG can assist you with achieving SOX/GLBA/OCC IT security compliance by scanning the enterprise to locate areas of risk in your systems and networks and monitoring your environment. A comprehensive risk assessment report is provided detailing any areas of risk discovered, along with outlined steps for remediation.

PCI Compliance & Remediation

The threat to personal and financial information is more profound than ever, and the number one target for criminal activity is financial institutions. Financial institutions are compelled to take measures to protect customer and financial data against hacking attacks.

If your organization stores, processes or transmits credit card information, then you need to be PCI DSS compliant.

Theft of credit card information is on the rise, leaving businesses faced with mounting legal, remediation, and recovery costs. As a result, all entities that handle credit cardholder information are being challenged to adopt more effective data protection measures.

PCI Compliance

The Payment Card Industry (PCI) Data Security Standard (DSS) was created to confront the rising threat to credit cardholders' personal information. The PCI DSS consists of the PCI Compliance Principles and Requirements for securing credit cardholder data in both hardcopy and electronic formats. The PCI DSS has been adopted by companies in the credit card industry as the global standard for the protection of customer information. The PCI Security Standards Council (SSC) owns, develops, maintains and distributes the PCI DSS, in addition to providing oversight for the Approved Scanning Vendor program that certifies companies as Approved Scanning Vendors (ASVs).

Who needs to be PCI compliant?

As a global standard, the PCI DSS applies to any entity worldwide that stores, processes or transmits credit cardholder data. This includes financial institutions, merchants and service providers in all payment channels.

Penalties for non-compliance

Entities that fail to comply with the PCI standards can be fined up to $500,000 for each instance of non-compliance, in addition to having their ability to process credit card transactions revoked. Even with these penalties as a deterrent, those handling payment cardholder data are finding it challenging to meet the PCI standard without outside help from security experts experienced in guiding similar organizations through the PCI compliance audit process.

How We Can Help

Our PCI Compliance Solutions meet the data security standards required to achieve PCI compliance while also providing sound vulnerability management practices as part of a comprehensive security program designed to protect your credit cardholder data from intruders.

We help you comply with PCI DSS Requirements through:

  • PCI DSS Compliance Risk and Readiness Assessments
  • Network Vulnerability Assessments and Penetration Testing
  • PCI Quarterly Scan

HITECH and HIPAA Compliance

Healthcare service providers have become key targets of identity theft crime due to the depth of personal, demographic, and financial information collected on patients. At ABMCG we understand security-related processes and the risks associated with electronic protected health information (ePHI).

HIPAA Compliance

The goal of HIPAA is to ensure the integrity and confidentiality of health information, and to protect against security breaches and unauthorized use or disclosure of health information. The security provisions for HIPAA compliance are designed to motivate healthcare service providers to adopt practices that reduce the risk of losing valuable patient information to data theft from security breaches. To achieve HIPAA compliance, covered entities must demonstrate adherence to the Security Rule. The Security Rule mandates protection of all electronic Protected Health Information (PHI) created, received, maintained, or transmitted by any covered entity. PHI is individually identifiable health information, including items such as the patient's name, address, e-mail address, birth date, Social Security number, employee number, claim number and health plan beneficiary number. Covered entities must comply with three types of security safeguards: administrative, technical and physical. Specifically, sections §164.308 to §164.316 of the HIPAA Security Rule define the safeguards that must be used to protect confidential medical information.

HITECH Compliance

The goal of the HITECH Act is to improve patient confidence in the security of their medical data, and to improve the quality of patient care in the healthcare system by providing incentives for the adoption and 'meaningful use' of electronic health records (EHRs) shared over health information exchange (HIE) networks. The new audit and enforcement requirements introduced by the HITECH Act respond to the threat faced by healthcare service providers as more patient information moves into EHRs, online employee health benefit plan portals, and e-prescription kiosks accessible via the Internet.

Who needs to be HIPAA and HITECH compliant?

The U.S. Department of Health and Human Services (HHS) delegated HIPAA enforcement authority to the HHS Office for Civil Rights (OCR). The HITECH Act clarified that all health service entities, including business associates in the private sector, that access, maintain, retain, modify, record, store, destroy, or otherwise hold, use, or disclose protected health information (PHI) are accountable to HHS for HIPAA and HITECH requirements for breach prevention activities, audits, notifications, and penalties for disclosures.

This includes:

  • Covered health care providers (hospitals, clinics, regional health services, individual medical practitioners) that conduct certain transactions in electronic form
  • Health care clearinghouses (including entities that help health care providers and health plans standardize their information)
  • Health plans (including insurers, HMOs, Medicaid, Medicare prescription drug card sponsors, flexible spending accounts, public health authority, in addition to employers, schools or universities that collect, store or transmit PHI to enroll employees or students in health plans)
  • Their business associates (including private sector vendors and third-party administrators)

Penalties for non-compliance

The HITECH Act permits state attorneys general to pursue civil charges on behalf of victims, in addition to fines for HIPAA violators of up to $50,000 for each violation, to a maximum of $1.5 million per year. The high fines levied on HIPAA violators reflect the importance of safeguarding protected health information. Faced with the looming threat of steep fines for failing to meet HIPAA data security requirements, the health service industry is seeking ways to become HIPAA compliant.

How We Can Help

We're here to help organizations that handle sensitive patient information achieve HIPAA compliance. Our solutions for healthcare services meet the Protected Health Information (PHI) safeguards required to achieve HIPAA compliance.

Here's how we'll prepare you for a HIPAA audit while providing sound vulnerability management practices that ensure that your entire infrastructure is protected from intruders:
  • Automating HIPAA audit requirements with pre-configured HIPAA compliance scanning and reporting as part of a broad, deep and accurate vulnerability management solution
  • Providing both executive HIPAA summary reports for management and a detailed HIPAA remediation plan
  • Performing internal scanning of your entire infrastructure in preparation for HIPAA audits by evaluating potential security risks to electronic PHI, including monitoring of system activity for vulnerability and patch status on devices holding PHI
  • Performing external scanning to detect and fix any holes in your network perimeter

Our HIPAA Compliance Services staff also perform HIPAA risk assessments and provide healthcare providers with documentation of their current security posture in accordance with HIPAA audit standards, including:
  • Defining policies and procedures to secure protected health information
  • Providing security experts to perform vulnerability scanning, penetration testing and a detailed audit of your networked environment, so that you can detect deficiencies more quickly and receive recommendations for fixes that would prevent attacks
  • Identifying protected health information (PHI) and unprotected health information
  • Providing a remediation plan and report with detailed step-by-step instructions for vulnerability remediation to attain HIPAA compliance
  • Providing a Security Policy Review to evaluate all security policies and procedures, in addition to providing guidance on designing and implementing missing controls
  • ABMCG Security Awareness Training to give staff the knowledge needed to secure PHI against the electronic, physical and behavioral challenges that put data at risk

Additional Information

If you would like additional information on our Services/Industries Solutions or other ABMCG solutions or services, please contact us.