(629) 895-1984

Speak with a Representative

Edit Template

Membership Results in Better Security and Compliance

Chosen by savvy, respected business leaders

Speak with a Representative

Edit Template
  • Reduce Risk
  • Increase Security
  • Improve Compliance

You should have more confidence in your ability to protect your sensitive data

By partnering with the NHCSA, healthcare organizations can benefit from the following resources:

  • A comprehensive oversight program that covers all aspects of data protection, including governance, risk management, compliance, incident response, and education.

  • Access to experienced healthcare security and compliance professionals who can offer guidance, best practices, and support for data protection initiatives.

  • A robust GRC platform that automates and simplifies the data protection processes, such as policy management, risk assessment, compliance reporting, and audit preparation.

  • Risk and vulnerability management resources that help identify and mitigate the threats and weaknesses that affect the data protection posture of healthcare organizations.

  • Membership in a network of peers and experts who can share insights, experiences, and solutions for data protection challenges.

How the NHCSA brings it all together

Security & Compliance Professionals

Partner with experts in security and compliance for valuable insights and access to knowledge beyond your own.

Management

Improving management and resource utilization is critical for business success.

Oversight

Improve oversight to avoid missing requirements.

GRC & SOC

Access to industry-leading resources like GRM management and SOC capabilities.

Network of Peers

Connect with like-minded peers to discuss common challenges and needs.

Real Life Results

Healthcare compliance is critical for healthcare providers to ensure they deliver quality care while minimizing risks and legal issues. Failing to comply with state and federal regulations can result in severe consequences, including hefty fines, penalties, and even criminal charges. At NHCSA, we understand the significance of compliance in healthcare and provide expert assistance and support to help healthcare providers achieve compliance and avoid costly legal actions.

Get Started with the NHCSA Today

Step 1

Schedule a Call

Start with a professional conversation to gain a thorough understanding of your needs and provide the necessary assistance.

Speak with a Representative

Edit Template

Step 2

Setup a Self Assessment

The NHCSA provides a professional self-assessment based on your preferred framework, allowing you to gain insight into your current standing.

Step 3

Get Better Security & Compliance

Membership in the NHCSA is committed to assisting you in enhancing compliance and safeguarding your patients’ data in a professional manner.

Recent News Posts

The NHCSA No Longer Considers SOC2 and HITRUST Certification Suitable Evidence that Security Standards are Being Met

