An ecfirst Case Study: Lunarline & HIPAA Compliance
TABLE OF CONTENTS
EXECUTIVE SUMMARY
  SECURITY OPERATIONS CENTER (SOC)
LUNARLINE
  What is Lunarline?
  Why Lunarline?
  Lunarline Security
  Features
  Privacy Services
  Key Capabilities
  HIPAA Compliance
  HIPAA Security Rule Compliance
  HSCR Benefits
  HSCR Features
  Enterprise Compliance Console for HIPAA
HEALTHCARE SECURITY SERVICES - HSS
  What is HSS?
  Why HSS?
  Compliance Solutions
  Physical Security
INETU
  What is INetU?
  Why INetU?
  Features
  Compliance & Audits
  HIPAA Compliance Dashboard
  HIPAA Compliance Security Services
EXECUTIVE SUMMARY
Security Operations Center (SOC)
A security operations center (SOC) is a centralized unit in an organization that deals with security issues at both an organizational and a technical level. A SOC within a building or facility is a central location from which staff supervise the site using data processing technology.
Lunarline
What is Lunarline?
Lunarline builds Security Operations Center (SOC) solutions. Its services concentrate on addressing cyber security and privacy challenges.
Lunarline has been the driving force behind some of the most successful SOC and NSOC operations in both the government and private sector.
Why Lunarline?
Lunarline’s SOC solutions:
- Enterprise Governance and Cyber Security Protection Support (Full Incident Lifecycle)
- 24x7x365 Enterprise Managed Security Services Provider (MSSP) delivering Vulnerability Assessment Service, Incident Response, centralized management of antivirus measures, and Security Log Management Service
- Enterprise-wide Network Visibility and Discovery Service
- Securing networks and critical systems with real-time countermeasures
- Customer-Specific Real-Time Dashboards, Cyber Specific Threat, and Risk Scoring Dashboards with integration experience over 3000 types of structured and unstructured data types
- Secure installation, configuration, provision, and maintenance of NSOC Systems and Assets
- Monitoring, Analysis, Detection, and Defense of Organization Assets and Systems
- SOC / Monitoring / Log / Operational / Security / Privacy Architecture Development
- Full Incident Response Lifecycle and Forensics Support to include fly-away teams
- Integration of existing SOC investments into a Continuous Security Monitoring Capability
- Support of external Business Partner Monitoring (Trust but Verify Service)
- Advanced Persistent Threat (APT) and Insider Threat Monitoring, Forensic
- Independent Verification and Validation (IV&V) and Pen Testing Services
- Development of custom security and compliance monitoring solutions (Government, Healthcare, Financial, Insurance, and Critical Infrastructure)
- Privacy Breach Response and Data Loss Prevention (DLP) Services
- Basic and Advanced Cyber Security Awareness Training (online and hands-on) to include incident response testing support
- SOC Program Management and expert technical staff augmentation for surge operations to support installation and configuration of firewalls, intrusion prevention systems, malware detection devices, SSL VPNs, anti-virus, end-point devices, and security assessment software
Lunarline Security
Lunarline is a Department of Veterans Affairs (VA)-certified Service-Disabled Veteran-Owned Small Business (SDVOSB) with an award-winning and successful track record of providing cyber security solutions and support throughout the Federal Government and selected commercial communities. It is focused solely on the cyber security, information assurance (IA), and privacy disciplines. Its cyber security service coverage and delivery is ISO and CMMI certified to ensure consistent quality, pricing, and on-time delivery; more importantly, its service coverage areas are managed by trained and certified domain experts.
Features
Lunarline develops a custom-tailored FedRAMP solution. It has conducted over 500 successful Security Assessments and Authorizations using the same standards required by FedRAMP. It offers a suite of training, services and products to streamline FedRAMP compliance and automate continuous monitoring.
Training: It provides FedRAMP and security compliance training tailored to each customer's unique requirements and technology. It teaches customers how to tailor controls, prepare documentation, identify and fix problems, and survive an assessment.
Services: It provides a comprehensive suite of services designed to implement a tailored, efficient, lasting compliance program.
Products: Its automated continuous monitoring products provide real-time insight into enterprise compliance posture.
Privacy Services
Lunarline provides a robust range of professional and technical privacy services to assist customers in protecting personally identifiable information (PII) or personal data; protected health information (PHI); electronic health records (EHR); protected financial information; sensitive or special categories of data; and intellectual property (IP). Lunarline also provides privacy training and education.
It provides privacy services such as:
- U.S. Privacy Services (Public and Private Sectors)
- Global Privacy Services
- Vendor and Cloud Privacy Assessments
- Mobile and Online Marketing Privacy Services
- Data Breach Response Services
Key Capabilities
The Lunarline SOC helps organizations face the challenges of the modern cyber world. As a Managed Security Service Provider (MSSP), Lunarline integrates data from the customer organization's IT and security tools into its comprehensive monitoring and correlation solution, housed in its secure, accredited facility. On a 24x7x365 basis, its SOC team analyzes this data to shed light on the network's darkest corners and keep a watchful eye on the customer's enterprise security posture.
Its MSSP support includes:
- Enterprise risk management
- Secure asset management
- Incident response and cyber forensics
- Advanced Persistent Threat detection and response
- Cyber threat intelligence
- Continuous monitoring
- Compliance posture reporting
- Data Loss Prevention
- Privacy breach response
- Insider Threat Detection
- Business partner monitoring
Lunarline's approach consolidates and analyzes data from across the organization's network, capturing critical intelligence and providing real-time insight into enterprise risk. With custom dashboards and push-button reporting, backed by Lunarline's expert cyber analysts, its SOC provides customers and their teams with the situational awareness necessary to navigate an increasingly dangerous cyber world.
Lunarline's MSSP support includes an Intrusion Detection System (IDS) and a Security Incident Event Manager (SIEM), both based on industry leading technology.
HIPAA Compliance
HIPAA Security Rule Compliance
Lunarline provides software called the HIPAA Security Rule Compliance Reporter (HSCR), which deploys state-of-the-art enterprise risk management technology to allow customers to meet the HIPAA Security Rule requirements for hospitals and their business associates. The software supports SCAP vulnerability scan data uploads and direct input or uploads of syslog data from perimeter security devices. Policy inputs include HIPAA-specific questions and enhanced reporting. The HSCR console enables monitoring of the HIPAA Security Rule compliance status of each business associate. The console gives hospitals access to a real-time display of the HIPAA Security Rule compliance status of all active business associates, as described in NIST 800-66.
HSCR Benefits
- Compliance limits liability
- Annual subscription based program
- Protects data
- Auditable reports
- Uses approved NIST methods
- Automates time consuming processes
- Automates extraction of syslog data
HSCR Features
- Roadmap to full HIPAA compliance
- Continuously updated using Federal standards
- Software as a Service (SaaS)
- Encrypted storage of input data
- Encrypted PDF reports
- Supports SCAP vulnerability scan import
- Supports IPS/AV upload
Enterprise Compliance Console for HIPAA
This is the enterprise management compliance package. It includes a console that allows hospitals or distributed health care enterprises to access and view the HIPAA security rule compliance status of all of their business associates. The console allows the hospital to review and display the HIPAA security rule compliance status of each or all active business associates that have been configured and authorized access.
Healthcare Security Services - HSS
What is HSS?
HSS Inc. is one of America’s leading outsourcing companies. It provides personalized, technical, and professional service programs to enhance the value of its customers' business.
HSS offers highly regarded programs in:
- Healthcare Security
- Aviation and Government Services Security
- Security Systems Integration
- Medical Equipment Management
- More Health Care Services
Why HSS?
HSS provides:
- Cost-efficiency
- Proven security processes and best practices
- Full range of security programs and services
- Long-term commitment to your success
- Rigorous screening and hiring methods
- Extensive regulatory compliance expertise
- Skilled, trained healthcare security officers: experienced, reliable, responsible
- World class customer service
- Technology-driven rapid response operational support
Compliance Solutions
HSS Healthcare Security Compliance Solutions
HSS is a leader in helping customers meet the many challenges of healthcare security compliance.
The Joint Commission (TJC)
HSS is a nationally recognized leader in applying TJC compliance strategies to customer security programs. HSS takes responsibility for planning all TJC Environment of Care requirements related to security. The Annual Effectiveness Review that HSS prepares for customers every year is considered a “best
Health Insurance Portability and Accountability Act (HIPAA)
HSS helps customers ensure the protection of their patients’ health information as stipulated by HIPAA, the Privacy Act of 1974, and the facility’s patient privacy requirements.
Security Operations Center (SOC)
The HSS Security Operations Center (SOC), which exclusively supports HSS security, serves as the centralized monitoring and dispatch center for healthcare facilities nationwide. The key benefits of centralizing responsibility for all of a customer facility’s security-related telephone calls, alarm monitoring, emergency communications, and radio dispatching with HSS include:
- Accelerate officer response time.
- Expedite information sharing.
- Facilitate staff and visitor contact with security.
- Reduce dispatch costs.
Significant Savings
HSS has been able to cut costs 66% or more by moving customers’ dedicated security dispatch to HSS security—and maintain or improve the quality and timeliness of response.
Advanced Communications Technology
HSS continually upgrades its technology to ensure it operates at the highest level of reliability and availability.
HSS’s Nextel communications system has three independent forms of communication—cell phones, radios, and text messaging. If one, or even two, of these fail, the SOC can continue to provide critical communication to the customer’s security officers and responders.
HSS has a Level 5 Emergency Access priority, which is the level just below the President, military, Congress, and first responders. This enhances its ability to communicate in an emergency or disaster.
HSS uses an uninterruptible power supply and generator back-up power for all SOC radio, phone system, and electrical circuits so that it is able to maintain communication during emergencies, disasters, or power failures.
All phone calls and radio transmissions are digitally recorded, which provides the documentation customers need for definitive complaint resolution and effective dispatcher training. Redundant servers ensure that calls are safely retained for future retrieval as needed.
Physical security
Physical security is the heart of healthcare security. There simply is no substitute for the professional expertise and human touch of security officers at a customer's facility. But, given cuts in Medicare and Medicaid funding, hospitals need to ensure they are operating efficiently and cost-effectively. Supplementing physical security with carefully selected and properly applied electronic security is playing an increasingly important role in safeguarding the nation’s healthcare facilities for several reasons:
- Technology brings new efficiencies to security programs that can lower cost.
- HSS Security Incident Management Software (SIMS) facilitates greater understanding of security incidents and provides faster, customized customer reporting. Officers use their mobile handheld devices to file incident reports, access information such as facility orders and “BOLOs” more quickly, and test security equipment and automatically log results.
- Video surveillance and analytics monitoring of parking lots and grounds supplements external patrols and extends the security presence beyond facility doors.
Integrated Physical and Electronic Security
HSS Systems Integration can do it all, from expert design and engineering to installation, monitoring, maintenance, and repair. They’ll set up systems so that they are easy to use—and make sure the customer’s staff are comfortable using them. With HSS as their physical security services provider, customers can be sure that technology effectively supports their security personnel.
INetU
What is INetU?
INetU is a hosting solutions and services company. It follows a customer-centric approach to providing hosting services, which also includes assistance in designing, implementing, proactively monitoring and supporting the customer’s environment, as well as assisting with security, compliance, disaster recovery and performance plans.
The INetU data centers are designed and managed with security and compliance in mind, which ties directly to a customer’s goals as a healthcare organization. They undergo independent audits and retain SOC 3 and TRUSTe certification while practicing end-to-end security and compliance controls for their facilities, networks, servers and software.
The INetU Healthcare Solution includes:
- Security Operations Center (SOC)
- HIPAA Compliance Security Services
- HIPAA Compliance Dashboard
- Healthcare application support expertise
Why INetU?
INetU has over 17 years of experience hosting HIPAA-compliant healthcare applications and has invested considerably to help its clients comply with all facets of the healthcare industry when it comes to application hosting.
With the INetU cloud environment, healthcare organizations can more quickly ensure HIPAA compliance without having to make huge capital investments in technology and manpower. Trained experts at INetU can act as trusted advisors to customer operations.
Features
Security Operations Center (SOC)
INetU supplies the expertise as well as the compliance capabilities. INetU has formed a SOC made up of a team of security experts to engineer, implement and maintain its security services around the clock.
Sensitive data and complex hosting often go hand in hand. Hence INetU focuses on security and compliance hosting and maintains a team of experts (CISSPs, CISAs) to engineer, implement and maintain its security services around the clock, ready to respond at a moment’s notice.
Security As A Service
“Set it and forget it” is not the right approach, but sadly it is the norm for security among cloud hosting providers. The INetU SOC team keeps an eye on security so that customers who sign up for the INetU Security Suite only have to worry about the security of their own code and nothing else. The SOC is the brains behind the tools that keep their sites secure. Experienced security experts review the SIEM logs and let customers know if there is anything to be concerned about, and they keep an eye on any anomalies detected by the IPS/IDS and Application Traffic Firewall. When customers implement File Integrity Monitoring, these experts are the ones who respond to any concerning alerts.
INetU Security Suite Managed by the Security Operations Center (SOC)
The INetU Managed Security Suite gives the protection that customer needs while helping them meet compliance and regulatory requirements such as PCI and HIPAA.
INetU’s Security Suite works across all types of environments, including Dedicated Servers, Private Clouds, INetU's Public Cloud, and even Hybrid Clouds. Customers have just one suite of products and one portal to manage them through, no matter how complex their environment is.
The Security Suite is designed to be used together to provide multiple layers of defense against attackers. This is a concept known as "Defense in Depth": even if an attacker manages to get through one layer, there are still several more layers of defense to keep the customer's data and applications safe.
Application Traffic Firewall
The INetU Security Operations Center watches for any signs of unusual activity on a customer's protected site. In addition, Imperva's Application Defense Center (ADC) is constantly researching new attacks and vulnerabilities on the Internet and working to improve the WAF's ability to protect customers from them.
INetU’s Application Traffic Firewall solution meets the requirements set forth in PCI DSS Section 6.6 and is a component of the implied requirement of Security Best Practices under HIPAA 164.306(a).
Dual Factor Authentication
Dual Factor Authentication takes authentication one step further and requires the customer to enter a code from a physical device in their possession in order to access their systems and the Client Center at INetU. INetU’s dual factor authentication service is available as either a USB key or an app for the customer’s smartphone, so that all users can take advantage of this important security enhancement.
INetU’s dual factor authentication meets the requirements set forth in PCI DSS Section 8.3 and is a component of the requirements of HIPAA §164.312(d).
Log Monitoring & Review
With INetU, log monitoring and review collects detailed log information from the servers and devices in the customer's environment. These logs can be essential for detecting attempted security breaches, misused accounts, and even non-security-related problems. INetU’s SIEM solution meets the requirements set forth in PCI DSS section 10.6 and is a component of the requirements of HIPAA.
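As an added illustration of the kind of review described above (example code written for this page, not INetU's SIEM or any product of the companies profiled here), the following Python script parses a few constructed OpenSSH-style auth log lines and flags two conditions an analyst would want surfaced: a burst of failed logins from one source, and a successful login from a source that had just produced such a burst. The log lines, host name, addresses (RFC 5737 documentation ranges), user names and thresholds are all constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample auth log lines in OpenSSH syslog format. The host name,
# addresses and user names are made up for this example.
SAMPLE_LOG = """\
Mar 10 02:14:01 web01 sshd[1201]: Failed password for invalid user admin from 198.51.100.23 port 50122 ssh2
Mar 10 02:14:03 web01 sshd[1201]: Failed password for invalid user admin from 198.51.100.23 port 50123 ssh2
Mar 10 02:14:05 web01 sshd[1202]: Failed password for root from 198.51.100.23 port 50124 ssh2
Mar 10 02:14:07 web01 sshd[1203]: Failed password for root from 198.51.100.23 port 50125 ssh2
Mar 10 02:14:09 web01 sshd[1204]: Failed password for root from 198.51.100.23 port 50126 ssh2
Mar 10 02:14:20 web01 sshd[1205]: Accepted password for root from 198.51.100.23 port 50127 ssh2
Mar 10 02:30:11 web01 sshd[1300]: Failed password for jsmith from 192.0.2.44 port 40100 ssh2
Mar 10 02:31:40 web01 sshd[1301]: Accepted publickey for jsmith from 192.0.2.44 port 40101 ssh2
Mar 10 03:05:00 web01 sshd[1400]: Accepted publickey for deploy from 192.0.2.10 port 39000 ssh2
"""

# One pattern covers both outcomes; "invalid user" appears only for unknown accounts.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_line(line, year=2024):
    """Return a dict for an sshd auth line, or None for lines we do not handle.
    Syslog omits the year, so the caller supplies it."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect(log_text, threshold=5, window_seconds=300):
    """Scan lines in order and return (alert_type, source_ip, user) tuples.

    brute_force            -> the source reached `threshold` failures inside the window
    success_after_failures -> a login succeeded while the source still had
                              `threshold` or more failures inside the window
    """
    alerts = []
    failures = defaultdict(list)  # source IP -> timestamps of recent failures
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        # Keep only failures that are still inside the sliding window.
        recent = [t for t in failures[ev["src"]]
                  if (ev["ts"] - t).total_seconds() <= window_seconds]
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
            if len(recent) == threshold:  # fire once, when the threshold is crossed
                alerts.append(("brute_force", ev["src"], ev["user"]))
        elif len(recent) >= threshold:
            alerts.append(("success_after_failures", ev["src"], ev["user"]))
        failures[ev["src"]] = recent
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

Run as-is, the script reports the burst from 198.51.100.23 and then the successful root login from the same address, while the single failure from 192.0.2.44 followed by a key-based login stays quiet. The second alert type is the more useful one: a lone burst of failures is noise on any internet-facing host, but a success right after it is the "misused account" case the page mentions and is what an analyst should look at first. Thresholds and the window are tuning knobs; a real SIEM correlates this with other sources (firewall, IPS, application logs) rather than judging one log in isolation.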
File Integrity Monitoring
File Integrity Monitoring (FIM) ensures that customers know if critical system or application files are replaced or modified. It's an extra layer of defense to ensure that they know quickly if their system has been compromised. INetU’s FIM solution meets the requirements set forth in PCI DSS section 11.5.
Firewalls & VPNs
Every solution at INetU is protected by a firewall with SSL VPN capability to allow remote users to administer servers seamlessly while protecting their environment by locking down remote access to authorized individuals.
INetU’s firewall solution meets the requirements set forth in PCI DSS sections 1.1.3, 1.14, and 1.3.6. It's also a component of the implied requirement of Security Best Practices under HIPAA 164.306(a).
Intrusion Detection System (IDS) / Intrusion Prevention System (IPS)
An Intrusion Detection System watches the traffic coming in and out of the customer's environment for signs of an attack, notifying both the customer and INetU the moment it sees anything out of the ordinary. An Intrusion Prevention System takes that one step further and stops the potential attack in its tracks.
INetU’s IDS/IPS solution meets the requirements set forth in PCI DSS Section 11.4.
Vulnerability Scanning
INetU provides two types of vulnerability scanning: internal and external. External vulnerability scanning attempts to find weaknesses from the public internet. Internal vulnerability scanning looks for potential weaknesses from inside the customer's firewall, to ensure that everything is secure even if an attacker manages to find a way into the environment.
INetU’s vulnerability scanning solution meets the requirements set forth in PCI DSS Sections 11.2.1, 11.2.2, and 11.2.3.
Compliance & Audits
INetU’s SOC is experienced in working with auditors to make sure they get the information they need to be confident that the customer's project is hosted in a secure and reliable environment. INetU holds SOC 3 in Security, SSAE 16 Type II, PCI DSS Level 1 Certification and more across four global data centers.
HIPAA Compliance Dashboard
The INetU HIPAA Compliance Solution includes the HIPAA Compliance Dashboard. The dashboard provides high-level and detailed views of the required HIPAA activities and procedures. Customers and their assigned INetU SOC can work together to assess their HIPAA compliance status for each item in the dashboard, understand any areas of non-compliance and address them as needed.
HIPAA Compliance Security Services
INetU provides these basic capabilities and more, all of which should be considered as part of a customer's compliant environment to ensure a secure, HIPAA-compliant cloud infrastructure:
- Network Firewall
- Web Application Firewall (WAF)
- Intrusion Prevention System (IPS) and Intrusion Detection System (IDS)
- Device Hardening
- Virus Protection
- File Integrity Monitoring (FIM)
- Security Information and Event Monitoring (SIEM)
- Offsite Database Backup
- Database Backup Encryption
- External Vulnerability Scanning
- Internal Vulnerability Scanning
- Dual Factor System Authentication
- Multi-Factor Facility Authentication
Bottom-line Checklist
Features/Capabilities   Lunarline   INetU   HSS
FedRAMP                 Yes         No      No
HIPAA Compliance        Yes         Yes     Yes
Corporate Office
295 NE Venture Drive, Waukee, IA 50263
Toll Free: 877.899.9974 x17
Phone: 515.987.4044 x17
Fax: 515.978.2323