XYGATE & HIPAA COMPLIANCE

A Solution Paper
February, 2005

XYPRO Technology Corporation
3325 Cochran Street, Suite 200
Simi Valley, California U.S.A.
support@xypro.com
Telephone:
FAX:

Copyright 2005 by XYPRO Technology Corporation. All rights reserved.

Trademark Acknowledgments

The following are trademarks or service marks of Hewlett-Packard Company: Distributed System Management (DSM), EDIT, ENFORM, Enscribe, Event Management Service (EMS), FUP, Guardian, MEASURE, NETBATCH, NonStop, NonStop Kernel, NonStop SQL, PATHCOM, PATHWAY, SAFECOM, SAFEGUARD, SCUP, SPOOLCOM, TACL, TEDIT.

The following are trademarks or service marks of XYPRO Technology Corporation: XY-2K, XYCLOPS, XYDOC, XYDOC II, XYGATE, XYGATE/AC, XYGATE/CD, XYGATE/CM, XYGATE/EFTP, XYGATE/ESDK, XYGATE/FE, XYGATE/KM, XYGATE/LD, XYGATE/MA, XYGATE/MI, XYGATE/OS, XYGATE/PC, XYGATE/PM UM, XYGATE/PQ, XYGATE/SE, XYGATE/SE40, XYGATE/SM, XYGATE/SP, XYGATE/SR, XYGATE/SW, XYGATE/UA, XYPRO, XYTIMER, XYWATCH.

TABLE OF CONTENTS

INTRODUCTION ... 1
DEFINITION OF PRINCIPALS ... 1
REQUIREMENTS IN HP NONSTOP SERVER ENTERPRISES ... 2
  Administrative Safeguards ... 2
    STANDARD: Security Management Process ... 2
    STANDARD: Security Awareness Training ... 3
  Technical Safeguards ... 5
    STANDARD: Access Control ... 5
    STANDARD: Audit Controls ... 6
    STANDARD: Integrity ... 7
    STANDARD: Person or Entity Identity ... 7
    STANDARD: Transmission Security ... 8
CONCLUSIONS ... 9
DISCLAIMER ... 9
XYGATE PRODUCT TABLE
APPENDIX A: EXCERPTS FROM HIPAA ... 13

INTRODUCTION

The Health Insurance Portability and Accountability Act (HIPAA) has the following general objectives:

- Guarantee health insurance coverage of employees.
- Reduce health care fraud and abuse.
- Introduce/implement administrative simplification to increase the effectiveness and efficiency of the health care system.
- Protect the health information of individuals against unauthorized access.

This last objective is where XYPRO products will bring the most benefit to customers striving to comply with HIPAA regulations within their HP NonStop Server enterprises.

This paper is intended for general informational purposes and does not contain exact definitions or guidelines on compliance. Indeed, the scalability factor -- a single doctor's office versus a large corporate health provider -- and the fact that risk assessment and mitigation are moving targets make any generic checklist unfeasible. This paper does list some of the major parts of the security standards set forth in HIPAA regulations and points to the XYPRO products that can provide a company with the technological tools to implement the policies and procedures needed to achieve compliance. Product tables toward the end of this document describe each XYPRO product cross-referenced to the standards it can be used to meet. Excerpts from the HIPAA regulations are provided in Appendix A.

DEFINITIONS & PRINCIPALS

Covered Entities (CEs) are defined by HIPAA as health plans, health care clearinghouses, and health care providers who maintain or transmit identifiable health information in any form: oral, written, or electronic. This information is referred to as Protected Health Information (PHI). HIPAA defines a series of measures that CEs must take to protect such information. Many sections of these measures involve areas that must be implemented by management, such as the creation, implementation, review, and revision of written policies and procedures.
XYPRO's XYGATE products are the tools that allow IT departments to achieve compliance with such policies as well as provide reporting to illustrate that compliance goals are being met.

HIPAA is scalable. Each CE needs to meet the specific needs and feasibility of each facility. A single doctor's office may be able to address HIPAA with a much smaller plan and much less automation than a large corporate medical provider might need.

Risk assessment and mitigation are not static entities. HIPAA stresses that risk assessment and mitigation planning must be continuous processes and are to be reviewed often. New plans must be developed and implemented based on current and new threats as well as new technologies in today's fast-moving world of electronic business.

HIPAA specifically states that patient care cannot be interrupted or its quality affected in a negative way. This legislation points out that the most important objective of CEs is to take care of their patients.

HIPAA can reach outside CEs. Application Service Providers (ASPs) are third-party providers operating information systems located remotely but hosting data of the hospital and its patients. Outreach, remote vendor and other third parties servicing hospital equipment are also examples of entities to whom HIPAA regulations may apply.

REQUIREMENTS & NONSTOP SERVER ENTERPRISES

Part 164, Security and Privacy, of HIPAA most directly relates to Information Technology (IT). The sections Administrative Safeguards and Technical Safeguards relate directly to needs that XYGATE products can satisfy. These sections contain standards and their corresponding implementation specifications. Implementation specifications are classified (R), REQUIRED, or (A), ADDRESSABLE. If an implementation specification is ADDRESSABLE, then CEs may use some discretion as to whether that specification is a reasonable and appropriate safeguard in their environment, or whether an equivalent alternative measure is reasonable and appropriate.

What follows is a list of selected standards and how XYGATE products can help CEs achieve compliance.

Administrative Safeguards

STANDARD (a)(1) - Security Management Process. Implement policies and procedures to prevent, detect, contain, and correct security violations.

IMPLEMENTATIONS: REQUIRED; ADDRESSABLE

REQUIRED - Risk Analysis. Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

REQUIRED - Risk Management. Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with (a). (See Appendix A.)
XYPRO Solutions

The two preceding specifications show the need for "HP NonStop Server Security: A Practical Handbook". Authored by XYPRO and published by HP, this is the definitive reference for using native NonStop security products like Guardian and Safeguard. It provides practical guidance about administration, authorization, authentication, auditing and Best Practices. The XYGATE Security Compliance Wizard (/SW) can be used to compare the Best Practices documented in the handbook to a NonStop server environment, producing a

comprehensive report that documents where a particular system complies and where it differs. Justification for variances can be annotated for tracking purposes and included in audit reports. XYGATE /SW is a Windows-based wizard that makes it possible to develop security policy and monitor compliance for an entire NonStop server enterprise from authorized desktop PCs.

REQUIRED - Sanction Policy. Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity. (Statements regarding disciplinary actions that are communicated to all employees, agents, and contractors; for example, verbal warning, notice of disciplinary action placed in personnel files, removal of system privileges, termination of employment and contract penalties.)

REQUIRED - Information System Activity Review. Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

XYPRO Solutions

XYGATE Merged Audit (/MA) software lets authorized users create reports with timely mixes of information from Safeguard and Measure as well as all of the other XYGATE security products. Data is collected from multiple audit data sources and multiple NonStop servers, then combined to produce a single reporting repository for a total audit picture.

For routine audit reports, XYGATE /MA can be set to screen out data that is always present and irrelevant - permitted logons, for example. The customizable filters catch information that isn't desired and allow it to be excluded from the audit files. For audit information too critical to wait for the next audit report cycle, XYGATE /MA supports automatic alerts, sending messages to an EMS process, a third-party IP monitor, and specified e-mail addresses (perhaps for forwarding to devices able to receive text messages, i.e., support staff mobile phones).
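The two review mechanisms described here, screening routine permitted logons out of a report and raising alerts on the kind of thresholds the Audit Controls section later quotes (more than 5 failed logons in 2 minutes, SUPER.SUPER logons at certain times of day), can be shown in a small detector. The following Python is an added example written for this page; it is not XYGATE /MA code or an XYPRO interface. The one-record-per-line audit format, the field names, the userids, terminal names and the 07:00 to 19:00 business-hours window are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, time, timedelta

# Constructed sample audit records, not real Safeguard or XYGATE output.
# The format (timestamp, event, subject userid, target) and every userid
# and terminal name below are assumptions made for this example.
SAMPLE_AUDIT = """\
2005-02-14T08:59:10 LOGON              CLERK.ANN    $ZTN0.#PTY0012
2005-02-14T09:00:01 LOGON-FAIL         OPER.BOB     $ZTN0.#PTY0031
2005-02-14T09:00:20 LOGON-FAIL         OPER.BOB     $ZTN0.#PTY0031
2005-02-14T09:00:45 LOGON-FAIL         OPER.BOB     $ZTN0.#PTY0031
2005-02-14T09:01:05 LOGON-FAIL         OPER.BOB     $ZTN0.#PTY0031
2005-02-14T09:01:30 LOGON-FAIL         OPER.BOB     $ZTN0.#PTY0031
2005-02-14T09:01:55 LOGON-FAIL         OPER.BOB     $ZTN0.#PTY0031
2005-02-14T09:02:10 LOGON              OPER.BOB     $ZTN0.#PTY0031
2005-02-14T12:15:00 LOGON              CLERK.ANN    $ZTN0.#PTY0012
2005-02-14T23:40:00 LOGON              SUPER.SUPER  $ZTN0.#PTY0099
2005-02-14T23:41:12 FILE-ACCESS-DENIED OPER.BOB     $DATA.PATIENT.RECORDS
"""

# Events that are "always present and irrelevant" in a routine report.
ROUTINE_EVENTS = {"LOGON"}


def parse_audit(text):
    """Turn the constructed text log into a list of record dicts, oldest first."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event, user, target = line.split()
        records.append({"time": datetime.fromisoformat(ts), "event": event,
                        "user": user, "target": target})
    return sorted(records, key=lambda r: r["time"])


def filter_routine(records, routine=ROUTINE_EVENTS):
    """Drop routine events (permitted logons) from the report, keep everything else."""
    return [r for r in records if r["event"] not in routine]


def detect_failed_logon_bursts(records, threshold=5, window=timedelta(minutes=2)):
    """Alert when one userid has MORE THAN `threshold` LOGON-FAIL events inside `window`.

    A per-user sliding window holds the timestamps of recent failures; once it
    exceeds the threshold an alert is raised and the window is cleared so that
    a single burst produces a single alert.
    """
    alerts = []
    recent = defaultdict(deque)
    for rec in records:
        if rec["event"] != "LOGON-FAIL":
            continue
        q = recent[rec["user"]]
        q.append(rec["time"])
        while q and rec["time"] - q[0] > window:   # expire failures outside the window
            q.popleft()
        if len(q) > threshold:
            alerts.append({"rule": "failed-logon-burst", "user": rec["user"],
                           "count": len(q), "first": q[0], "last": rec["time"]})
            q.clear()
    return alerts


def detect_privileged_logons(records, user="SUPER.SUPER", start=time(7, 0), end=time(19, 0)):
    """Alert on successful logons to a power userid outside the permitted hours (assumed 07:00-19:00)."""
    return [{"rule": "privileged-logon-off-hours", "user": user,
             "time": rec["time"], "target": rec["target"]}
            for rec in records
            if rec["event"] == "LOGON" and rec["user"] == user
            and not (start <= rec["time"].time() < end)]


def run(text):
    """Produce the filtered routine report and the alert list for one audit extract."""
    records = parse_audit(text)
    return {"report": filter_routine(records),
            "alerts": detect_failed_logon_bursts(records) + detect_privileged_logons(records)}


if __name__ == "__main__":
    result = run(SAMPLE_AUDIT)
    for r in result["report"]:
        print(r["time"].isoformat(), r["event"], r["user"], r["target"])
    for a in result["alerts"]:
        print("ALERT", a)
```

On the sample, the routine report keeps the seven non-LOGON records, the burst rule fires once for OPER.BOB (six failures inside 1 minute 54 seconds) and the off-hours rule fires once for the 23:40 SUPER.SUPER logon. Grouping failures per userid is a choice made here; a site that wants the page's plain "more than 5 failed logons in 2 minutes" across all users can key the window on a constant instead.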
All audit data is loaded into a single SQL database on the system where XYGATE /MA is headquartered. Centralization of data is fundamental to the combined system reporting available. It also simplifies custom report generation and ad hoc queries using SQLCI or any PC-based SQL product that can retrieve data from a host system. Along with customized report generation, this product includes a set of standard reports for such popular topics as Alerts Issued, Logons, Failed Logons, Subject User vs. Target User, and SUPER.SUPER usage.

STANDARD (a)(5) - Security Awareness. Implement a security awareness and training program for all members of its workforce (including management).

IMPLEMENTATIONS: REQUIRED; ADDRESSABLE

ADDRESSABLE - Security Reminders. Implement periodic security updates.

ADDRESSABLE - Protection from Malicious Software. Implement procedures for guarding against, detecting, and reporting malicious software.

ADDRESSABLE - Log-In Monitoring. Implement procedures for monitoring log-in attempts and reporting discrepancies.

ADDRESSABLE - Password Management. Implement procedures for creating, changing, and safeguarding passwords.

XYPRO Solutions

The XYGATE suite includes Access Control (for Guardian and OSS), Process Control, CMON, and Spoolcom/Peruse/Archive tools. Together these products provide the core of a well-secured NonStop system, including:

- Individual accountability, restricting each user to a list of authorized actions based on that user's job functions
- Comprehensive auditing with flexible reporting
- A $CMON process that administers logon-to-logoff session controls and load balancing
- Protection of SPOOLER reports, enhanced by eliminating the need for a SUPER group id to access print jobs and adding the ability to limit and audit user actions by command, subcommand, supervisor, collector, object, and subject (user)

To extend core security, XYGATE includes tools specific to implementing more of the ADDRESSABLE issues above, with controls and reporting that are both highly granular and flexible.

XYGATE Password Quality (/PQ) makes it possible to set rules to govern password characteristics with more granularity than native NonStop security or Safeguard. XYGATE /PQ then enforces those rules, standardizing and strengthening passwords for the NonStop server support staff across all nodes. All of this can be done from XYGATE's Windows-based GUI running on authorized workstation PCs.

XYGATE User Authentication further enhances logon security by providing granular, efficient logon controls while eliminating the need for privileged logons such as SUPER.SUPER ids.
Pre-production testing of logon rules, early detection of intrusion attempts, logons to sensitive userids, and two-factor authentication are all standard features of this product.

XYGATE Safeguard Manager is a graphical interface enabling authorized users to configure and control Safeguard global settings, users, aliases and object Access Control Lists (ACLs) from their workstation PCs. Configuration updates can be propagated to a single node, some nodes, or all nodes in a NonStop network. Remote password maintenance updates can be applied to a single user, hundreds, or thousands. Flexible grids make it easy to sort data and then drill down for details.

XYGATE Dynamic Object Security (/OS) enables creation and implementation of rules for dynamic, pattern-oriented ACL administration containing Regular Expressions. Rules can be based on many characteristics including object name, Safeguard alias, and

userid. In addition, XYGATE /OS rules make it possible to govern the use of operational privileges not only for Read, Write, Execute, and Purge -- but also for Rename, License, and the entire operations set supported by NonStop Servers.

Technical Safeguards

STANDARD (a)(1) - Access Control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in (a)(4).

IMPLEMENTATIONS: REQUIRED; ADDRESSABLE

REQUIRED - Unique User Identifier. Assign a unique name and/or number for identifying and tracking user identity.

REQUIRED - Emergency Access Procedure. Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.

ADDRESSABLE - Automatic Logoff. Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

ADDRESSABLE - Encryption and Decryption. Implement a mechanism to encrypt and decrypt electronic protected health information.

XYPRO Solutions

XYGATE is a single solution set to efficiently meet the HIPAA Access Control Standards in a variety of ways.

XYGATE Access Control (/AC) allows the functional properties of one Guardian userid to be allocated and controlled for other userids, eliminating the need for direct use or sharing of privileged userids such as SUPER.SUPER. This tool not only includes controls over what programs a user is allowed to run, but also enables command-level security for the programs that the user is allowed to run. All users are able to perform their regular job functions, as well as have emergency access capabilities, using their own unique userid in an audited environment. XYGATE /AC commands also have the capability to request the user's password upon entry to a privileged command and/or after a timeout period of inactivity.
XYGATE CMON forces users to log on to a personal userid before logging on to SUPER.SUPER or other power userids. Additional capabilities enable security administrators to restrict users/programs to specific ports/IP addresses, audit all user logons/logoffs and enforce automatic logoffs.

XYGATE File Encryption & Key Management allows encryption of files, both stored on the system and in transit. It features support for multiple platforms (NonStop, Windows, Unix, OS390, etc.) and multiple file formats (binary, ASCII and EBCDIC data).

XYGATE Session Encryption provides end-to-end encryption to protect privacy for many types of sessions: between your NonStop Servers, and between your NonStop Servers and their network-connected PCs and other computer platforms as well. Examples include:

- Interactive sessions using Telnet, Multi-LAN, RS232, Async, 6530 or ASCII emulation
- Transaction sessions using bulk transfer products like ODBC, TOP and RSC
- FTP sessions using dual channels, one for data and another for commands, userids and passwords
- NonStop Windows sessions performing crypto proxy services, as done using SSL mechanisms with SafeTGate

XYGATE Encryption Software Developer Kit (/ESDK) provides APIs to encryption-enable your own applications, databases and communications. It includes support for DES, triple DES and a variety of other algorithms, as well as crypto key mechanisms. XYGATE /ESDK is usable across multiple platforms and includes a digital signature mechanism to ensure data is unaltered during transmission.

STANDARD (b) - Audit Controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

IMPLEMENTATIONS: REQUIRED

REQUIRED - Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

XYPRO Solutions

XYGATE Safeguard Reports (/SR) streamlines security audit reporting for NonStop server environments and enables reporting for Safeguard activities with flexibility and ease. XYGATE /SR provides a full range of pre-formatted reports, plus the ability to alter the content to meet your exact needs.
XYGATE /SR is a stand-alone product, but it can be combined with other XYGATE products to further ease the effort of security audit reporting.

XYGATE Merged Audit (/MA) supplies automated and comprehensive auditing that can be combined to produce a single report providing a total picture in a timely and convenient manner. XYGATE /MA provides centralized reporting for all security-related audit logs (Safeguard, XYGATE, EMS, Measure). It facilitates the use of host- or PC-based standard tools for reports, e.g., MS Access, Excel, ODBC, Crystal Reports. This product also provides automatic alerting for security events like more than 5 failed logons in 2 minutes, SUPER.SUPER logons at certain times of day, invalid file access,

etc. Alerts can be via EMS event, message to an IP address, custom (via user-written TACL macro) or e-mail (perhaps for forwarding to devices able to receive text messages, i.e., support staff cell phones).

STANDARD (c) - Integrity. Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.

IMPLEMENTATIONS: REQUIRED; ADDRESSABLE

ADDRESSABLE - Mechanism to Authenticate Electronic Protected Health Information. Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.

STANDARD (d) - Person or Entity Authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

IMPLEMENTATIONS: REQUIRED; ADDRESSABLE

REQUIRED - Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

XYPRO Solutions

Long before the HIPAA requirements, XYGATE has been protecting integrity and authentication by securing against unauthorized access to, or alteration of, protected information by internal users and external intruders. XYGATE Access Control and Process Control sit between user terminals and the utility/application programs that users need in order to perform their assigned duties. Access Control Lists (ACLs) define who can have access to which privileges, in which programs, from which terminals, and at what level of functionality.

XYGATE User Authentication (/UA) brings industry-best user authentication capabilities to NonStop server environments. Like many other XYPRO products, XYGATE /UA expands upon security functions native to NonStop systems, providing customer-requested enhancements like multi-factor authentication, sophisticated logon error management options and logon-specific audit reporting.
XYGATE Password Quality (/PQ) lets you set rules to govern password characteristics. Minimum numbers of upper/lower case letters and numbers, control characters, special characters, repeating characters and excluded characters are among the options provided. Also included are NonStop network-wide password updates: when a user changes a password on one system, XYGATE /PQ encrypts and propagates the change across all systems for which the userid/alias has a valid network connection. System-generated passwords and password splitting can be enabled. Automatic password

expiration with first logon and a defined owner of password changes make this product very helpful in meeting and maintaining user authentication standards.

XYGATE CMON facilitates your security and access control needs, as well as system performance needs. XYGATE offers a fully supported $CMON process with:

- Auditing of pre-logon Guardian userids and aliases
- Terminal device logon restrictions
- Double logon to sensitive userids
- Parameter customization by userid
- Access control by TCP/IP address or ASYNC/LAN address
- Complete end-to-end program execution audits

STANDARD (e) - Transmission Security. Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.

IMPLEMENTATIONS: REQUIRED; ADDRESSABLE

ADDRESSABLE - Integrity Controls. Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.

ADDRESSABLE - Encryption. Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.

XYPRO Solutions

XYGATE File Encryption & Key Management allows encryption of files, both stored on the system and in transit. It features support for multiple platforms (NonStop, Windows, Unix, OS390, etc.) and multiple file formats (binary, ASCII and EBCDIC data).

XYGATE Session Encryption provides end-to-end encryption to protect privacy for many types of sessions: between your NonStop Servers, and between your NonStop Servers and their network-connected PCs and other computer platforms as well.
Supported are:

- Interactive sessions using Telnet, Multi-LAN, RS232, Async, 6530 or ASCII emulation
- Transaction sessions using bulk transfer products like ODBC, TOP and RSC
- FTP sessions using dual channels, one for data and another for commands, userids and passwords
- NonStop Windows sessions performing crypto proxy services, as done using SSL mechanisms with SafeTGate
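The Integrity Controls specification above asks that transmitted electronic protected health information cannot be modified without detection, and the product descriptions on this page mention a digital signature mechanism for that purpose. The following Python is an added example written for this page, not XYGATE or XYPRO code. It uses a shared-key HMAC-SHA256 tag, which gives the two key holders tamper detection but, unlike a digital signature, no non-repudiation; the record fields, the sequence numbering used to catch replay, and the key literal are all constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed shared key for this example only. A deployment would provision
# and rotate such keys through a key-management facility, never a literal.
DEMO_KEY = b"example-shared-secret-not-for-real-use"


def canonical(record):
    """Serialize a record deterministically so sender and receiver MAC identical bytes."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def protect(record, key):
    """Wrap a record with an HMAC-SHA256 tag computed over its canonical form."""
    tag = hmac.new(key, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify(envelope, key):
    """Recompute the tag and compare in constant time; False on any modification."""
    expected = hmac.new(key, canonical(envelope["record"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, envelope["tag"])


def receive(envelopes, key, expected_seq=1):
    """Accept records in order; reject tampered tags and replayed or skipped sequence numbers.

    The sequence number lives inside the authenticated record, so an attacker
    cannot renumber a captured record without invalidating its tag.
    """
    accepted, rejected = [], []
    for env in envelopes:
        if not verify(env, key):
            rejected.append((env["record"].get("seq"), "bad tag"))
            continue
        seq = env["record"]["seq"]
        if seq != expected_seq:
            rejected.append((seq, f"expected seq {expected_seq}"))
            continue
        accepted.append(env["record"])
        expected_seq += 1
    return accepted, rejected


def demo():
    """Constructed PHI records: the second is altered in transit, the first is replayed."""
    records = [
        {"seq": 1, "patient_id": "P-0001", "field": "allergy", "value": "penicillin"},
        {"seq": 2, "patient_id": "P-0001", "field": "dose_mg", "value": 50},
    ]
    sent = [protect(r, DEMO_KEY) for r in records]
    tampered = json.loads(json.dumps(sent[1]))   # deep copy, then alter the dose
    tampered["record"]["value"] = 500
    stream = [sent[0], tampered, sent[0]]         # second tampered, first replayed
    return receive(stream, DEMO_KEY)


if __name__ == "__main__":
    accepted, rejected = demo()
    print("accepted:", accepted)
    print("rejected:", rejected)
```

Canonical serialization is what makes this work across platforms: if the sending and receiving systems serialize the same record with different key order or whitespace, a legitimate record fails verification just as a tampered one does. On the constructed stream only the first record is accepted; the altered dose fails the tag check and the replayed copy is rejected for its out-of-order sequence number.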

XYGATE Encryption Software Developer Kit (/ESDK) provides APIs to encryption-enable your own applications, databases and communications. It includes support for DES, triple DES and a variety of other algorithms, as well as key mechanisms. XYGATE /ESDK is usable across multiple platforms and includes a digital signature mechanism to ensure data is unaltered during transmission.

CONCLUSIONS

The effort any one company must make to become HIPAA compliant will depend on many factors. The size of the company, its management philosophy, and the current state of its security policies and procedures are very important considerations in starting such an effort. But if an environment includes NonStop Servers, the XYGATE suite of security tools will ease the transition into the secure environment that HIPAA compliance will require. Regulations like HIPAA bring more pressure on IT management to incorporate products like XYPRO's to bring systems into a best-practice mode, which is just not possible with the native GUARDIAN security environment. The continued protection of company assets like NonStop Servers and the data they contain, as well as satisfying the demands of auditors, make the use of security-enhancing products like XYGATE increasingly valuable.

DISCLAIMER

XYPRO has designed this document primarily as educational. Readers should note that this document has not received endorsement from any standard-setting body. Issues discussed in this paper will evolve over time. Accordingly, companies should seek counsel and appropriate advice from their risk advisors and/or auditors. In determining the propriety of any specific procedure or test, the IT professional should apply his or her own professional judgment to the specific control circumstances presented by the particular systems or information technology environment.
XYPRO makes no representations or warranties and provides no assurances that an organization's use of this document or XYGATE products will result in full compliance with the requirements of the act. Internal controls, whether automated or manual, no matter how well designed and operated, can provide only reasonable assurance of achieving security control objectives. The likelihood of achievement is affected by limitations inherent to internal control. These include the realities that human judgment in decision-making can be faulty and that breakdowns in internal control can occur because of human factors such as errors or inappropriate override of internal controls.

PRODUCT TABLE

XYGATE products are available in convenient packages or individually, as listed in the following table.

NonStop Server Platform Security Solutions

Product: XYGATE /AC - Access Control
Description: Enables administrators to grant privileges to NonStop staff according to job function. XYGATE /AC extends native NonStop security into the area of actions, where security is based on what a user does, providing keystroke auditing of sessions initiated in both Guardian and OSS environments.
HIPAA Standards: (a)(1) Access Control; (c) Integrity

Product: XYGATE /CM - (Fully Supported) CMON
Description: Facilitates your security and access control needs, as well as system performance needs. This fully supported $CMON process supplies auditing of pre-logon Guardian userids or aliases, terminal device logon restrictions, double logon to sensitive userids and parameter customization by userid. Port entries in the CMACL file control access based on TCP/IP address as well as ASYNC/LAN address. XYGATE /CM permits complete end-to-end program execution audits, and placement and use of resources specified by user, requesting program, and other criteria. It gives you the ability to make virtually all processes follow $CMON directives on CPU use and priority.
HIPAA Standards: (a)(1) Security Management; (a)(1) Access Control; (c) Integrity; (d) Person or Entity Authentication

Product: XYGATE /MA - Merged Audit
Description: Integrates many audit trails across multiple NonStop nodes into a single source for audit information. Pre-formatted reports provide the most commonly requested data, and you can create custom reports with timely mixes of information from Safeguard, Measure, EMS and all XYGATE security products. XYGATE /MA also supports automatic alerts, sending messages to a designated EMS process, a third-party IP monitor or any addresses you choose.
HIPAA Standards: Security Standards: General Rules; (a)(1) Security Management; (a)(1) Access Control; (c) Integrity; (d) Person or Entity Authentication

Product: XYGATE /OS - Dynamic Object Security
Description: Brings to HP NonStop servers a dynamic, pattern-oriented method of Access Control List security for objects. Rules based on many characteristics including object name, Safeguard alias and userid extend the ability to govern the use of operational privileges beyond Read, Write, Execute and Purge to include Rename, License, PROGID and the entire operations set supported by NonStop servers.
HIPAA Standards: (c) Integrity

Product: XYGATE /PQ - Password Quality
Description: Easily sets and enforces rules to govern password characteristics, systematically standardizing and strengthening passwords for NonStop server support staff. Rules can be pre-specified for any combination of eight different quality characteristics. Alternately, a random system-generated password can be applied. Updating network passwords across all nodes, automatic expiration at initial logon, password splitting, and warning-mode operation are some of the other standard features.
HIPAA Standards: (a)(1) Access Control; (d) Person or Entity Authentication

Product: XYGATE /PC - Process Control
Description: Implements the same type of assignable privileges to control the running of processes as XYGATE /AC supplies for interacting with those processes. XYGATE /PC can be configured to allow a non-privileged userid to STOP, DEBUG, ALTPRI, SUSPEND, and ACTIVATE any other user's running process. Additional keyword-based controls can be placed in the PCACL file to qualify processes by name, owner, hometerm, CPU, and object file name. Unlike the TACL process control commands, XYGATE /PC allows users to manipulate processes using wildcard selection criteria.
HIPAA Standards: (a)(1) Access Control; (c) Integrity; (d) Person or Entity Authentication

Product: XYGATE /SM - Safeguard Manager
Description: Enables management of NonStop server security via a familiar and friendly Windows interface, streamlining administration for Safeguard global settings, users and aliases as well as object ACLs. This product is simple to use yet versatile, meeting such security administrator needs as research by object or subject and changes applied to a single NonStop node or to many nodes at once. XYGATE /SM's form-based screens allow the security manager to focus on what needs to be done rather than how to do it.
HIPAA Standards: (a)(1) Access Control; (c) Integrity; (d) Person or Entity Authentication

Product: XYGATE /SR - Safeguard Reports
Description: Bypasses the arcane and cumbersome syntax, the lack of formatting options and the inflexibility of traditional reporting tools. XYGATE /SR streamlines security audit reporting for Safeguard activity with flexibility and ease. This product provides a full range of pre-formatted reports containing just the information you need, and you can select the content of those reports in a user-friendly, check-this-box fashion.
HIPAA Standards: (c) Integrity; (d) Person or Entity Authentication

Product: XYGATE /SP - Spooler Manager, Peruse & Archive
Description: Lets you manage the attributes of NonStop server print jobs and control your spooler via a single utility. XYGATE /SP also provides Archive and Compare capabilities. Access is based on job function, without the need to use a SUPER userid.
HIPAA Standards: (a)(1) Access Control; (e) Transmission Security

Product: XYGATE /SW - Security Compliance Wizard
Description: Streamlines efforts to establish, monitor and report on compliance with your information security policy. XYGATE /SW comes preconfigured with all the Best Practices from the definitive reference manual for securing NonStop servers. Using reports revealing how your system security configurations differ from the Best Practice policy base, you can create or modify rules to fit your company's current situation and security policy. Automatically batched collection cycles help you track the implementation of security policies across major events like system upgrades, application deployment, etc.
HIPAA Standards: Security Standards: General Rules

Product: XYGATE /UA - User Authentication
Description: Supports greater flexibility and control, providing more effective and streamlined user authentication. XYGATE /UA brings to the NonStop server environment such industry-best authentication capabilities as multi-factor authentication, logon-specific audit reporting and sophisticated logon error management options at the individual userid level.
HIPAA Standards: (a)(1) Access Control; (c) Integrity; (d) Person or Entity Authentication

Multi-Platform Encryption Solutions

Product: XYGATE /EF - Encrypted FTP & Site Security
Description: Adds protections to FTP, making it easy to encrypt both the data and command channels for transmissions from NonStop Server to NonStop Server as well as between NonStop Servers and other system types. XYGATE /EF supports both triple DES and SSL, streamlining key exchange and certificate issues. It also enables you to restrict access to commands and file locations on NonStop server FTP sites to authorized users only.
HIPAA Standards: (a) Access Control; (c) Integrity; (e) Transmission Security

Product: XYGATE /KM - Encryption Key Management
Description: Automates most key management functions and requires no expertise with encryption algorithms. XYGATE /KM supports a variety of key types with centralized static key management for NonStop servers and a subset of functions for endpoints running on NonStop, OS390, Windows, HPUX and Solaris systems.
HIPAA Standards: (a) Access Control; (c) Integrity; (e) Transmission Security

Product: XYGATE /ESDK - Encryption Software Developer Kit
Description: Provides a simple, API-based solution for incorporating strong encryption into your applications, communications and databases. Crypto mechanisms have been tested and proven effective through scrutiny by the cryptographic community and wide industrial use on a variety of computer platform types.
HIPAA Standards: (a) Access Control; (c) Integrity; (e) Transmission Security

Product: XYGATE /FE - File Encryption
Description: Protects the privacy of file data in-house and in transit. XYGATE /FE runs on multiple computer platforms and may be deployed with fixed encryption keys or with XYGATE /KM for centralized static key management.
HIPAA Standards: (a) Access Control; (c) Integrity; (e) Transmission Security

Product: XYGATE /SE - Session Encryption
Description: Composed of related client and server components, provides encryption for just about any type of communications between two computer systems, including interactive sessions, transaction sessions and file transfer sessions.
HIPAA Standards: (a) Access Control; (c) Integrity; (e) Transmission Security

APPENDIX A: EXCERPTS FROM HIPAA

SECURITY STANDARDS: GENERAL RULES.

(a) General requirements. Covered entities must do the following:
(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.
(4) Ensure compliance with this subpart by its workforce.

(b) Flexibility of approach.
(1) Covered entities may use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart.
(2) In deciding which security measures to use, a covered entity must take into account the following factors:
(i) The size, complexity, and capabilities of the covered entity.
(ii) The covered entity's technical infrastructure, hardware, and software security capabilities.
(iii) The costs of security measures.
(iv) The probability and criticality of potential risk to electronic protected health information.

(c) Standards. A covered entity must comply with the standards as provided in this section and in , , , , and with respect to all electronic protected health information.

(d) Implementation specifications. In this subpart:
(1) Implementation specifications are required or addressable. If an implementation specification is required, the word "Required" appears in parentheses after the title of the implementation specification. If an implementation specification is addressable, the word "Addressable" appears in parentheses after the title of the implementation specification.
(2) When a standard adopted in , , , , or includes required implementation specifications, a covered entity must implement the implementation specifications.
(3) When a standard adopted in , , , , or includes addressable implementation specifications, a covered entity must--
(i) Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting the entity's electronic protected health information; and
(ii) As applicable to the entity--
(A) Implement the implementation specification if reasonable and appropriate; or

(B) If implementing the implementation specification is not reasonable and appropriate--
(1) Document why it would not be reasonable and appropriate to implement the implementation specification; and
(2) Implement an equivalent alternative measure if reasonable and appropriate.

(e) Maintenance. Security measures implemented to comply with standards and implementation specifications adopted under and this subpart must be reviewed and modified as needed to continue provision of reasonable and appropriate protection of electronic protected health information as described at

ADMINISTRATIVE SAFEGUARDS

(a)(1) - Security Management Process. Implement policies and procedures to prevent, detect, contain, and correct security violations.
(R) [REQUIRED] - Risk Analysis. Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
(R) [REQUIRED] - Risk Management. Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with (a).
(R) [REQUIRED] - Sanction Policy. Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity. (Statements regarding disciplinary actions that are communicated to all employees, agents, and contractors; for example, verbal warning, notice of disciplinary action placed in personnel files, removal of system privileges, termination of employment and contract penalties.)
(R) [REQUIRED] - Information System Activity Review. Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

(a)(5) Security Awareness. Implement a security awareness and training program for all members of its workforce (including management).
(A) [ADDRESSABLE] Security Reminders. Implement periodic security updates.
(A) [ADDRESSABLE] Protection from Malicious Software. Implement procedures for guarding against, detecting, and reporting malicious software.
(A) [ADDRESSABLE] Log-In Monitoring. Implement procedures for monitoring log-in attempts and reporting discrepancies.
(A) [ADDRESSABLE] Password Management. Implement procedures for creating, changing, and safeguarding passwords.

TECHNICAL SAFEGUARDS

(a)(1) Access Control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in (a)(4).
(R) [REQUIRED] Unique User Identifier. Assign a unique name and/or number for identifying and tracking user identity.
(R) [REQUIRED] Emergency Access Procedure. Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.
(A) [ADDRESSABLE] Automatic Logoff. Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
(A) [ADDRESSABLE] Encryption and Decryption. Implement a mechanism to encrypt and decrypt electronic protected health information.

(b) Audit Controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

(c) Integrity. Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
(A) [ADDRESSABLE] Mechanism to Authenticate Electronic Protected Health Information. Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.

(d) Person or Entity Authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
(R) [REQUIRED] - Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

(e) Transmission Security. Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
(A) [ADDRESSABLE] Integrity Controls. Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.
(A) [ADDRESSABLE] Encryption. Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.


The HIPAA Security Rule Primer A Guide For Mental Health Practitioners The HIPAA Security Rule Primer A Guide For Mental Health Practitioners Distributed by NASW Printer-friendly PDF 2006 APAPO 1 Contents Click on any title below to jump to that page. 1 What is HIPAA? 3 2

More information

HIPAA Privacy & Security White Paper

HIPAA Privacy & Security White Paper HIPAA Privacy & Security White Paper Sabrina Patel, JD +1.718.683.6577 sabrina@captureproof.com Compliance TABLE OF CONTENTS Overview 2 Security Frameworks & Standards 3 Key Security & Privacy Elements

More information

HIPAA/HITECH: A Guide for IT Service Providers

HIPAA/HITECH: A Guide for IT Service Providers HIPAA/HITECH: A Guide for IT Service Providers Much like Arthur Dent in the opening scene of The Hitchhiker s Guide to the Galaxy (HHGTTG), you re experiencing the impact of new legislation that s infringing

More information

Best Practices for PCI DSS V3.0 Network Security Compliance

Best Practices for PCI DSS V3.0 Network Security Compliance Best Practices for PCI DSS V3.0 Network Security Compliance January 2015 www.tufin.com Table of Contents Preparing for PCI DSS V3.0 Audit... 3 Protecting Cardholder Data with PCI DSS... 3 Complying with

More information

GoToAssist Remote Support HIPAA compliance guide

GoToAssist Remote Support HIPAA compliance guide GoToAssist emote Support HIPAA compliance guide Privacy, productivity and remote support 2 The healthcare industry has benefited greatly from the ability to receive remote support from technology providers

More information

Krengel Technology HIPAA Policies and Documentation

Krengel Technology HIPAA Policies and Documentation Krengel Technology HIPAA Policies and Documentation Purpose and Scope What is Protected Health Information (PHI) and What is Not What is PHI? What is not PHI? The List of 18 Protected Health Information

More information

Information Technology Branch Access Control Technical Standard

Information Technology Branch Access Control Technical Standard Information Technology Branch Access Control Technical Standard Information Management, Administrative Directive A1461 Cyber Security Technical Standard # 5 November 20, 2014 Approved: Date: November 20,

More information

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant 1 HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant Introduction U.S. healthcare laws intended to protect patient information (Protected Health Information or PHI) and the myriad

More information

Enforcive / Enterprise Security

Enforcive / Enterprise Security TM Enforcive / Enterprise Security End to End Security and Compliance Management for the IBM i Enterprise Enforcive / Enterprise Security is the single most comprehensive and easy to use security and compliance

More information

SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION

SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION Please Note: 1. THIS IS NOT A ONE-SIZE-FITS-ALL OR A FILL-IN-THE BLANK COMPLIANCE PROGRAM.

More information

Estate Agents Authority

Estate Agents Authority INFORMATION SECURITY AND PRIVACY PROTECTION POLICY AND GUIDELINES FOR ESTATE AGENTS Estate Agents Authority The contents of this document remain the property of, and may not be reproduced in whole or in

More information

Implementing HIPAA Compliance with ScriptLogic

Implementing HIPAA Compliance with ScriptLogic Implementing HIPAA Compliance with ScriptLogic A ScriptLogic Product Positioning Paper By Nick Cavalancia 1.800.424.9411 www.scriptlogic.com Table of Contents INTRODUCTION... 3 HIPAA BACKGROUND... 3 ADMINISTRATIVE

More information

IBM Data Security Services for endpoint data protection endpoint data loss prevention solution

IBM Data Security Services for endpoint data protection endpoint data loss prevention solution Automating policy enforcement to prevent endpoint data loss IBM Data Security Services for endpoint data protection endpoint data loss prevention solution Highlights Protecting your business value from

More information

Central Agency for Information Technology

Central Agency for Information Technology Central Agency for Information Technology Kuwait National IT Governance Framework Information Security Agenda 1 Manage security policy 2 Information security management system procedure Agenda 3 Manage

More information

HIPAA Compliance with LT Auditor+

HIPAA Compliance with LT Auditor+ HIPAA Compliance with LT Auditor+ An Executive White Paper By BLUE LANCE, Inc. BLUE LANCE INC. www.bluelance.com 713.255.4800 info@bluelance.com On February 20, 2003, the Department of Health and Human

More information

ADMINISTRATIVE POLICY # 32 8 117 (2014) Remote Access. Policy Number: ADMINISTRATIVE POLICY # 32 8 117 (2014) Remote Access

ADMINISTRATIVE POLICY # 32 8 117 (2014) Remote Access. Policy Number: ADMINISTRATIVE POLICY # 32 8 117 (2014) Remote Access Policy Title: Remote Access Policy Type: Administrative Policy Number: ADMINISTRATIVE POLICY # 32 8 117 (2014) Remote Access Approval Date: 05/20/2014 Revised Responsible Office: Office of Information

More information

White Paper. From Policy to Practice: A Practical Guide to Implementing HIPAA Security Safeguards

White Paper. From Policy to Practice: A Practical Guide to Implementing HIPAA Security Safeguards From Policy to Practice: A Practical Guide to Implementing HIPAA Security Safeguards Abstract HIPAA requires a number of administrative, technical, and physical safeguards to protect patient information

More information

HIPAA Compliance for the Wireless LAN

HIPAA Compliance for the Wireless LAN White Paper HIPAA Compliance for the Wireless LAN JUNE 2015 This publication describes the implications of HIPAA (the Health Insurance Portability and Accountability Act of 1996) on a wireless LAN solution,

More information

WHITEPAPER. Evolve your network strategy to meet new threats and achieve expanded business imperatives. Introduction... 1 The HIPAA Security Rule...

WHITEPAPER. Evolve your network strategy to meet new threats and achieve expanded business imperatives. Introduction... 1 The HIPAA Security Rule... WHITEPAPER HIPAA Requirements Addressed By Bradford s Network Sentry Family Evolve your network strategy to meet new threats and achieve expanded business imperatives Introduction.... 1 The HIPAA Security

More information

Five Ways to Improve Electronic Patient Record Handling for HIPAA/HITECH with Managed File Transfer

Five Ways to Improve Electronic Patient Record Handling for HIPAA/HITECH with Managed File Transfer Five Ways to Improve Electronic Patient Record Handling for HIPAA/HITECH with Managed File Transfer 1 A White Paper by Linoma Software INTRODUCTION The healthcare industry is under increasing pressure

More information

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification Type of Policy and Procedure Comments Completed Privacy Policy to Maintain and Update Notice of Privacy Practices

More information

The HIPAA Security Rule Primer Compliance Date: April 20, 2005

The HIPAA Security Rule Primer Compliance Date: April 20, 2005 AMERICAN PSYCHOLOGICAL ASSOCIATION PRACTICE ORGANIZATION Practice Working for You The HIPAA Security Rule Primer Compliance Date: April 20, 2005 Printer-friendly PDF 1 Contents Click on any title below

More information

The Impact of HIPAA and HITECH

The Impact of HIPAA and HITECH The Health Insurance Portability & Accountability Act (HIPAA), enacted 8/21/96, was created to protect the use, storage and transmission of patients healthcare information. This protects all forms of patients

More information