Healthcare

Kivu is a nationally recognized cyber security leader for the healthcare industry.

Kivu has a depth of practical experience providing pre-emptive risk assessments for and responding to cyber incidents among healthcare organizations and their business associates. We have provided the forensic analysis in dozens of healthcare data breaches, including some of the largest in the US. Our healthcare cases have ranged from major hospital breaches, which made national headlines, to inadvertent disclosure of sensitive data by small business associates.

Kivu works with covered entities and business associates to determine if a breach has occurred, identify the source or vector of the attack, and determine the extent of potentially compromised data. In many cases, Kivu’s forensic analysis has proven that Personal Health Information (PHI) was not compromised, or that the amount of PHI affected was significantly less than feared. In such cases, our clients have avoided unnecessary notification costs and public relations damage.

We are experienced with the unique technical and legal challenges of the healthcare industry

Our clients span the healthcare ecosystem, including: large hospitals, specialty medical practices, third party billing providers, online/Cloud/SAAS business associates, non-profits, pharmaceutical companies, and research institutions. Our analysts are experienced with the technology most likely to be the center of healthcare data incidents, such as: electronic patient record systems, niche patient tracking systems, and data storage systems, often connected to medical and diagnostic devices.

Kivu is experienced with the unique technical, and legal challenges facing HIPAA covered entities. We have successfully investigated different causes of lost or stolen PHI, including laptop theft, improper subcontractor data handling, network hacking, and employee misconduct.

HIPAA risk assessment services

Kivu can conduct an accurate and thorough analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of PHI. Once the risk analysis is complete, Kivu will guide the covered entity in carrying out “reasonable and appropriate” steps to reduce identified risks to reasonable and appropriate levels.

Handling a Huge Healthcare Breach

Kivu was the primary responder to the largest healthcare data breach on the West Coast. Our analysts were onsite within 24 hours of the initial call, and our analysis was instrumental in determining that the extent of the breach was significantly greater than had originally been determined by the client’s in-house IT department. Kivu carried out significant onsite and remote forensic analysis and review of unstructured PHI data to accurately determine the exact number of patients affected and the types of PHI. Kivu also worked closely with the notification/call center vendor in a highly publicized public notification of more than 500,000 patients in multiple states. Kivu provided forensic analysis to the initial breach coach, and the subsequent litigation counsel as a non-disclosed expert.

Brazillan Botnet Breach

A major US hospital determined that malware resided on a server containing significant PHI records. Within 12 hours of retention, Kivu was onsite and forensically collected the malware. Kivu determined that the malware was part of a botnet used by Brazilian criminals operating bank fraud, which was not designed to collect or exfiltrate data stored on the actual host server. In addition, detailed forensic analysis of the server’s deleted areas showed no evidence that data had been collected or exfiltrated by the malware. To confirm Kivu’s findings, Kivu also carried out a discrete Internet investigation of the Brazilian criminal gang behind the malware and determined that they had no history of stealing PII/ PHI, or being involved in identify fraud.

Remote Forensics Reduced Costs

A community medical clinic in a rural location suffered a break-in, where thieves stole 4+ years of server backups stored on multiple unencrypted hard drives. Although police recovered the drives within 72 hours, the clinic needed to prove that PHI data had not been accessed in order to avoid a costly mandated notification. Not only was Kivu able to prove forensically that the data had not been accessed, it accomplished this by using remote analysis tools, avoiding the need to send personnel onsite, thereby reducing the total cost of services by 50%.

Kivu is a nationally recognized cyber security leader for the healthcare industry.

We are experienced with the unique technical and legal challenges of the healthcare industry

HIPAA risk assessment services

Examples of our Work

Handling a Huge Healthcare Breach

Brazillan Botnet Breach

Remote Forensics Reduced Costs

Our Newsletters Will Keep You In The Loop

SERVICES

CLIENT RESOURCES

LEGAL

GET IN TOUCH