XYGATE & HIPAA COMPLIANCE
A Solution Paper
February, 2005

XYPRO Technology Corporation
3325 Cochran Street, Suite 200
Simi Valley, California U.S.A.
support@xypro.com
Copyright 2005 by XYPRO Technology Corporation. All rights reserved.

Trademark Acknowledgments

The following are trademarks or service marks of Hewlett-Packard Company: Distributed System Management (DSM), EDIT, ENFORM, Enscribe, Event Management Service (EMS), FUP, Guardian, MEASURE, NETBATCH, NonStop, NonStop Kernel, NonStop SQL, PATHCOM, PATHWAY, SAFECOM, SAFEGUARD, SCUP, SPOOLCOM, TACL, TEDIT.

The following are trademarks or service marks of XYPRO Technology Corporation: XY-2K, XYCLOPS, XYDOC, XYDOC II, XYGATE, XYGATE/AC, XYGATE/CD, XYGATE/CM, XYGATE/EFTP, XYGATE/ESDK, XYGATE/FE, XYGATE/KM, XYGATE/LD, XYGATE/MA, XYGATE/MI, XYGATE/OS, XYGATE/PC, XYGATE/PM UM, XYGATE/PQ, XYGATE/SE, XYGATE/SE40, XYGATE/SM, XYGATE/SP, XYGATE/SR, XYGATE/SW, XYGATE/UA, XYPRO, XYTIMER, XYWATCH.
TABLE OF CONTENTS

INTRODUCTION
DEFINITION OF PRINCIPALS
REQUIREMENTS IN HP NONSTOP SERVER ENTERPRISES
  Administrative Safeguards
    STANDARD: Security Management Process
    STANDARD: Security Awareness Training
  Technical Safeguards
    STANDARD: Access Control
    STANDARD: Audit Controls
    STANDARD: Integrity
    STANDARD: Person or Entity Identity
    STANDARD: Transmission Security
CONCLUSIONS
DISCLAIMER
XYGATE PRODUCT TABLE
APPENDIX A: EXCERPTS FROM HIPAA
INTRODUCTION

The Health Insurance Portability and Accountability Act (HIPAA) has the following general objectives:

- Guarantee health insurance coverage of employees.
- Reduce health care fraud and abuse.
- Introduce/implement administrative simplification to increase effectiveness and efficiency of the health care system.
- Protect the health information of individuals against unauthorized access.

This last objective is where XYPRO products will bring the most benefits to customers striving to comply with HIPAA regulations within their HP NonStop Server enterprises.

This paper is intended for general informational purposes and does not contain exact definitions or guidelines on compliance. Indeed, the scalability factor (a single doctor's office versus a large corporate health provider) and the fact that risk assessment and mitigation are moving targets make any generic checklist unfeasible. This paper does list some of the major parts of the security standards set forth in HIPAA regulations and points to the XYPRO products that can provide a company with the technological tools to implement the policies and procedures needed to achieve compliance. Product tables toward the end of this document describe each XYPRO product cross-referenced to the standards it can be used to meet. Excerpts from the HIPAA regulations are provided in Appendix A.

DEFINITIONS & PRINCIPALS

Covered Entities (CEs) are defined by HIPAA as health plans, health care clearinghouses, and health care providers who maintain or transmit identifiable health information in any form: oral, written, or electronic. This information is referred to as Protected Health Information (PHI). HIPAA defines a series of measures that CEs must take to protect such information. Many sections of these measures involve areas that must be implemented by management, such as creation, implementation, review, and revision of written policies and procedures. XYPRO's XYGATE products are the tools that allow IT departments to achieve compliance with such policies, as well as provide reporting to illustrate that compliance goals are being met.

HIPAA is scalable. Each CE needs to meet the specific needs and feasibility of each facility. A single doctor's office may be able to address HIPAA with a much smaller plan and much less automation than a large corporate medical provider might need.

Risk assessment and mitigation are not static entities. HIPAA stresses that risk assessment and mitigation planning must be continuous processes and are to be reviewed often. New plans must be developed and implemented based on current and new threats as well as new technologies in today's fast-moving world of electronic business.
HIPAA specifically states that patient care cannot be interrupted or its quality affected in a negative way. This legislation points out that the most important objective of CEs is to take care of their patients.

HIPAA can reach outside CEs. Application Service Providers (ASPs) are third-party providers operating information systems located remotely but hosting data of the hospital and its patients. Outreach, remote vendors and other third parties servicing hospital equipment are also examples of entities to whom HIPAA regulations may apply.

REQUIREMENTS & NONSTOP SERVER ENTERPRISES

Part 164, Security and Privacy, of HIPAA most directly relates to Information Technology (IT). The sections Administrative Safeguards and Technical Safeguards relate directly to needs that XYGATE products can satisfy. These sections contain standards and their corresponding implementation specifications. Implementation specifications are classified (R), REQUIRED, or (A), ADDRESSABLE. If a standard is ADDRESSABLE, then CEs may use some discretion as to whether each implementation specification is a reasonable and appropriate safeguard in its environment or an equivalent alternative measure is reasonable and appropriate. What follows is a list of selected standards and how XYGATE products can help CEs achieve compliance.