Rethinking Security Compliance in Today’s Threat Landscape In an era characterized by increasingly sophisticated and pervasive security threats, the National Healthcare Security Alliance (NHCSA) has significant concerns regarding the suitability of SOC2 and HITRUST certifications as effective solutions for demonstrating adherence to security standards. Although both the SOC2 standard and HITRUST framework are robust and comprehensive in their design, the NHCSA contends that the current methodologies employed by assessors and auditors are inadequate in accurately addressing companies’ actual adherence to these standards.  Furthermore, it is the NHCSA’s position that due to the lack of experience and expertise of auditors and assessors under the current methodology.  Studies have shown that many auditors and assessors currently performing SOC2 and HITRUST audits lack the experience and ability to perform hands-on audit tasks.  This leads to an ever-increasing environment where the SOC2 and HITRUST certifications have taken on more of a document review designed to “convince” an auditor without real-world experience than an actual audit by experienced professionals. The Issue with Current Assessment Methods The NHCSA’s primary contention lies not with the SOC2 and HITRUST standards themselves, but, as stated, with the methodologies used in their certification processes. Presently, these certifications rely heavily on assessors and auditors reviewing documentation provided by client companies. While necessary, this documentation review process often results in an extremely limited assessment of the company’s true compliance with security standards. Documentation, though essential, is inherently limited in scope. It provides a snapshot of policies and procedures but does not capture the dynamic nature of their implementation. This method overlooks the practical challenges and nuances involved in maintaining robust security practices. Consequently, there is an increasing recognition that current assessment methods must evolve to address these limitations effectively. Document Review vs. Actual Compliance One of the major drawbacks of relying solely on documentation review is that it does not necessarily reflect the real-world implementation and effectiveness of security controls. Documents can be meticulously crafted to show compliance on paper, but this does not always translate to actual practice. In many instances, there is a significant disconnect between the documented policies and procedures and their practical application within an organization. The gap between documented policies and real-world practices can lead to a false sense of security. Organizations may believe they are compliant based on their documentation, but without verifying the actual implementation, they remain vulnerable to breaches. This discrepancy underscores the need for more rigorous and comprehensive assessment techniques that go beyond mere paperwork. Impact on Data and Privacy Breaches The NHCSA has observed that reliance on a limited document review process has contributed to a substantial increase in data and privacy breaches. When auditors base their assessments solely on the information provided by the client, critical gaps and vulnerabilities may go unnoticed. These overlooked areas can become entry points for cyber attackers, leading to significant breaches that compromise sensitive data and privacy. The consequences of such breaches are far-reaching. They can result in financial losses, legal repercussions, and reputational damage. For healthcare organizations, the stakes are even higher, as breaches can jeopardize patient confidentiality and trust. Therefore, it is imperative to adopt assessment methods that provide a more accurate and comprehensive evaluation of security practices. The Need for Enhanced Assessment Techniques To address these concerns, the NHCSA advocates for a more comprehensive and hands-on approach to security assessments. This would involve not only reviewing documentation but also conducting thorough hands-on audits, technical testing, and continuous monitoring of security practices. By incorporating these techniques, assessors can gain a more accurate and holistic understanding of a company’s security posture. Enhanced assessment techniques offer several advantages. They provide deeper insights into the effectiveness of security controls and help identify discrepancies between documented policies and actual practices. These methods also enable assessors to uncover hidden vulnerabilities and recommend actionable improvements, thereby strengthening the organization’s overall security posture. Hands-on audits Hands-on audits allow assessors to audit the practical implementation of security controls within the organization. This approach provides insights into the effectiveness of these controls and helps identify any discrepancies between documented policies and actual practices. Additionally, it enables assessors to engage directly with staff, gaining a deeper understanding of the security culture and awareness within the company. During hands-on audits, assessors can conduct interviews, inspect physical security measures, and observe operational procedures. This hands-on approach offers a more realistic assessment of the organization’s security practices, ensuring that documented policies are being effectively implemented and adhered to. For example, during an hands-on audit, assessors can inspect access control procedures to ensure they are functioning properly and being implemented consistently. They can also observe how sensitive information is stored and handled, checking for compliance with data protection policies. These evaluations provide a comprehensive view of the organization’s security environment and help identify areas for improvement. Moreover, hands-on audits foster a culture of accountability within the organization. Employees are more likely to adhere to security protocols when they know their actions are going to be observed and evaluated. This proactive approach helps create a security-conscious workforce that understands the importance of maintaining robust security practices. Technical Testing Technical testing, such as penetration testing and vulnerability scanning, is essential for identifying weaknesses that may not be evident through documentation alone. These tests simulate real-world attacks, providing a clear picture of the organization’s resilience against potential threats. By incorporating technical testing performed by the assessor into the assessment process, assessors can uncover hidden vulnerabilities and recommend actionable improvements. The current SOC2 and HITRUST standards for certification and control rely on evidence from third parties and self-assessments of these controls.  The NHCSA believes most organizations take precautionary and preventative actions within their capabilities. The main concern is whether they are trained and equipped to perform these tasks.  Additionally, evidence has shown that under the current methodology for these certifications, the auditors themselves are not sufficiently qualified to interpret the findings of this type of testing let alone perform the tests. Independent technical testing by trained auditors would provide valuable insights

Read More »

The FTC Consumer Rights Act: Protecting Patients from Healthcare Providers Not Adhering to HIPAA

