HIPAA Security Standards and the ISO/IEC 27000 Series (Zygma white paper)


the Zygma partnership LLC

Achieving HIPAA Security Standards compliance by implementing an ISO/IEC 27000 series Information Security Management System (white paper)
v1, 2005-12-04

COPYRIGHT
The Zygma partnership LLC asserts ownership of all intellectual and copy rights in analytic material presented in this paper: the HIPAA is a publicly-promulgated US Federal Act and ISO/IEC hold the copyright in the texts of ISO/IEC 17799 and 27001.

DISCLAIMER
The Zygma partnership LLC has applied its best endeavours in the preparation of this paper, which it freely distributes for public edification, but accepts no liability arising from its use or application by any other parties, howsoever arising. Errors may have arisen in the transposition of text from reference sources and the analysis, whilst undertaken diligently and in good faith, may contain oversights or omissions, and in any event is subjective and performed in a general context, without regard to the needs of any specific entity or party. Those who choose to act upon any statements or claims presented in this paper do so entirely at their own risk.

Zygma regrets that it has to state a disclaimer but, sadly, it's a pretty litigious society these days, so one does the risk analysis and works out one's risk treatment plans (ISO/IEC 27001:2005 §4.2.1 d), e), f), g)).

© 2005 the Zygma partnership LLC

HIPAA Security Standards compliance by implementing an ISMS - white paper v1 2005-12-04

CONTENTS
1. Scope & purpose
2. Background to referenced standards
2.1. Health Insurance Portability and Accountability Act
2.2. ISO information security management system series
2.3. HIPAA Security Standards / ISMS inter-relationship
3. Comparative assessment
4. Findings and conclusions from the mapping
5. How a certified ISMS benefits HIPAA Security Standards compliance
6. Practical application
7. Mapping of ISO/IEC 17799:2005 to HIPAA Security Standards clauses
8. HIPAA Security Standards clauses against 17799
9. HIPAA Extended Controls Set
10. Linked reverse mapping (HIPAA to 17799 & ECS)
11. Implementing an ISMS to show HIPAA Security Standards compliance
12. Acknowledgements to Peer Reviewers
Annex A - References

1. Scope & purpose

This paper has been prepared to provide those organizations having an interest in compliance with the US Health Insurance Portability and Accountability Act (HIPAA - 1996, revised 2003) Security Standards[1], especially those in the business of handling 'electronic protected health information'[2], with an understanding of the inter-relationship between those Security Standards and the growing ISO/IEC 27000 series of standards for Information Security Management Systems (ISMS).

The paper shows how these ISMS standards can be applied by a business to demonstrate its compliance with the HIPAA whilst providing additional benefits, such as broader assurance across the whole (or a well-defined sub-unit) of an organization's information security management system and certified compliance of that system based upon an internationally recognized scheme which will be acknowledged by business partners, investors, and customers.

The paper relates to the latest versions of the referred-to standards, as of the date of the paper's publication (see 'References').

[1] CFR Title 45 – Public Welfare, Subtitle A Department of Health And Human Services, Part 164 "SECURITY AND PRIVACY", Subpart C, "Security Standards for the Protection of Electronic Protected Health Information".

[2] The term 'Electronic Protected Health Information' is a defined term within CFR 45 Part 164 Sub-part C § 160.103, deferring to CFR § 164.501 which defines Protected Health Information (PHI) as "individually identifiable health information that is transmitted by, or maintained in, electronic media or any other form or medium. This information must relate to 1) the past, present, or future physical or mental health, or condition of an individual; 2) provision of health care to an individual; or 3) payment for the provision of health care to an individual. If the information identifies or provides a reasonable basis to believe it can be used to identify an individual, it is considered individually identifiable health information".

2. Background to referenced standards

2.1. Health Insurance Portability and Accountability Act

The US Health Insurance Portability and Accountability Act (HIPAA), passed in 1996, obligates healthcare organizations to "have in place appropriate administrative, technical, and physical safeguards to protect the privacy of protected health information" (ref. CMS, "HIPAA Administrative Simplification Privacy", § 164.530 (c)(1)). However, the HIPAA did not provide guidance as to what measures and controls would be 'appropriate' and hence healthcare organizations have experienced difficulty in determining how they could show compliance. In 2003 a revision to the HIPAA led to the addition of a new Subpart, addressing security standards[1].

The Security Standards give substantial guidance to healthcare organizations, setting out clauses which require full compliance (the HIPAA does actually label these clauses as 'required') and other clauses where the subject organization (the 'covered entity', in HIPAA parlance) has to exercise judgment as to how, and the extent to which, they comply with them (labeled by the HIPAA as being 'addressable'). All the HIPAA Security Standards clauses are essentially mandatory (normative), although compliance with those which are addressable may in some cases be excluded if they can be shown to be inapplicable. Their inapplicability is for the subject organization to determine and defend: in the HIPAA's own terms (§ 164.306(d)(3)), an addressable specification that is judged not reasonable and appropriate must be documented as such, and an equivalent alternative measure implemented where one is reasonable and appropriate.

The HIPAA sets out its Security Standards in § 164.306 to '318 inclusive: generally each Standard is accompanied by one or more 'Implementation specifications'. In some cases Standards are stated without related Implementation specifications. This paper assumes that stand-alone Standards clauses are also 'required' (the HIPAA makes no explicit statement in this regard).

Although the HIPAA sets out these standards clauses, it should be noted that it neither offers nor requires any specific information security framework within which they should be managed, nor a means for applying a commonly-accepted audit process which leads to certification of their compliance. Furthermore, it is appropriate that it does not address these issues, since it is a regulation. However, healthcare organizations which are subject to the Act (or indeed those which choose to comply in order to provide third-party services to organizations which are covered entities as defined by the Act) do need to address these issues and, for business efficiency reasons, should do so in a fashion which integrates with their existing management systems with minimal additional load, commensurate with providing the comfort (for themselves as well as other parties) which comes from a high degree of assurance that they, as a covered entity, comply with the HIPAA. The ISO/IEC 27000 series of Information Security Management Systems (ISMS) standards provides them with such a means.

The full text of the HIPAA is available electronically from the Electronic Code of Federal Regulations beta test site[3]. That version of the text has been the basis for this analysis. In the remainder of this paper the abbreviation 'HIPAA' is used to refer to the Security Standards in particular.

2.2. ISO information security management system series

This series of standards is based upon existing and proven standards, with additional standards presently being drafted by ISO/IEC. The actual development work is the responsibility of a specific sub-committee responsible for the development of Security Techniques, ISO/IEC JTC1 SC27. The ISMS-related standards will eventually be collected under the generic grouping ISO/IEC 27000.

At present there are two published standards in this family: ISO/IEC 27001:2005 "Information technology – Security techniques – Information security management systems – Requirements", and ISO/IEC 17799:2005 "Information technology – Security techniques – Code of practice for information security management" (which will eventually be re-issued as ISO/IEC 27002). Other standards are being drafted and will support the ISMS model as defined by 27001.

Both of these standards evolved in the UK and have now been published as British Standards for an entire decade. In that time they have been acknowledged around the world as being the leading edge in information security management practices, and honed through international feedback. Now they have gained international status through publication by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC): 17799 in 2000, 27001 as recently as October 2005. Although these standards have been recognized in the USA by such bodies as Congress' Joint Economic Committee[4], a number of States and significant businesses, take-up has been generally weak because of their 'foreign' image. Today however the international standing of these standards is leading to them being more widely embraced in the USA. The ANSI-ASQ National Accreditation Board[5] (ANAB) is establishing an ISMS accreditation scheme which, for the first time, will put in place a US-based means of accrediting certification bodies who can perform ISMS audits. These accreditation services will be internationally harmonized, with common standards for the accreditation of ISMS certification bodies and for the qualification of trained ISMS auditors (which many other nations have already established). Those certification bodies would then be able to offer truly US-based ISMS certification services. Their certifications will be recognized globally[6].

The full texts of ISO standards are available from standards bodies – suggested sources in the US are the American National Standards Institute[7] or BSI Americas[8], in the UK the British Standards Institute[9].

In the remainder of this paper, these standards will be referred to simply by their allocated common name or identification numbers, i.e. 27001, 17799.

[3] see http://www.gpoaccess.gov/cfr/retrieve.html to search for this and other parts.

[4] In May 2002 the Joint Economic Committee of the US Congress reported on "SECURITY IN THE INFORMATION AGE" (http://www.fas.org/irp/congress/2002_rpt/jec-sec.pdf). In this report, under the heading 'VALIDATING COMPLIANCE - THE FUTURE OF INFORMATION PROTECTION' it is stated "The defining standard for developing an information protection program around is ISO 17799, formerly British Standard 7799". At the time of that report ISO/IEC 27001 had not been published. Were the JEC to revisit this subject today, one would expect the reference to 17799 to be replaced by reference to 27001.

[5] see http://www.anab.org/

[6] It is also worth noting that 27001 includes informative Annexes which illustrate the correspondence between this standard and: OECD Guidelines for the security of Information Systems and Networks; ISO 9001:2000 "Quality management systems - Requirements"; and ISO 14001:2004 "Environmental management systems - Requirements with guidance for use". These can be helpful in developing a single Internal Control System embracing many management disciplines.

[7], [8] see w.bsitraining.com/infosecurity standards.asp

[9] see http://www.bsonline.bsi-global.com/

2.3. HIPAA Security Standards / ISMS inter-relationship

27001 provides the basis of an information security management system, and 17799 provides a list of controls which organizations should take into consideration when defining their ISMS. A founding principle of these documents is that they provide a starting point from which an organization can develop its own specific ISMS, applying those controls which relate to its business objectives and the risks it has to deal with and, when necessary, adding additional specific controls which it requires. 27001 requires that adopters of that ISMS standard prepare a Statement of Applicability (SoA) which explains how each of the 133 controls in 17799 is responded to (including determinations that a control is not applicable). Furthermore, the standards form part of an overall certification scheme which enables ISMS owners to gain independent certification of their ISMS (against 27001).

The HIPAA Security Standards lack any such framework of controls and do not support, nor even suggest, any mechanism for demonstrating compliance with them. The Security Standards set out requirements which, to oversimplify a trifle, can be fulfilled through the application of suitable controls. One can therefore intuitively assert that by operating a suitably designed ISMS and having it formally certified, a healthcare organization could use its ISMS to ensure that HIPAA Security Standards required controls were selected from 17799, or added to those which 17799 offers, and properly implemented.

As ever, though, the devil is in the detail, and to fully understand that we need to perform a careful analysis of each HIPAA Security Standards clause against the ISMS standards, most particularly 17799. However, much of the demonstration of compliance comes not from having once identified appropriate controls but from being able to give assurance that one is effectively operating, managing, reviewing and improving them. An ISMS which can be certified against the management standard, i.e. 27001, delivers that assurance. The benefits of that assurance in HIPAA terms are further discussed in §5.

The following analysis will show that 17799 meets or exceeds some 91% of the HIPAA Security Standards requirements. Where 17799 is not sufficient in scope or rigour to meet the HIPAA Security Standards requirements the covered entity can introduce, within their ISMS, additional controls required to satisfy the remaining HIPAA requirements. Those additional controls should be added to the organization's SoA, which would form the basis

of a formal certification of that ISMS against 27001. That ISMS could also be used by the covered entity to manage not just its HIPAA compliance but the business-wide aspects of its information security.

An ISMS Certificate can be used to give confidence to business partners and clients, to the Centers for Medicare & Medicaid Services (CMS), and potentially reduce insurance premiums and liability exposure (each through having demonstrated that accepted best practices are being applied to their HIPAA compliance and other aspects of managing the organization's business).

Furthermore, we have now, for the first time, an internationally-agreed framework for ISMS and it is understood that the ANSI-ASQ National Accreditation Board[5] (ANAB) is establishing an ISMS accreditation scheme which will provide the USA with its own scheme, internationally recognized, rather than obliging US-based enterprises to seek certification of their ISMS using certifiers qualified off-shore.

3. Comparative assessment

In preparing this comparative mapping, each HIPAA Security Standards clause has been assessed against the controls identified in 17799, first for a match in the scope and intention of the clauses and then to determine the extent to which the 17799 clause would enable compliance with the HIPAA requirement. Wherever possible the principal level of comparison has been the HIPAA's 'Implementation specifications' against 17799's "Implementation guidance". In some cases where there is a good match whole sections have also been mapped to one another, and some 17799 clauses (concerning legal compliance) have been mapped to the HIPAA as a whole entity. This latter point reflects the fact that HIPAA and 17799 are not just different in that they are a regulation versus a standard, but that they are complementary in terms of a covered entity's operations.

Each mapping gives an indication of whether it is a substantially equivalent match or whether the 17799 clause exceeds or falls short of being able to support a demonstration of compliance with the HIPAA requirement.

A business operating as a covered entity could also use this approach to map its other information security and audit requirements into a single information security management system, based upon the ISO ISMS model.

4. Findings and conclusions from the mapping

The HIPAA Security Standards have, in §164.306 to '316 inclusive, 41 specific clauses (ref. Appendix A to § 164 Subpart C). From these, this paper has extracted a total of 86 discrete requirements statements against which a 17799 control could potentially be mapped. Each HIPAA clause in this paper has been mapped to at least one 17799 clause. §8 shows this mapping based on the ordering of 17799; §10 shows the mapping based on the ordering of the HIPAA. The two matrices are hyperlinked so users can easily review the many relationships that this paper has revealed.

As already stated, 17799 has 133 specific controls. In the mapping in §8 there are 263 instances of HIPAA clauses mapping into 17799 controls. Of these there are only 24 mappings where the author finds there to be less than equivalence of scope and intention between the respective clauses. In all others it is judged that the means to show HIPAA compliance is present in the scope of the matching 17799 clause (subject to …).

If one assumes that clauses have equal weighting or importance (i.e. they are defined within the HIPAA and 17799 alike at a consistent level of granularity – this is a reasonable but not entirely reliable assumption) then one can deduce that 17799 meets or exceeds the HIPAA Security Standards requirements for 91% of the HIPAA's coverage (239 of the 263 mapping instances). For the remaining 9% of the HIPAA coverage, supplemental text or additional controls have been introduced to better support the HIPAA's requirements: the inclusion of additional controls to meet implementation specific needs is entirely consistent with the ethos and guidance of 17799 (ref §9).

Without placing too much focus on the absolute percentage values given above, the findings show that one may state with confidence that ISO/IEC 17799:2005 is very substantially supportive of HIPAA compliance and that, when implemented within an ISMS in accordance with ISO/IEC 27001:2005, 17799 provides all the means to achieve that compliance in a framework which can also embrace the business' whole information security needs.

The matrix in §8 sh
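The cross-walk described in §3 and §4 (a forward matrix ordered by HIPAA clause, a reverse matrix ordered by 17799 control, each pairing judged as exceeding, equivalent or falling short, and a coverage percentage computed under the equal-weighting assumption) is easy to get wrong when maintained by hand, especially the distinction between a mapping instance that falls short and a HIPAA clause that is genuinely uncovered. The following script is an added illustration by the editor, not code from the Zygma paper. The HIPAA clause numbers and 17799:2005 control numbers in the sample are real identifiers, but the Match judgments are hypothetical and are not the paper's findings (the paper's matrices in §8 and §10 are not reproduced on this page); the function names are the editor's own.

```python
from collections import defaultdict
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Iterable, List, Tuple


class Match(Enum):
    """Assessor's judgment for one HIPAA requirement / 17799 control pair."""
    EXCEEDS = 2      # 17799 control is broader or more rigorous than the HIPAA text
    EQUIVALENT = 1   # substantially equivalent in scope and intention
    FALLS_SHORT = 0  # 17799 control alone cannot evidence HIPAA compliance


@dataclass(frozen=True)
class Row:
    hipaa: str     # HIPAA requirement statement, identified by its CFR clause
    control: str   # ISO/IEC 17799:2005 control number
    match: Match


# Constructed sample: real clause/control identifiers, but the Match values are
# hypothetical illustrations and not the judgments made in the paper.
SAMPLE: List[Row] = [
    Row("164.308(a)(1)(ii)(A)", "4.1", Match.EQUIVALENT),      # risk analysis
    Row("164.308(a)(1)(ii)(B)", "4.2", Match.EQUIVALENT),      # risk management
    Row("164.308(a)(1)(ii)(D)", "10.10.2", Match.EQUIVALENT),  # activity review
    Row("164.308(a)(3)(ii)(C)", "8.3.3", Match.EQUIVALENT),    # termination procedures
    Row("164.308(a)(5)(ii)(B)", "10.4.1", Match.EXCEEDS),      # malicious software
    Row("164.310(d)(2)(i)", "9.2.6", Match.EQUIVALENT),        # media disposal
    Row("164.312(a)(2)(i)", "11.5.2", Match.EQUIVALENT),       # unique user identification
    Row("164.312(a)(2)(iii)", "11.5.5", Match.EQUIVALENT),     # automatic logoff
    Row("164.312(b)", "10.10.1", Match.FALLS_SHORT),           # audit controls
    Row("164.312(b)", "10.10.2", Match.FALLS_SHORT),
    Row("164.316(b)(2)(i)", "15.1.3", Match.FALLS_SHORT),      # six-year retention
]


def forward(rows: Iterable[Row]) -> Dict[str, List[Tuple[str, Match]]]:
    """HIPAA clause -> [(17799 control, judgment)]: the ordering of the paper's §10."""
    out: Dict[str, List[Tuple[str, Match]]] = defaultdict(list)
    for r in rows:
        out[r.hipaa].append((r.control, r.match))
    return dict(out)


def reverse(rows: Iterable[Row]) -> Dict[str, List[str]]:
    """17799 control -> [HIPAA clauses]: the ordering of the paper's §8."""
    out: Dict[str, List[str]] = defaultdict(list)
    for r in rows:
        if r.hipaa not in out[r.control]:
            out[r.control].append(r.hipaa)
    return dict(out)


def coverage(rows: Iterable[Row]) -> Tuple[int, int, int]:
    """(mapping instances, instances judged to fall short, % meeting or exceeding).

    Every mapping instance carries equal weight, the simplifying assumption
    §4 states; on the paper's totals (263 instances, 24 short) this gives 91.
    """
    rows = list(rows)
    short = sum(1 for r in rows if r.match is Match.FALLS_SHORT)
    pct = round(100 * (len(rows) - short) / len(rows)) if rows else 0
    return len(rows), short, pct


def gaps(rows: Iterable[Row]) -> List[str]:
    """HIPAA clauses for which no mapped control is at least EQUIVALENT.

    A clause is a gap only when every control mapped to it falls short; one
    adequate control among several suffices. Gaps need supplemental text or
    an extended control (the paper's §9) before the SoA can claim coverage.
    """
    best: Dict[str, Match] = {}
    for r in rows:
        cur = best.get(r.hipaa)
        if cur is None or r.match.value > cur.value:
            best[r.hipaa] = r.match
    return sorted(h for h, m in best.items() if m is Match.FALLS_SHORT)


def soa(rows: Iterable[Row], controls: Iterable[str]) -> List[Tuple[str, str, str]]:
    """Statement-of-Applicability skeleton: (control, decision, justification).

    27001 expects every catalogue control to appear, selected or excluded with a
    reason; here the HIPAA cross-walk is the only driver considered.
    """
    rev = reverse(rows)
    out: List[Tuple[str, str, str]] = []
    for c in controls:
        if c in rev:
            out.append((c, "Selected", "HIPAA " + ", ".join(rev[c])))
        else:
            out.append((c, "To be justified",
                        "no HIPAA driver; select for business risk or exclude with reason"))
    return out


if __name__ == "__main__":
    n, short, pct = coverage(SAMPLE)
    print(f"{n} mapping instances, {short} fall short, {pct}% meet or exceed")
    print("clauses needing extended controls:", gaps(SAMPLE))
    for control, decision, why in soa(SAMPLE, ["4.1", "5.1.1", "10.10.2", "15.1.3"]):
        print(f"{control:8} {decision:16} {why}")
```

In the sample, 164.312(b) is mapped to two controls that both fall short and so appears in the gap list, whereas a clause with one adequate control among several does not; that is the distinction between the paper's 24 short mapping instances and the smaller set of clauses that actually need an extended control. Running the real matrices through `coverage` should reproduce the 91% figure, and `soa` over all 133 control numbers yields the skeleton that 27001 requires before certification.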
