How To Comply With The HIPAA Security Rule

E-Guide

How to comply with the HIPAA Security Rule

Since its inception, the HITECH Act has helped not only to increase productivity, but to streamline how information is exchanged within an organization. While this information exchange is much more efficient and free-flowing than it has been in the past, there are also many requirements that must be met in order to ensure that these exchanges are HIPAA compliant. In this eGuide, you will learn how a well-implemented security program can safeguard your organization and can secure patient medical records.

Sponsored By:

SearchHealthIT.com E-Guide: How to comply with the HIPAA Security Rule

Table of Contents

How to comply with the HIPAA Security Rule
Resources from Redspin

Page 2 of 9

How to comply with the HIPAA Security Rule

By Richard E. Mackey, Contributor

The Health Information Technology for Economic and Clinical Health (HITECH) Act extended the requirement for direct compliance with Health Insurance Portability and Accountability Act (HIPAA) security and privacy rules to business associates of covered entities. The HITECH Act's encouragement of enhanced health information exchange undoubtedly will increase the number of entities that handle protected health information and, because they handle PHI, are subject to the HIPAA Security Rule.

Until 2009, only a HIPAA-covered entity was directly responsible for proving HIPAA compliance to the Department of Health & Human Services (HHS), or was liable for penalties in the event of a data breach. The HITECH Act changed all that. Now all organizations entrusted with PHI are directly responsible for protection, breach notification and breach penalties.

As stated in the Modifications to the HIPAA Privacy, Security and Enforcement Rules Under the HITECH Act, which were published on July 14, 2010:

Section 13401 of the HITECH Act provides that the Security Rule's administrative, physical and technical safeguards requirements as well as its policies and procedures and documentation requirements shall apply to business associates in the same manner as these requirements apply to covered entities, and that business associates shall be civilly and criminally liable for penalties for violations of these provisions.

Before the HITECH Act, covered entities were required to ensure that the business associates they entrusted with electronic PHI complied with the HIPAA privacy and security rules. This has not changed. However, with the spotlight more clearly focused on HIPAA business associates, these organizations must make doubly sure they comply with the intent and letter of the two rules.

In short, covered entities were already responsible for compliance, but now it's more likely that someone will notice.

Identifying, analyzing risk under the HIPAA Security Rule

The HIPAA Security Rule requires that covered entities and business associates implement full security programs. These include a formal assessment of security risk and the implementation of controls commensurate with that risk.

The security rule does not prescribe most controls, but suggests them instead. Most organizations nevertheless should look at addressable security-rule implementation specifications as requirements unless the controls are impractical to implement or do not address an actual risk.

The security rule also requires all covered entities and business associates to appoint a person or group responsible for a health information security program to protect PHI. This includes a program to analyze and manage risk.

Risk analysis, as defined by the HIPAA Security Rule, requires a formal, repeatable methodology that assesses the content, sensitivity and volume of information; the threats to the confidentiality, integrity and availability of PHI; and the effectiveness of the security controls the organization has implemented already. If the magnitude of risk is acceptable, the controls are adequate. If not, the organization has to select and implement new controls. This risk management method should be repeated regularly, with administrators understanding threats, evaluating controls and addressing weaknesses to comply with the HIPAA Security Rule.

Controlling access to electronic PHI

One of the main requirements of the HIPAA Security Rule is that organizations must ensure that only authorized users have access to electronic PHI. At a minimum, this means authenticating users with unique IDs. However, any good security program requires a thorough, auditable process for requesting and approving access, as well as a regular review of user privileges.

Obviously, access controls will vary based on the technology used to store the information. Databases, Web applications, file systems and desktop applications all have their own mechanisms. The vast majority of commercial products provide authentication that's strong enough and flexible role or group authorization to enable organizations to reasonably secure their information.

The secret to securing information is more about process than it is about technology. Bear in mind that the model for segregating data, granting access, logging access, reviewing use and reviewing access rights should be the same regardless of the underlying technology.

Identity and access management (IAM) systems can help organizations meet all HIPAA Security Rule access-control requirements. Smaller organizations, however, could find the price tag too high, and even larger organizations might find the cost of integrating these technologies daunting. In any event, stringent controls (whether implemented entirely through manual procedures or facilitated by IAM technology) are a critical component of securing health care data.

Protecting electronic PHI, in place and in motion

HHS has identified encryption and destruction as acceptable methods for rendering PHI unusable, unreadable or indecipherable to unauthorized individuals. (A further explanation can be found in the first half of this tip, How to interpret and apply federal PHI security guidance.)

Although HHS does not require organizations to encrypt electronic PHI, the security and legal benefits of encryption are compelling. First, organizations that encrypt data according to the HHS guidelines are not liable if an unauthorized party gains access to the data. This avoids not only the penalties associated with breaches, but also the expensive process of notifying affected parties. Second, encryption can act as a strong access control mechanism that can protect data when it's most vulnerable -- namely, when it's transmitted and when it's stored on portable devices.

The HHS guidance for employing encryption appears in the data breach interim final rule. The rule refers to four documents from the National Institute of Standards and Technology (NIST).

The first, the Guide to Storage Encryption Technologies for End User Devices, describes the strengths and weaknesses of various file and file-system encryption methods. This document is useful in describing data storage problems and the ways various mechanisms work to protect data.

The final three -- the Guidelines for the Selection and Use of Transport Layer Security (TLS) Implementations, the Guide to Internet Protocol Security (IPsec) Virtual Private Networks, and the Guide to SSL VPNs -- describe how to use VPNs and encrypted channels to protect data being transmitted.

Manage partners, ease HIPAA Security Rule compliance

Any security program designed to protect information and comply with such regulations as HIPAA should include a program to assess, contract with and manage the partners with which an organization shares data. Partner management is essentially a security program in miniature. It requires risk assessment, selection of controls, governance in the form of contracts, monitoring, identity and access management, encryption, and periodic evaluation of controls' effectiveness.

HIPAA rules require organizations to assess their partners' practices and obtain contractual guarantees that the information entrusted to them will be protected according to the privacy and security rules. With the HITECH Act, the chain of assessments and contracts has gotten longer: Covered entities require contracts from service providers, service providers require contracts from their partners, and so on.

There are three keys to effective partner management:

1. Share only the information that partners need to provide their service: Eliminate identity fields if possible, for example.
2. Regularly assess partners' risk and security practices.
3. Establish contracts with partners and review them regularly.
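The first key above (share only what a partner needs, and drop identity fields) can be enforced in code rather than left to procedure alone. The following Python is an added example, not part of the original guide or any Redspin tool: the partner names, the per-partner field allow-lists and the sample record are constructed, and the keyed pseudonym (an HMAC over the patient identifier) is a technique chosen for this example, not one the guide prescribes.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Constructed sample record with placeholder values (not real PHI).
PATIENT_RECORD = {
    "patient_id": "P-000123", "name": "Example Patient", "ssn": "000-00-0000",
    "dob": "1970-01-01", "address": "1 Example Street",
    "diagnosis_code": "E11.9", "visit_date": "2012-03-01", "billing_amount": 120.50,
}
# Direct identifiers that no partner feed may carry (assumption for this example).
IDENTITY_FIELDS = {"patient_id", "name", "ssn", "dob", "address"}
# Minimum data set agreed in each partner's contract (constructed partner names).
PARTNER_NEEDS = {
    "billing-vendor": {"diagnosis_code", "visit_date", "billing_amount"},
    "analytics-vendor": {"diagnosis_code", "visit_date"},
}

def subject_token(patient_id, partner, key):
    # Keyed, per-partner pseudonym: a partner can link one patient's own records,
    # but tokens cannot be correlated across partners or reversed without the key.
    msg = f"{partner}:{patient_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]

def minimize_for_partner(record, partner, key, disclosure_log):
    # Refuse to share with anyone who has no agreement on file.
    if partner not in PARTNER_NEEDS:
        raise PermissionError(f"no data-sharing agreement on file for {partner}")
    allowed = PARTNER_NEEDS[partner]
    # A misconfigured agreement that lists identity fields is rejected outright.
    if allowed & IDENTITY_FIELDS:
        raise ValueError("agreement must not list direct identifiers")
    # Allow-list: anything not explicitly agreed is withheld, not merely masked.
    shared = {field: record[field] for field in allowed if field in record}
    shared["subject_token"] = subject_token(record["patient_id"], partner, key)
    # Every disclosure is logged so sharing can be reviewed later.
    disclosure_log.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "partner": partner,
        "subject_token": shared["subject_token"],
        "shared": sorted(allowed),
        "withheld": sorted(set(record) - allowed),
    })
    return shared
```

The disclosure log gives the periodic partner review (keys 2 and 3) a concrete record of which fields each partner actually received.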

Protect connections, ensure health information security

An important part of securing health information is making sure that the systems involved in storing, processing and exchanging information are protected at the network layer. Network segregation and careful filtering and monitoring of traffic can help significantly in safeguarding against many common types of attacks.

There are three controls that every organization should consider when it assesses and improves its health information network security:

1. Segregate critical health information systems from the rest of the network.
2. Employ strong wireless network security measures for all networks in the enterprise.
3. Lock down and monitor all connections to service providers and the Internet.

There are many more network-based techniques that can enhance systems and data security, but these three steps provide a good basis for additional improvements.

Overall, the HITECH Act has increased organizations' incentives to reduce paper and streamline health information exchange. This increase in information flow comes with expanded security risks and regulatory scrutiny. The most effective way for organizations to meet regulatory requirements and avoid a health care data breach is to design a security program that assesses risk accurately and implements controls that prevent breaches. A well-designed security program not only will safeguard organizations' health information, but also will help them pass audits, satisfy partners and protect against costly penalties and notification processes.

Resources from Redspin

RFP Template – HIPAA Security Risk Analysis
Business Associate HIPAA Compliance Checklist
HIPAA Security Audits in 2012. Are You Ready?

About Redspin

Redspin is a leading provider of penetration testing services and IT security audits. For over a decade, Redspin has helped our clients protect critical data, harden web applications, maintain compliance, and reduce overall risk.

Redspin specifically tailors its work for every customer, whether a Fortune 1000 enterprise or small-to-medium size business. We bring a "real-world" perspective to each engagement, gained from the thousands of security assessments we've conducted since our founding in 2000. This enables us to present our findings, analysis and recommendations within your business context, informed by our deep industry-specific experience in healthcare, banking, financial services, retail, energy, technology, casinos, and hospitality.