Administrative Safeguards

STANDARD (a)(1) - Security Management Process. Implement policies and procedures to prevent, detect, contain, and correct security violations.

IMPLEMENTATIONS: REQUIRED; ADDRESSABLE

REQUIRED - Risk Analysis. Conduct an accurate and thorough assessment of the potential risks and vulnerabilities appropriate to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.

REQUIRED - Risk Management. Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with (a). (See Appendix A.)
XYPRO Solutions

The two preceding specifications show the need for HP NonStop Server Security: A Practical Handbook. Authored by XYPRO and published by HP, this is the definitive reference for using native NonStop security products like Guardian and Safeguard. It provides practical guidance about administration, authorization, authentication, auditing and Best Practices.

The XYGATE Security Compliance Wizard (/SW) can be used to compare the Best Practices documented in the handbook to a NonStop server environment, producing a comprehensive report that documents where a particular system complies and where it differs. Justification for variances can be annotated for tracking purposes and included in audit reports. XYGATE /SW is a Windows-based wizard that makes it possible to develop security policy and monitor compliance for an entire NonStop server enterprise from authorized desktop PCs.

REQUIRED - Sanction Policy. Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity. (Statements regarding disciplinary actions that are communicated to all employees, agents, and contractors; for example, verbal warning, notice of disciplinary action placed in personnel files, removal of system privileges, termination of employment and contract penalties.)

REQUIRED - Information System Activity Review. Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

XYPRO Solutions

XYGATE Merged Audit (/MA) software lets authorized users create reports with timely mixes of information from Safeguard and Measure as well as all of the other XYGATE security products. Data is collected from multiple audit data sources and multiple NonStop servers, then combined to produce a single reporting repository for a total audit picture. For routine audit reports, XYGATE /MA can be set to screen out data that is always present and irrelevant (permitted logons, for example). The customizable filters catch information that isn't desired and allow it to be excluded from the audit files. For audit information too critical to wait for the next audit report cycle, XYGATE /MA supports automatic alerts, sending messages to an EMS process, a third-party IP monitor, and specified e-mail addresses (perhaps for forwarding to devices able to receive text messages, i.e., support staff mobile phones).

All audit data is loaded into a single SQL database on the system where XYGATE /MA is headquartered. Centralization of data is fundamental to the combined system reporting available. It also simplifies custom report generation and off-the-cuff queries using SQLCI or any PC-based SQL product that can retrieve data from a host system. Along with customized report generation, this product includes a set of standard reports for such popular topics as Alerts Issued, Logons, Failed Logons, Subject User vs. Target User and SUPER.SUPER usage.

STANDARD (a)(5) - Security Awareness. Implement a security awareness and training program for all members of its workforce (including management).

IMPLEMENTATIONS: REQUIRED; ADDRESSABLE

ADDRESSABLE - Security Reminders. Implement periodic security updates.
ADDRESSABLE - Protection from Malicious Software. Implement procedures for guarding against, detecting, and reporting malicious software.

ADDRESSABLE - Log-In Monitoring. Implement procedures for monitoring log-in attempts and reporting discrepancies.

ADDRESSABLE - Password Management. Implement procedures for creating, changing, and safeguarding passwords.

XYPRO Solutions

The XYGATE suite includes Access Control (for Guardian and OSS), Process Control, CMON, and Spoolcom/Peruse/Archive tools. Together these products provide the core of a well-secured NonStop system, including:

- Individual accountability, restricting each user to a list of authorized actions based on that user's job functions
- Comprehensive auditing with flexible reporting
- A $CMON process that administers logon-to-logoff session controls and load balancing
- Protection of SPOOLER reports, enhanced by eliminating the need for a SUPER group id to access print jobs and adding the ability to limit and audit user actions by command, subcommand, supervisor, collector, object, and subject (user).

To extend core security, XYGATE includes tools specific to implementing more of the ADDRESSABLE issues above, with controls and reporting that are both highly granular and flexible.

XYGATE Password Quality (/PQ) makes it possible to set rules to govern password characteristics with more granularity than native NonStop security or Safeguard. XYGATE /PQ then enforces those rules, standardizing and strengthening passwords for the NonStop server support staff across all nodes. All this can be done from XYGATE's Windows-based GUI running on authorized workstation PCs.

XYGATE User Authentication further enhances logon security by providing granular, efficient logon controls, while eliminating the need for privileged logons such as SUPER.SUPER ids.
Pre-production testing of logon rules, early detection of intrusion attempts, logons to sensitive userids, and two-factor authentication are all standard features of this product.

