HIPAA/PCI compliance service launched


Redspin, a provider of penetration testing and IT security assessments, has launched a new service that helps healthcare providers jointly address important HIPAA and PCI DSS security compliance requirements in a more efficient manner.

The new Redspin service combines a HIPAA security risk analysis and PCI DSS 3.0 gap analysis into a single scope of work. The shared assessment streamlines the process by leveraging the common elements in data collection, data analysis and policy reviews of HIPAA and PCI DSS 3.0.

The result is a single report of findings with remediation recommendations that can be addressed holistically, without duplicated data gathering or control reviews. Redspin positions the service as a way to strengthen healthcare clients' security posture across both regimes while saving them time and money.

"Over the past few years, healthcare organizations have been very focused on HIPAA's privacy and security rules," said Daniel Berger, Redspin's president and CEO. "Yet along with the enormous increase in electronic health records, there has also been a steady rise in payment card transactions at hospitals and clinics. Health providers need to ensure that they have adequate safeguards in place not only to safeguard PHI but also to protect their patients' credit card data."

Although PCI DSS 3.0 took effect on January 1, 2014, organizations have a full year to review the new requirements and update their security programs accordingly, with version 2.0 remaining valid through the end of 2014. Many of the changes in PCI DSS 3.0 are significant, such as: increased point-of-sale device security, mitigation of payment card risk introduced by third parties such as cloud providers and payment processors, and updated guidance on penetration testing requirements.

The scope of work of Redspin's combined HIPAA Security Risk Analysis and PCI DSS 3.0 gap analysis enables HIPAA covered entities to meet and maintain HIPAA compliance while also gaining an understanding of any gaps that may exist before PCI DSS 3.0 is enforced. "Rather than two discrete projects," said Berger, "there is real value to a coordinated and shared assessment. A good example is the new requirement for demonstrative evidence on the demarcation or segmentation of the cardholder data. When we scan networks for potential exposure of PHI, we often find credit card numbers as well."

Redspin, HIPAA, PCI DSS, Daniel Berger