Is FireEye Helix HIPAA compliant?

HIPAA (the Health Insurance Portability and Accountability Act of 1996) is U.S. legislation created to improve healthcare standards. Covered entities and their business associates must be HIPAA compliant to protect the rights and privacy of patients and their protected health information (PHI). We know the  HIPAA industry is vast and that it is important to properly detect possible data breaches to ensure HIPAA compliance.

SEE ALSO:  HIPAA compliant email

This is especially true with the recent move toward remote working and the increase in cyberattacks against healthcare. Today, we will determine if FireEye Helix is HIPAA compliant or not.

About FireEye Helix

FireEye is a cybersecurity company with headquarters in Milpitas, California that provides hardware, software, and services to detect and prevent cyberattacks. FireEye Helix is just one of FireEye’s solutions. FireEye Helix is a SaaS (Software as a Service) security operations platform available with any FireEye subscription. It utilizes SIEM (security information and event management) technology to provide real-time analysis of threats. Moreover, the platform can integrate with FireEye and non-FireEye tools to conduct primary functions, such as alert management, search analysis, investigations, and reporting. Organizations and their security teams can take control of all cyber incidences through its easy-to-use interface. FireEye Helix correlates and centralizes cyber data so that organizations can take care of threats and minimize their impact.

FireEye Helix and the business associate agreement

A major part of HIPAA compliance is ensuring a business associate will sign a business associate agreement (BAA). A business associate is a person or entity that performs certain functions or activities that involves the use or disclosure of PHI. In this instance, FireEye is a business associate of a healthcare organization if it scans or protects any documents or devices that contain electronic PHI (ePHI).

RELATED: Is a name PHI?

Generally, the HIPAA Privacy Rule allows healthcare providers to disclose PHI if they receive assurance that the information is protected through a signed BAA. The FireEye website includes a Healthcare Security web page that explores the importance of protecting PHI but does not mention a FireEye BAA. A fact sheet about FireEye Endpoint Security and HIPAA compliance mentions the importance of a BAA but does not state FireEye will sign one. There is no other mention on the FireEye website.

FireEye and data security

The FireEye Healthcare Security web page states, “FireEye security solutions combine proprietary technology with threat intelligence and extensive experience to identify cyber attackers, their plans and their methodology.” FireEye’s products detect and investigate cyber risks while defending the most important threat vectors: network, endpoint, and email. They do this through malware protection, user access controls, a strong firewall, and real-time detectors. Finally, FireEye has undergone a self-assessment and confirmed its compliance with NIST SP 800-171 controls. HIPAA is not mentioned on its Certifications and Compliance web page.

Is FireEye Helix HIPAA compliant?

The BAA is a key component of HIPAA compliance, and we could not find any public information asserting that FireEye will sign a BAA.

RELATED: Your cybersecurity strategy is probably lacking

Conclusion: We cannot determine if FireEye Helix can be HIPAA compliant or not.

Paubox Email Suite for guaranteed HIPAA compliance

Paubox Email Suite, our HITRUST CSF certified solution, provides needed email security (i.e., HIPAA compliant email) and guarantees a signed Paubox BAA.

RELATED: Why healthcare providers should use HIPAA compliant email

Paubox Email Suite works on all devices, and emails can be sent directly from existing email platforms such as Google Workspace or Microsoft 365. Furthermore, Paubox’s email security solution utilizes strong zero-step email encryption so that your communication constantly remains safe and secure. Our Plus and Premium plans come with proactive inbound tools like Zero Trust Email and ExecProtect, which block advanced email threats including display name spoofing.