CrowdStrike Falcon Independently Validated for HIPAA Compliance

The CrowdStrike Falcon Platform has been independently validated to meet compliance with the Health Insurance Portability and Accountability Act (HIPAA), according to an announcement made today.

The validation was provided in a report by Coalfire, an independent assessor for HIPAA, HITRUST, PCI, FedRAMP and other compliance standards across the financial, government, industrial, and healthcare sectors.

HIPAA is an act passed in 1996. Title II of HIPAA provides regulations and guidelines for maintaining the security and privacy of individually identifiable health information. According to this independent report, “the CrowdStrike Falcon platform capabilities in detection and responding to threats, and associated collection of activities makes CrowdStrike a suitable solution for addressing a number of key technical requirements in the HIPAA Security and Privacy Rules.”

According to a press release from CrowdStrike, Coalfire has determined that CrowdStrike Falcon addresses eight requirements, namely:

45 CFR 164.306(A)

  • Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity or business associate creates, receives, maintains, or transmits.
  • Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
  • Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part; and
  • Ensure compliance with this subpart by its workforce.

45 CFR 164.308(a)(1)(ii)(B)

  • Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with § 164.306(a): Security Standards, Administrative Safeguards

45 CFR 164.308(a)(1)(ii)(D)

  • Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

45 CFR 164.308(a)(5)(ii)(B)

  • Implement procedures for guarding against, detecting, and reporting malicious software.

45 CFR 164.308(a)(5)(ii)(C)

  • Implement procedures for monitoring login attempts and reporting discrepancies.

45 CFR 164.308(a)(6)(ii)

  • Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity or business associate; and document security incidents and their outcomes.

45 CFR 164.312(b)

  • Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

45 CFR 164.404(b)

  • A covered entity shall, following the discovery of a breach of unsecured protected health information, notify each individual whose unsecured protected health information has been, or is reasonably believed by the covered entity to have been, accessed, acquired, used, or disclosed as a result of such breach.
  • Breaches treated as discovered.


Jeff Edwards