Qualys Solutions for IT Security & Compliance

Qualys' continuous security approach to IT security and compliance enables organizations of all sizes to successfully achieve both vulnerability management and policy compliance initiatives cohesively, while reducing costs and streamlining operations. Using an innovative Software as a Service (SaaS) approach, the Qualys® Security and Compliance Suite combines Qualys' industry leading vulnerability management service with a comprehensive IT compliance solution.


Any healthcare organization that stores, processes or transmits personal health information (PHI) is required to comply with the Health Insurance Portability and Accountability Act and safeguard all protected data. The related HITECH Act mandates securing a new regime of electronic health records (EHR) — and prescribes stiff penalties for organizations that fail to do so. Compliance entails deployment of security controls and processes to fulfill the laws. This page provides background information about security for HIPAA and HITECH and describes how solutions from Qualys help businesses to be compliant.


HIPAA is U.S. Public Law 104-191 — the Health Insurance Portability and Accountability Act of 1996. Congress created the Act to improve health care enabled by the nation's health plans and providers. HIPAA mandates standards-based implementations of security controls by all health care organizations that create, store or transmit electronic protected health information. The HIPAA Security Rule governs protection of PHI. Organizations must certify their security programs via self-certification or by a private accreditation entity. Non-compliance can trigger various civil penalties, including fines and/or imprisonment.

HITECH is the Health Information Technology for Economic and Clinical Health Act, which brings additional compliance standards to healthcare organizations. It is directly related to HIPAA, and was part of the American Recovery and Reinvestment Act of 2009. HITECH requires healthcare organizations to apply "meaningful use" of security technology to ensure the confidentiality, integrity, and availability of protected data. Detailed requirements for HIPAA and HITECH are managed by the Department of Health and Human Services (HHS).

Why HIPAA / HITECH Matters to Your Organization

People expect healthcare organizations to keep their personal health information confidential and safe from data breaches and other exploits. Healthcare organizations will also have self-interest at heart because penalties for non-compliance with HIPAA / HITECH can be substantial. In cases of "willful neglect," a HITECH penalty can be at least $50K per violation up to a total of $1.5 million in a calendar year. Other breach-related costs will be incurred for discovery and containment, investigation of the incident, remediation expenses, attorney and legal fees, loss of customer confidence, lost sales and revenue, brand degradation, and so on. Compliance is a serious responsibility on many levels.

Considerations for a HIPAA / HITECH Security Compliance Program

Security is a crucial part of HIPAA / HITECH. The Department of Health and Human Services states, "[It] is important to recognize that security is not a one time project, but rather an ongoing, dynamic process." HIPAA therefore requires security-related processes, many of which are often best implemented with automated technology. HIPAA regulations do not mandate particular security technologies. Instead, they specify a set of principles for guiding technology choices — principles that mirror those underpinning the on demand Qualys vulnerability management and policy compliance solutions.

Your organization's compliance program should address two issues: (1) selecting and deploying security controls that meet HIPAA / HITECH requirements, and (2) providing a way to regularly audit the status of those controls to ensure continuous protection of PHI and EHR, and ongoing compliance. Providing an independent assessor with audit-quality documentation of these steps and your security measures simplifies compliance audits.

How Qualys' Solutions Help Businesses Meet HIPAA / HITECH Requirements

Qualys' solutions enable immediate compliance with key HIPAA security regulations by allowing subscribers to automatically discover and manage all devices and applications on the network, identify and remediate network security vulnerabilities, measure and manage overall security exposure and risk, and ensure compliance with internal and external policies for HIPAA.

In particular, the Qualys Security and Compliance Suite meets key security technology auditing requirements detailed in the Department's "Health Insurance Reform: Security Standards," Final Rule 45 CFR Part 164.308. Qualys fulfills key Administrative Safeguards for evaluation, security management, security incident procedures, training, and security assurance requirements of business associate contracts. The following is a summary of how these requirements are met by solutions in the Qualys IT Security and Compliance Suite.

HIPAA / HITECH Requirements     Qualys Capabilities
Security Management Process
  • 164.308(a)(1)
  • 164.308(a)(1)(ii)
  • 164.308(a)(1)(ii)(A)
  • 164.308(a)(1)(ii)(D)
Qualys' Vulnerability Management and Policy Compliance solutions underpin security management with a complete, automated system for security audits and IT compliance management.
Information Access Management
  • 164.308(a)(4)
  • 164.308(a)(4)(ii)(A)
  • 164.308(a)(4)(ii)(B)
Audits user access to systems and databases containing PHI.
Security Awareness and Training
  • 164.308(a)(5)
  • 164.308(a)(5)(ii)(B)
  • 164.308(a)(5)(ii)(C)
  • 164.308(a)(5)(ii)(D)
Security and configuration data revealed by Qualys reporting capabilities help staff and management understand their network security posture and how to further protect it against emerging threats.
Security Incident Procedures
  • 164.308(a)(6)
Security and configuration audit assessments provide hard data for conceiving, implementing, and managing security policies.
  • 164.308(a)(6)
Automatically and regularly tests and documents security capabilities and configuration settings before and after installation and maintenance of networks, systems, or applications.
Workstation Security
  • 164.310(c)
Qualys automatically and regularly tests and documents security capabilities and configuration settings before and after installation and maintenance of networks, systems, or applications.
Device and Media Controls
  • 164.310(d)(2)(i)
  • 164.310(d)(2)(iv)
Tests and documents configuration settings automatically before and after installation and maintenance of networks, systems, or applications.
Access Control
  • 164.312(a)(1)
Audits user access to systems and databases containing PHI.
Audit Control
  • 164.312(b)
Automatically and regularly tests and documents configuration settings before and after installation and maintenance of networks, systems, or applications.
  • 164.312(c)(1)
  • 164.312(c)(2)
Audits user access to systems and databases containing PHI.
Transmission Security
  • 164.312(e)
  • 164.312(e)(1)
Audits transmission settings on systems, thus validating secure transmission of PHI.