No Spreadsheets Needed: Manage HIPAA in SecurityMetrics’ Health Network Portal

Protect your network, save time on HIPAA, and maintain your reputation.

HIPAA management for large networks

Data security and HIPAA compliance are more important than ever for the healthcare sector. From large health networks to small-town medical practices, protected health information (PHI) remains a high-value target for attackers. Health organizations were hit hard in 2017—the healthcare industry experienced 23.7% of total data breaches that year. This trend of cyber-attacks and data theft in healthcare seems like it’s here to stay, but complying with HIPAA requirements will go a long way to protect your system from attackers.

If you’re a HIPAA manager, IT Director, or CISO responsible for network-wide HIPAA compliance at your organization, you know that the vulnerabilities of individual members can affect your network as a whole. But, overseeing your network while managing the compliance of each member often amounts to a series of messy, tedious tasks—especially if your main tracking tools are spreadsheets and emails.

All-in-one network HIPAA management solution

We designed the SecurityMetrics Health Network Portal to be an efficient, organizational portal with tools that facilitate HIPAA management, monitoring, reporting, and tracking. No spreadsheets needed. Plus, HIPAA communications and documentation can be kept on one central platform.

Learn more about the SecurityMetrics Health Network Portal here.

Overview dashboard

The network HIPAA compliance journey begins at the overview dashboard. From this main screen, you can see compliance progress across your network, assign tasks, view scan results and risk summaries, and prepare compliance reports for C-level executives or auditors.

SEE ALSO: How Brightsquid Increased Business with HIPAA Compliance

Member Summary

View progress based on member or location. The member summary tool shows you in real time how individuals’ compliance progress affects the network. You can see which members make the network safer and which ones increase risk. Monitor members’ HIPAA compliance by viewing each of their:

  • Breach protection checklist
  • Risk analysis
  • Risk management plan
  • Vulnerability scanning
  • Policies and procedures


Risk Summary

The overall security of your network is made up of many members’ tasks and efforts. Our risk summary tool calculates a risk level based on the combined data of every member in your network. This lets you see where you’re at and helps determine what your HIPAA goals might be.

SEE ALSO: Health Network Portal Data Sheet

Business associate overview

Covered entities must maintain a signed up-to-date business associate agreement (BAA) for each business associate they work with. Managing these contracts and tracking down business associates is made simple with the business associate overview tool. You can see at a glance how many business associates you work with and pinpoint which ones have yet to sign BAAs.

SEE ALSO: Business Associate Agreements 101

HIPAA tools for every stage and every day

Wherever you are in your HIPAA network compliance journey, the Health Network Portal is an everyday, easy-to-use solution that provides visibility and multi-level views for busy HIPAA managers and compliance officers.

The Health Network Portal guides network-wide compliance efforts and directs attention to potential security gaps, weak spots, and vulnerabilities that would otherwise be missed. It’s intended not only for daily HIPAA management but also to provide reporting resources for meetings, audits, and documentation purposes.

Think the Health Network Portal might be a good fit for your organization? Speak to a specialist or request a quote for your network here.


Our most common questions about the General Data Protection Regulation. 

Ben Christensen
If you’re like most business owners, you’re probably wondering if and how the new EU General Data Protection Regulation (GDPR) applies to you. We’ve received many questions about this new security mandate, and here are answers to our most frequently asked GDPR questions.

What is GDPR?

GDPR stands for General Data Protection Regulation. It was designed to harmonize data privacy laws across Europe, protect and empower all EU citizens with data privacy, and to reshape the way organizations across the region approach data privacy. This mandate replaces the 1995 EU Data Protection Directive and was finally approved by EU parliament on April 14, 2016 after four years of preparation and debate. It went into effect 20 days after its publication in the EU Official Journal—in May of 2016—and will be directly applicable in all member states two years after this date (i.e., May 25, 2018).

When will GDPR come into effect?

The effective date for the EU GDPR is May 25, 2018.

Who does the GDPR apply to? Does it apply worldwide or just to the EU community?

The GDPR applies to any organization (operating in or out of the EU) that processes any personal data, also called personally identifiable information (PII), of EU citizens—whether that organization is a cloud-storage service, university, hospital, merchant, etc.

Does the GDPR apply to organizations outside of the EU that have EU citizens inputting data into their database or website?

Yes. Even if the data subject from the EU inputs their own information, the GDPR requirements still apply.

Are payment card details (such as cardholder names and addresses) protected under GDPR?

Yes. Personal data includes things like name, address, email, IP address, etc.—data that can directly or indirectly identify a person. Even the magnetic card stripe (also known as track data) contains the cardholder’s name.

SEE ALSO: GDPR 101 Part 1: Should I Be Worried?

If I’m already PCI compliant, does that cover GDPR?

No, but there are data security controls that will cross over. The GDPR scope will likely be much larger than PCI DSS requirements, as it includes all personal data, not just payment card details.

How does the GDPR impact small businesses? Especially for those with minimal credit card transactions.

There may be some requirements of the GDPR, for instance keeping “records of processing activities” (Article 30), that will not apply to organizations with fewer than 250 employees. However, there are stipulations to rules like these, and to be safe, you should consult a data security and compliance expert.

What are the possible penalties for noncompliance with GDPR requirements?

Organizations can be fined up to 4% of annual global turnover (aka revenue) or €20 Million—whichever is greater—for violation of GDPR. These are the maximum fines that can be imposed for the most serious infringements, like insufficient customer consent to process data or violation of the core “Privacy by Design” concepts.

According to article 28, there is a tiered approach to fines. A company can be fined 2% of annual global turnover for not having their records in order, 2% for not notifying the supervising authority and data subject about a breach, and 2% for not conducting an impact assessment.

It is important to note that these fines apply to both controllers and processors, and data 'clouds' will not be exempt from GDPR enforcement.

As a result of Brexit, does the UK (and its citizens) still have to follow the GDPR? If the UK doesn't have to follow the GDPR, how will UK-based organizations be impacted by the GDPR?

Since the GDPR applies to the personal data of all EU citizens, businesses in the UK that process EU citizen data post-Brexit would still need to follow its mandates whether or not the UK retains GDPR after Brexit is complete. UK Prime Minister Theresa May announced that the process for the UK to leave the EU would begin on March 29, 2017 and is expected to take at least two years. The effective date for GDPR is May 25, 2018, which means there will be an overlapping window of time when the UK is a member of the EU and the GDPR is in force.

What is the “Right to Erasure” and how will it impact organizations that are required to keep information for a certain amount of time (e.g., HIPAA requirements)?

The “Right to Erasure” is one of the individual rights named in the GDPR. It states that data subjects can request that their personal data be deleted. There are legal and legitimate reasons that organizations could be allowed to keep data beyond retention periods—even if a data subject exercises their right to erasure. For example, an organization may be required to hold records for the IRS, HIPAA requirements, PCI requirements, or legal cases. In these cases, the organization would obviously need a legal basis for keeping such data. It’s best to consult with legal counsel to understand your business’s unique position.

What other individuals’ rights are set forth in the GDPR?

SEE ALSO: GDPR Articles 12-23

How long does a controller have to notify their supervisory authority about a data breach?

Supervisory authorities must be told within 72 hours of when the controller becomes aware of a data breach—where feasible, and unless the controller can demonstrate that the breach is unlikely to result in risk to the rights of the data subject. Controllers may also give reasons for delay, if applicable.

How do we retrospectively gain consent from customers that we already market to on our existing database? 

Conditions for consent to use data are strengthened overall by the GDPR, and personal data used for marketing purposes must be approved beforehand by the customer in the form of an “opt-in” program. While each business and its operations are different, some may be wondering about old contacts, business cards, or mailing lists with data obtained before GDPR. Depending on your business model, there could be a few ways you might be able to address this problem, however remember that you will need to clear any solutions with legal counsel:

  • If you have active customers who put data into a system you control (such as a web-based system) and who visit that system regularly, it seems reasonable to place some sort of consent flag in a database that is set the next time they log in to the system. In other words, collecting consent from active visitors after the fact could work.

  • If you own and store a large database/collection of personal data (collected pre-GDPR), this could be more difficult to deal with. You may want to consult a legal expert in that case.  

Please explain how you advise a US merchant to comply with both SAQ-D and the GDPR standards, specifically the logging requirements of SAQ-D that seem to contradict the “Right to Erasure.”

PCI DSS explicitly requires logging, which is a good thing when it comes to maintaining security, detecting attacks, etc. If you’re in the PCI realm, you should continue to use logging and thorough log management. The “right to erasure” may be a tricky GDPR requirement, and one we feel will need more legal definition and precedent to be established. However, if you foresee this being an issue for your company, you should seek corporate legal counsel.

Does SecurityMetrics offer help with GDPR for small-to-medium businesses?

Yes. SecurityMetrics GDPR Defense is a new product designed to help small-to-medium businesses secure personal data and get on the path to GDPR compliance.

GDPR Defense contains the following tools to help fulfill certain GDPR requirements while also providing a central location to track, maintain, train, and report on those efforts:

  • SecurityMetrics PIIscan: Scans systems and devices for unencrypted PII. Provides file path so users can easily locate, and then delete or encrypt, sensitive data.
  • GDPR Checklist: Defines and breaks down individual GDPR requirements into simple “how to implement” steps. Checklist tracks completion dates of items and then displays that information on the GDPR Implementation Report.
  • Secure Cloud Storage: Provides secure central location for policies and procedures as well as internal data mapping documents. GDPR requires organizations to maintain policies and procedures about encryption, data retention, and data breach response. It also requires knowledge of sensitive data locations.
  • GDPR Implementation Report: Shows evidence of efforts to reach compliance in the event of an audit or data breach. Report displays percentage of implementation completed as well as progress over time.

What can large organizations do to comply with GDPR?

If you’re part of a large organization and need help with GDPR, learn more about our consulting here. 

If you have more questions about GDPR, or would like a PCI audit or HIPAA audit, please contact us.

Ben Christensen (CISA, QSA) has worked in the IT sector for over 19 years. He currently performs security assessments for merchants and service providers looking to become PCI compliant. He is also leading SecurityMetrics' GDPR efforts in developing product offerings and documentation. 

2018 PANscan Results: Storage of Credit Card Data on the Rise

See how much unencrypted card data PANscan® found on business networks in 2017. 

Storage of unencrypted PAN on networks is up

Primary account numbers (PAN) are the 14-, 15-, or 16-digit credit card numbers used to identify individual cards. If merchants unknowingly store unencrypted PAN on their networks, they may pose a big risk to their business.

Manually searching for PAN can get tedious and overwhelming, but tools like PANscan® are designed to search quickly and efficiently in the background without slowing down day-to-day operations.

Since 2010, SecurityMetrics PANscan® has discovered over 1.6 billion unencrypted primary account numbers. Our 2018 PANscan study compiles results from PANscan® users in 2017. We found that credit card data storage is up since last year and has been steadily climbing for the last few years. Remember that these results come only from users of our PANscan® tool, merchants who are already security-minded. This could mean that as a whole, businesses that handle credit card data are faring worse.

Download the 2018 PANscan® Data Analysis Infographic here.

The 2018 PANscan® study

We found that in 2017, PANscan® searched 337,118 GB of data and found over 114 million unencrypted card numbers as well as over 4.5 million instances of track data (i.e., magnetic card stripe data). Sixty-nine percent of users stored unencrypted PAN, and 7% stored unencrypted track data.

In 2016, 67% of PANscan users stored unencrypted PAN, which means credit card data storage is up 2 points since then (a 2.98% increase). Only five percent of these businesses stored track data in 2016, which means there's been a 40% increase. The PCI DSS requires that merchants never store track data, for any reason (Requirement 3.2).

Where did PANscan® find card data?

There are several common places PAN data hides. Whether it’s due to poor process or misconfigured software, unencrypted credit card numbers on a network can be traced to:

  • Error logs
  • Accounting departments 
  • Sales departments
  • Marketing departments
  • Customer service representatives
  • Administrative assistants

Learn more about PANscan®.

Protecting Customers’ Credit Card Data

Keeping unencrypted data on systems is a security risk, but it can also be difficult to avoid. As we mentioned, PAN data can come from departments like marketing, accounting, and sales, but it can also be unintentionally stored due to bad handling processes.

Here are seven tips to find and secure credit card data:

  • Interview Employees: Find out who has access to what card data and how each department interacts with it.
  • Create a card-flow diagram: Map out where card data enters, leaves, is stored, and interacts with/in your system.
  • Use a data discovery tool: As previously mentioned, a well-designed software tool can make a world of difference. PANscan® is designed to run light, work fast, and avoid false positives. 
  • Remove or encrypt data: Protect customers’ credit card numbers by properly removing, deleting, destroying, or encrypting them. 
  • Consider data storage: Rethink whether you really need to store credit card data in any form on your systems. 
  • Limit access to data: Only those who absolutely need to access card data for their job should be able to.
  • Segment your network: Separate your card data environment from other systems, using firewalls or other methods. This way you can reduce the potential for data leakage to unauthorized areas. 

For more information about PCI compliance, a PCI audit, or data security, contact us here.

2018 HIPAA Guide: Highlights for Business Associates

A reference for business associates using the SecurityMetrics HIPAA Guide at their organizations. 

We released the SecurityMetrics 2018 Guide to HIPAA Compliance on November 30, 2017.

Business associates (BA) and small entities will benefit from this desk-side HIPAA reference, especially since they may have limited resources and are often self-taught.

Our HIPAA Guide was created to help business associates with some of the more challenging aspects of HIPAA compliance like the minimum necessary rule, secure data deletion, business associate agreements, and network segmentation.

If you’re a BA and in charge of HIPAA, you can use the following page numbers and HIPAA Guide highlights to help guide you through your more common HIPAA concerns and challenges.

Common business associate concerns (PP. 11-12)

Reminder: a BA is a person or entity that performs certain functions that involve the use or disclosure of PHI (e.g., IT provider). Business associates can be from legal, actuarial, consulting, data aggregation, management, administrative, accreditation, and/or financial organizations. Some possible business associate functions include:

  • Claims processing or administration
  • Data analysis, processing, or administration
  • Utilization review
  • Quality assurance
  • Billing
  • Benefit management
  • Practice management
  • Repricing

These are some of the most basic questions business associates face when getting HIPAA compliant:

  • Do Business Associates have to be HIPAA compliant?

When it comes to responsibility, if your organization is considered a business associate, you may think you’re exempt from HIPAA compliance, especially if you don’t consider yourself a part of the healthcare industry. However, HHS requires that any business associate that creates, receives, transmits, and/or maintains protected health information (PHI) in any way be HIPAA compliant.

  • Are Business Associates responsible for patient data?

Business associates are legally bound to protect PHI. You must comply with all data security requirements in HIPAA and follow the Security and Breach Notification Rules (unless contractually obligated to follow the Privacy Rule). You are required to protect PHI just as a covered entity would: by means of network segmentation, secure data destruction, etc.


Minimum necessary requirement (PP. 100-102)

A large portion of the Privacy Rule is based on the minimum necessary requirement, which states that only those who need to see or access PHI to do their jobs should get to see or access it.

BAs often think their covered entity holds the sole responsibility of deciding how much data they receive. This is simply not the case. Both business associates and covered entities have a minimum necessary responsibility under HIPAA.

BAs should only accept and use the minimum amount of data necessary. Even they can face fines from HHS if they accept or demand more data than is necessary from covered entities. As a business associate, if you receive too much data from a covered entity, you are responsible for letting the covered entity know.

Check out page 102 of the HIPAA guide to learn about instances when the minimum necessary rule does not apply.

Permanently destroy or delete PHI (PP. 21, 26-27, 105)

The first step to managing/deleting old data is deciding how long you need to keep it. Many states have requirements about the amount of time that you must keep patient data. This can apply to uses and disclosures and even the patient record. Entities commonly maintain data for a minimum of a decade. If a patient has passed away, there will be additional requirements for data retention that must also be considered.

The second step is to understand how to permanently destroy or delete data. Most people understand that physical sensitive data should be destroyed permanently by shredding, burning, or pulping.

But when it comes to electronic data, merely deleting or moving sensitive information to the Trash or Recycle Bin on your computer will not permanently remove it. Your computer won’t be able to find that file, but it still exists.

HHS has determined that for electronic PHI, overwriting or clearing (i.e., using software or hardware products to overwrite media with non-sensitive data) is the best way to securely delete sensitive patient data on systems still in use.
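The clearing method described above is overwriting in place. As an added example (not code from the SecurityMetrics HIPAA Guide), here is a Python routine that overwrites a file with random bytes, forces the write through to the device, and only then unlinks it. The function names and the sample patient record it builds are my own constructions; `demo_roundtrip` writes a constructed fake record to a temporary file, clears it, and reports that the text is gone before the file is removed.

```python
"""Overwrite-then-delete for a file holding ePHI (added illustration)."""
import os
import secrets
import tempfile


def overwrite_file(path: str, passes: int = 1, chunk: int = 1 << 20) -> int:
    """Overwrite every byte of the file in place with random data and force it
    to disk. Returns the number of bytes overwritten in each pass."""
    size = os.path.getsize(path)
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk, remaining)
                f.write(secrets.token_bytes(n))
                remaining -= n
            f.flush()
            # Without fsync the new bytes may sit only in the page cache;
            # the original content could still be on the platter/flash.
            os.fsync(f.fileno())
    return size


def secure_delete(path: str, passes: int = 1) -> int:
    """Clear the file's contents, then remove the directory entry."""
    size = overwrite_file(path, passes)
    os.remove(path)
    return size


def demo_roundtrip() -> dict:
    """Constructed demonstration: fake record in, random bytes out, file gone."""
    # Constructed sample content; not real patient data.
    marker = b"PATIENT: Jane Doe, MRN 000-CONSTRUCTED-000, DOB 1970-01-01\n" * 100
    fd, path = tempfile.mkstemp(suffix=".txt")
    with os.fdopen(fd, "wb") as f:
        f.write(marker)

    size = overwrite_file(path)          # step 1: clear in place
    with open(path, "rb") as f:
        after = f.read()                 # what a reviewer would now see on disk
    deleted = secure_delete(path)        # step 2: clear again and unlink

    return {
        "size": size,
        "length_unchanged": len(after) == len(marker),
        "marker_survived": b"Jane Doe" in after,
        "exists_after": os.path.exists(path),
        "deleted_bytes": deleted,
    }


if __name__ == "__main__":
    for key, value in demo_roundtrip().items():
        print(f"{key}: {value}")
```

An in-place overwrite like this only reliably clears data on a plain, non-journaled filesystem on magnetic media. On SSDs (wear levelling), copy-on-write or journaled filesystems, and cloud block storage, the filesystem may write the new bytes to a different physical location and leave the old blocks intact, which is why retired media should be degaussed or physically destroyed as the section goes on to say, and why every backup copy needs the same treatment.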

When thinking about how to permanently delete files from your network, don’t forget about any archived data, including:
  • Time Machine backups
  • Cloud backups
  • External hard drive backups
  • CD or DVD backups
  • Email backups 
  • FTP backups
  • Server backups 
  • Mirror backups 
  • Offsite backups

If media is magnetic (e.g., tapes, hard drives), it should be degaussed or demagnetized.

But if you don’t plan to use the media again, it’s highly recommended to physically destroy it. Some third-party organizations have industrial-sized shredders to dispose of larger hardware.

Business associate agreements (PP. 110-113)

The HIPAA Final Omnibus Rule requires covered entities to implement or update a business associate agreement (BAA) when a BA creates, receives, maintains, and/or transmits electronic patient data.

In these new or revised BAAs, covered entities, business associates, and subcontractors agree to share responsibility for patient data protection and breach notification. Here are a few examples of what should be included in your business associate agreement:
  • A minimum necessary policy 
  • Business associate’s permitted use of PHI
  • Prohibited use of PHI 
  • Covered entity’s responsibility
  • Appropriate safeguards to protect PHI
  • Breach reporting guidelines
  • Contract termination provisions

Covered entities typically will not work with you if you refuse to sign a BAA or to comply with HIPAA regulations. You should know what is in the BAA you sign, and what exactly you’re liable for when it comes to protection of PHI.

SEE ALSO: Business Associate Agreements 101

Network segmentation (PP. 12, 46-47)

Business associates often set up large flat networks, where everything inside the network can connect to everything else. You may have one firewall at the edge of your network, but that’s it. Generally, the more places that have access to patient information, the higher the chances for a HIPAA violation or data breach.

Network segmentation can be achieved through use of specific firewalls and the sectioning off of systems that contain or receive PHI from the rest of the network.

Network segmentation is especially useful for you if you need to protect PHI. If done properly, it can greatly reduce time, energy, money, and potential liability related to HIPAA.

SEE ALSO: PIIscan Searches Systems for Unencrypted Data

HIPAA applies to business associates

Even though as a business associate, you may not deal with patients and their data in the same exact way as covered entities, you are still required to comply with HIPAA rules and regulations.

The SecurityMetrics 2018 HIPAA Guide provides plenty of guidance specifically for business associates to help you keep data safe and move towards HIPAA compliance. Our ultimate goal is to empower individuals at organizations to protect patient data. We want to provide resources that educate employees at all levels about HIPAA rules and regulations.

Have questions about data security or HIPAA compliance, or interested in a HIPAA audit? Contact us.

PIIscan: Find and Secure Unencrypted Personal Data

SecurityMetrics PIIscan Helps You Comply with Security Standards and Mandates. 

What is PII, and why do I need to find it?

Personally Identifiable Information (PII) is data kept by an organization which can be used to “distinguish or trace an individual’s identity,” according to NIST. For example, PII could include names, birth dates, birth places, mothers’ maiden names, or social security numbers. “Linked PII” is any information that is linkable to an individual, like educational, medical, employment, or financial information.

Storing these types of information unencrypted on your systems and devices can leave your organization open to fines and make you more vulnerable to data theft.

Organizations can manually search for PII on their systems and devices, but doing so is time-consuming, tedious, and expensive in terms of working hours.

Sensitive Data Discovery Tool: SecurityMetrics PIIscan

PIIscan was created to help organizations quickly find and secure unencrypted PII on their systems. The data discovery tool is now widely available and helps organizations and businesses of all sizes comply with data security mandates and standards in the US and EU. 

This scanner runs light, but performs a big job. According to Product Manager Kai Whitaker, “PIIscan is designed to be quick, small, and powerful. Organizations find value and increase their security through the effective scanning that PIIscan provides.”

SEE ALSO: SecurityMetrics Releases PIIscan

Unencrypted PII hides in unexpected places

Of all the organizations that conducted first-time data discovery scans with SecurityMetrics PIIscan, 61% found unencrypted PII in their networks. Many times, this sensitive data shows up in accounting, marketing, or other unexpected areas or departments.

Caches of unencrypted PII are highly valuable to data thieves. PIIscan searches systems, hard drives, and attached storage devices for unencrypted sensitive data. If it does find unencrypted sensitive data, it provides you a path to the file location where the unencrypted information is found.


If you are fulfilling the requirements of security standards and mandates like the EU’s General Data Protection Regulation (GDPR), the Payment Card Industry Data Security Standard (PCI DSS), or the Health Insurance Portability and Accountability Act (HIPAA), it’s important to know where PII is on your systems and whether it’s encrypted or not.

PIIscan searches not only for PII, but also for payment card data like primary account numbers and magnetic stripe track data. PIIscan finds the following information:

  • USA Social Security Numbers (SSN)
  • UK National Insurance Numbers (NINO)
  • Canada Social Insurance Numbers (SIN)
  • Australian Tax File Numbers (TFN)
  • Australian Business Numbers (ABN)
  • Primary account numbers (PAN)
  • Magnetic stripe track data
  • Protected Health Information (PHI)
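The PANscan and PIIscan posts describe what a data discovery tool finds (unencrypted PAN, magnetic stripe track data, SSNs) but not how such a scan tells a card number apart from a timestamp or a session id. As an added illustration, not SecurityMetrics’ code, here is a small Python scanner run over a constructed log excerpt. Candidate digit runs are accepted as PANs only if they pass the Luhn check, track data is recognised by its ISO/IEC 7813 sentinels (`%B…?` and `;…=…?`), and every finding is reported masked so the scan report does not itself become a store of cardholder data. It accepts 13- to 19-digit PANs, the general range, rather than only the 14-, 15- and 16-digit lengths the post mentions. The regular expressions, function names and sample lines are my own.

```python
"""Toy unencrypted cardholder data / PII discovery scanner (added illustration)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List

# Candidate PAN: 13-19 digits, optionally separated by single spaces or dashes,
# and not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# ISO/IEC 7813 track 1 (%B<PAN>^<NAME>^<YYMM>...?) and track 2 (;<PAN>=<YYMM>...?).
TRACK1_RE = re.compile(r"%B(\d{13,19})\^[^^?]{2,26}\^\d{4}[^?]*\?")
TRACK2_RE = re.compile(r";(\d{13,19})=\d{4}[^?]*\?")
# US SSN in dashed form; area 000/666/9xx, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")

# Constructed sample: the kind of text found in an application or gateway log.
# All numbers are well-known test values or invented; none is a real card or SSN.
SAMPLE_LOG = """\
2017-11-30 09:14:02 INFO  order=88213 amount=42.10 auth=approved
2017-11-30 09:14:05 ERROR gateway timeout, request body: {"card": "4111 1111 1111 1111", "exp": "12/25"}
2017-11-30 09:15:11 DEBUG swipe raw=%B5555555555554444^DOE/JANE^2512101000000000?;5555555555554444=25121010000000000?
2017-11-30 09:16:40 INFO  customer ssn=123-45-6789 updated in CRM export
2017-11-30 09:17:02 INFO  session=1234567890123456 refreshed
2017-11-30 09:18:30 WARN  amex decline pan=378282246310005 code=05
"""


@dataclass(frozen=True)
class Finding:
    kind: str      # "PAN", "TRACK1", "TRACK2" or "SSN"
    line_no: int
    masked: str    # redacted value: the report must not re-expose the data


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check: every real PAN passes it, most random digit runs do not."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Keep first six and last four digits, the usual display maximum."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def scan_line(line: str, line_no: int) -> List[Finding]:
    findings: List[Finding] = []
    # Track data first: it embeds a PAN, so record it once as track data and
    # blank it out so the PAN pattern does not report the same number again.
    for kind, rx in (("TRACK1", TRACK1_RE), ("TRACK2", TRACK2_RE)):
        for m in rx.finditer(line):
            findings.append(Finding(kind, line_no, mask_pan(m.group(1))))
        line = rx.sub(lambda m: " " * len(m.group(0)), line)
    for m in PAN_RE.finditer(line):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):   # drops timestamps, session ids and similar noise
            findings.append(Finding("PAN", line_no, mask_pan(digits)))
    for m in SSN_RE.finditer(line):
        findings.append(Finding("SSN", line_no, "***-**-" + m.group(0)[-4:]))
    return findings


def scan_text(text: str) -> List[Finding]:
    out: List[Finding] = []
    for n, line in enumerate(text.splitlines(), 1):
        out.extend(scan_line(line, n))
    return out


def scan_file(path: str) -> List[Finding]:
    """Scan a text file; undecodable bytes are replaced rather than aborting the scan."""
    with open(path, "r", encoding="utf-8", errors="replace") as f:
        return scan_text(f.read())


def summarize(findings: List[Finding]) -> Dict[str, int]:
    return dict(Counter(f.kind for f in findings))


if __name__ == "__main__":
    results = scan_text(SAMPLE_LOG)
    for f in results:
        print(f"line {f.line_no:>3}  {f.kind:<6}  {f.masked}")
    print("summary:", summarize(results))
```

Two design points carry over to any real discovery tool: the Luhn filter is what keeps the false-positive rate low enough for staff to act on every finding (line 5 of the sample, a 16-digit session id, is correctly ignored), and masking in the report matters because an unmasked findings file would itself be a new cache of unencrypted cardholder data that the next scan would have to find.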

SEE ALSO: GDPR 101 Part 1: Should I Be Worried?

More Tips to help you find and protect PII Data:

1. Monitor your PII data flow
To help find PII flows you might not immediately know about, create and regularly update a PII flow diagram that tracks the processes you go through as you receive, use, store, or transmit sensitive data.

This will help you see where PII enters and exits your organization.

Here are some areas unprotected PII may be hiding:
  • Printers often store old jobs, which could include sensitive data
  • Error logs frequently contain sensitive numbers in plaintext during a failed authentication
  • Accounting and marketing departments may have email or paper forms with PII
  • Web browser cache may store PII inadvertently

2. Secure and Encrypt PII
When possible, avoid using and storing PII. You can also avoid storing sensitive data by using tokenization or outsourcing sensitive data handling to a third party.

But if you do need to keep data, make sure to find and encrypt PII. All electronic PII that is received, stored, handled, or transmitted in your systems and work devices must be encrypted. Industry best practice would be to use AES-128, AES-256, or better.

3. Segment Your Networks
While not all mandates require network segmentation, it’s considered security best practice to keep your networks that handle sensitive data like PII separate from your other networks.

Whether done physically or through firewall implementation, make sure systems that receive, store, handle, and transmit sensitive data are kept separate from other systems. Confirm that the separation actually holds by regularly performing “segmentation checks.”

Learn more about sensitive data discovery tools or call us about a PCI audit or HIPAA audit at