While the Health Insurance Portability and Accountability Act (HIPAA) has long been the gold standard for safeguarding patient privacy, it may come as a surprise to many that the Department of Health and Human Services (HHS) Office of Consumer Rights (OCR) is not the only organization with jurisdiction. The Federal Trade Commission (FTC) has taken on the pivotal role of protecting consumer privacy across many sectors. Under the Consumer Rights Act, the FTC is empowered to enforce patient privacy regulations. This means that false claims that anyone if a healthcare provider falsely claims they are adhering to HIPAA requirements for the protection of patients’ privacy and security, they can be ,  or related entity is not subject to HIPAA’s stringent regulations, they are still held accountable for maintaining patients’ privacy and security. The FTC’s authority under the Consumer Rights Act extends to a wide range of healthcare entities, including mobile health apps, wearable devices, health-related websites, and personal health records. By encompassing these areas, the FTC ensures that all aspects of healthcare are covered, prioritizing patient privacy above all else. One of the key ways the FTC protects patients’ privacy is through its enforcement actions. When a healthcare entity violates patient privacy or fails to adhere to privacy standards, the FTC steps in. The agency has the power to bring legal action against such entities and impose significant penalties if necessary. This serves as a strong deterrent for healthcare providers, compelling them to uphold privacy standards and prioritize patient trust. Moreover, the FTC actively works to educate both healthcare providers and consumers regarding patient privacy rights. Through guidelines, workshops, and publications, the agency promotes awareness and understanding of privacy regulations. By educating healthcare providers, the FTC empowers them to proactively protect patient privacy and avoid costly violations. Equally important, the agency educates consumers on their rights, ensuring they are well-informed and able to assert those rights. In addition to enforcement and education, the FTC engages in collaborative efforts to foster privacy protection within the healthcare industry. The agency partners with other government bodies, healthcare associations, and privacy experts to exchange information, share best practices, and develop industry-wide standards. This collaborative approach not only enhances privacy measures but also furthers innovation and bestows patients with greater confidence in the healthcare system as a whole. The significance of the FTC’s efforts to protect patients’ privacy cannot be understated. In a world where the digital landscape is rapidly evolving, the agency’s enforcement actions, educational initiatives, and collaborative efforts provide a strong foundation for patient privacy. By leveraging its authority under the Consumer Rights Act, the FTC ensures that healthcare providers and related entities are held to the highest privacy standards, regardless of whether they fall under HIPAA’s jurisdiction. However, it is important to note that the FTC’s role in protecting patient privacy is not meant to replace HIPAA or diminish its importance. HIPAA remains a vital and comprehensive framework for privacy protection in the healthcare industry. The FTC’s jurisdiction, on the other hand, encompasses entities outside the scope of HIPAA, fortifying patient privacy rights across the entirety of the healthcare landscape. In conclusion, the FTC stands as a stalwart defender of patient privacy in the healthcare industry, safeguarding individuals’ personal health information and empowering them with legal protection. Through its enforcement actions, educational initiatives, and collaborative efforts, the agency ensures that healthcare providers and related entities adhere to strict privacy standards, regardless of their exclusion from HIPAA. By doing so, the FTC plays a vital role in preserving patient trust and privacy in the digital age.

Read More »

Keenan & Associates Data Breach Affects More Than 1.5 Million Individuals

Keenan & Associates, a prominent insurance broker headquartered in Torrance, CA, recently made headlines with news of a major data breach. The company reported the cybersecurity incident to the Maine Attorney General, revealing that a staggering 1,509,616 individuals were impacted. This breach has significant implications not only for the affected individuals but also for the reputation of Keenan & Associates and the broader insurance industry. As part of Assured Partners NL, one of the largest brokerage firms in the United States, Keenan & Associates serves clients from various sectors, including healthcare, education, and the public sector. This vast client base, coupled with the scale of the breach, underscores the urgent need for heightened cybersecurity measures across industries. The breach at Keenan & Associates poses a significant threat to the privacy and security of the affected individuals. Personal information, such as names, addresses, social security numbers, and medical records, may have been compromised. Such sensitive data falling into the wrong hands can lead to identity theft, financial fraud, and other malicious activities. The potential consequences for the affected individuals cannot be underestimated. Furthermore, this breach raises serious concerns about the capabilities and safeguarding of customer data within the insurance industry. Insurance brokers are entrusted with extensive amounts of personal and often confidential information, necessitating robust security protocols. The fact that a firm of Keenan & Associates’ stature was breached underscores the sophistication and persistence of cybercriminals. It also highlights the pressing need for stronger cybersecurity practices across the industry. In response to the breach, Keenan & Associates has taken immediate actions to mitigate its impact. The company is notifying affected individuals and offering credit monitoring and identity theft protection services. Additionally, Keenan & Associates has engaged a leading cybersecurity firm to investigate the incident further and enhance its security measures to prevent future breaches. The aftermath of this breach serves as a stark reminder to organizations across industries about the importance of prioritizing cybersecurity. Investing in effective prevention and response protocols is crucial to safeguarding customer data and protecting against emerging threats. This incident should serve as a wake-up call for firms that have not yet taken comprehensive steps to fortify their cybersecurity frameworks. Moreover, regulators and industry bodies must play an active role in ensuring the security of customer data. An incident of this magnitude should prompt a thorough examination of existing regulations and guidelines in the insurance sector and could potentially lead to stricter standards and increased oversight. While the Keenan & Associates data breach is a concerning and regrettable event, it presents an opportunity for the insurance industry to reassess its cybersecurity practices. By adopting stronger security measures, enhancing staff training, and leveraging advanced technologies, insurance brokers can better protect customer data and instill confidence in the industry as a whole. In conclusion, the data breach at Keenan & Associates has far-reaching implications for more than 1.5 million individuals and raises serious concerns about the security of customer data within the insurance industry. But it also signifies an opportunity for organizations and regulators to reevaluate and reinforce cybersecurity practices. As the digital landscape continues to evolve, prioritizing data security is an ongoing commitment that every organization should embrace to protect against future breaches and safeguard the privacy and trust of its customers.

Read More »

71% of Ransomware Attack Victims Refuse to Pay the Ransom

In recent years, ransomware attacks have become increasingly prevalent and more sophisticated. These malicious acts involve cybercriminals encrypting a victim’s files or, in some cases, stealing sensitive data and demanding a ransom in exchange for their safe return. However, a surprising and encouraging trend has emerged – an increasing number of victims are refusing to pay the ransom. According to recent research, a staggering 71% of ransomware attack victims are standing firm and refusing to give in to the demands of cybercriminals. This significant shift in behavior can be attributed to a variety of factors, including better preparedness, lack of trust in attackers, and stricter regulations. One of the primary reasons for the decline in ransom payments is the improved level of preparedness among potential victims. Organizations have recognized the importance of backing up sensitive data and storing it securely in an air-gapped system. This precautionary measure ensures that even if their primary systems are compromised, they can retrieve their data without bowing to the cybercriminals’ demands. A backup strategy is only effective, however, if it is implemented correctly. It is crucial for organizations to review and test their backup systems regularly to ensure that they are working as intended. Without proper testing, companies may find themselves unable to access their backup data when faced with a ransomware attack, leading to a potential increase in ransom payments. Another factor contributing to the decline in ransom payments is the lack of trust in ransomware groups. Victims have become increasingly skeptical of these cybercriminals’ promises, particularly when it comes to deleting stolen data. Paying the ransom does not guarantee the eradication of compromised information, leading to potential leaks or the sale of sensitive data on the dark web. Organized criminal groups have been known to exploit victims who pay the ransom by initiating further extortion attempts or launching subsequent attacks. Moreover, a significant development in the fight against ransomware has been the law enforcement crackdown. Authorities worldwide have been actively targeting these cybercriminals and disrupting their operations. In certain regions, paying a ransom has even been deemed illegal. This strong stance indicates a shift toward holding cybercriminals accountable for their actions, which ultimately discourages victims from giving in to their demands. As the number of victims who refuse to pay the ransom continues to increase, the impact is twofold. On one hand, each unyielding individual or organization weakens the profitability of ransomware attacks. Cybercriminals depend on ransom payments for their financial gains, and a decline in these payments greatly diminishes their incentives to conduct such attacks. On the other hand, the refusal to pay the ransom encourages cybercriminals to adapt and seek alternative methods to generate revenue. This may result in a rise in more sophisticated forms of cybercrime, such as data breaches or targeted attacks aimed at stealing sensitive information for immediate monetization. Therefore, while the decline in ransom payments is undoubtedly positive, it is essential for organizations to remain vigilant and continue investing in robust cybersecurity measures to counter evolving threats. In conclusion, the significant increase in ransomware attack victims refusing to pay the ransom is a positive trend in the fight against cybercrime. Factors such as better preparedness, lack of trust in cybercriminals, and the enforcement of stricter regulations have contributed to this decline. However, organizations must remain proactive in their cybersecurity efforts to deter cybercriminals from exploring alternative avenues. By implementing strong backup and recovery strategies, fostering a cybersecurity-conscious culture, and collaborating with law enforcement agencies, individuals and organizations can tilt the odds in their favor and minimize the impact of ransomware attacks.

Read More »

Overcome the Biggest IT
Challenges and Responsibilities

REDUCE RISK | INCREASE SECURITY | IMPROVE COMPLIANCE

Speak with a Representative

Edit Template

Boost Your Security and Compliance With Us

Speak with a Representative

Edit Template

Company

Home

About Us

Solutions

Contact

Features

Templates

Process

Portals

Dynamic Policy & Procedure Creation

Reports

Dashboard

Policies

Primary

Specialty

Supporting

Standards

AICPA SOC 2

HIPAA

CMMC 2.0

Cyber Fundamentals

FTC Safeguards

GDPR

NIST SP 800-171

PCI-DSS

NY DFS

Frameworks

CIS CSC v8

Cyber Essentials

Cyber Insurance

NIST CSF

All Standards

©2024 National Healthcare Security Alliance. All right reserved.