XYGATE Safeguard Manager is a graphical interface enabling authorized users to configure and control Safeguard global settings, users, aliases and object Access Control Lists (ACLs) from their workstation PCs. Configuration updates can be propagated to a single node, some nodes, or all nodes in a NonStop network. Remote password maintenance updates can be applied to a single user, hundreds, or thousands. Flexible grids make it easy to sort data and then drill down for details.

XYGATE Dynamic Object Security (/OS) enables creation and implementation of rules for dynamic, pattern-oriented ACL administration containing Regular Expressions. Rules can be based on many characteristics including object name, Safeguard alias, and userid. In addition, XYGATE /OS rules make it possible to govern the use of operational privileges not only for Read, Write, Execute, and Purge, but for Rename, License, and the entire operations set supported by NonStop Servers.

Technical Safeguards

STANDARD (a)(1) - Access Control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in (a)(4).

IMPLEMENTATIONS: REQUIRED; ADDRESSABLE

REQUIRED - Unique User Identifier. Assign a unique name and/or number for identifying and tracking user identity.

REQUIRED - Emergency Access Procedure. Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.

ADDRESSABLE - Automatic Logoff. Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.

ADDRESSABLE - Encryption and Decryption. Implement a mechanism to encrypt and decrypt electronic protected health information.

XYPRO Solutions

XYGATE is a single solution set that efficiently meets the HIPAA Access Control standard in a variety of ways.

XYGATE Access Control (/AC) allows the functional properties of one Guardian userid to be allocated and controlled for other userids, eliminating the need for direct use or sharing of privileged userids such as SUPER.SUPER. This tool not only includes controls over what programs a user is allowed to run, but also enables command-level security for the programs that the user is allowed to run. All users are able to perform their regular job functions as well as have emergency access capabilities using their own unique userid in an audited environment. XYGATE /AC commands also have the capability to request the user's password upon entry to a privileged command and/or after a timeout period of inactivity.

XYGATE CMON forces users to logon to a personal userid before logging on to SUPER.SUPER or other power userids. Additional capabilities enable security administrators to restrict users/programs to specific ports/IP addresses, audit all user logons/logoffs and enforce automatic logoffs.
XYGATE File Encryption & Key Management allows encryption of files, both stored on the system and in transit. It features support for multiple platforms (NonStop, Windows, Unix, OS390, etc.) and multiple file formats (binary, ASCII and EBCDIC data).

XYGATE Session Encryption provides end-to-end encryption to protect privacy for many types of sessions: between your NonStop Servers, and between your NonStop Servers and their network-connected PCs and other computer platforms as well. Examples include:

- Interactive sessions using Telnet, Multi-LAN, RS232, Async, 6530 or ASCII emulation
- Transaction sessions using bulk transfer products like ODBC, TOP and RSC
- FTP sessions using dual channels, one for data and another for commands, userids and passwords
- NonStop Windows sessions performing crypto proxy services, as done using SSL mechanisms with SafeTGate

XYGATE Encryption Software Developer Kit (/ESDK) provides APIs to encryption-enable your own applications, databases and communications. It includes support for DES, triple DES, a variety of other algorithms as well as crypto key mechanisms. XYGATE /ESDK is usable across multiple platforms and includes a digital signature mechanism to ensure data is unaltered during transmission.

STANDARD (b) - Audit Controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

IMPLEMENTATIONS: REQUIRED

REQUIRED - Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

XYPRO Solutions

XYGATE Safeguard Reports (/SR) streamlines security audit reporting for NonStop server environments and enables reporting for Safeguard activities with flexibility and ease. XYGATE /SR provides a full range of pre-formatted reports, plus the ability to alter the content to meet your exact needs.
XYGATE /SR is a stand-alone product, but can be combined with other XYGATE products to further ease the effort of security audit reporting.

XYGATE Merged Audit (/MA) supplies automated and comprehensive auditing that can be combined to produce a single report providing a total picture in a timely and convenient manner. XYGATE /MA provides centralized reporting for all security-related audit logs (Safeguard, XYGATE, EMS, Measure). It facilitates the use of host- or PC-based standard tools for reports, e.g. MS Access, Excel, ODBC, Crystal Reports. This product also provides automatic alerting for security events like more than 5 failed logons in 2 minutes, SUPER.SUPER logons at certain times of day, invalid file access, etc. Alerts can be via EMS event, message to an IP address, custom (via user-written TACL macro) or e-mail (perhaps for forwarding to devices able to receive text messages, i.e. support staff cell phones).

STANDARD (c) - Integrity. Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.

IMPLEMENTATIONS: REQUIRED; ADDRESSABLE

ADDRESSABLE - Mechanism to Authenticate Electronic Protected Health Information. Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.

STANDARD (d) - Person or Entity Authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

IMPLEMENTATIONS: REQUIRED; ADDRESSABLE

REQUIRED - Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

XYPRO Solutions

Long before HIPAA requirements, XYGATE has been protecting integrity and authentication as it secures against unauthorized access to or alteration of protected information by internal users and external intruders. XYGATE Access Control and Process Control sit between user terminals and the utility/application programs that users need in order to perform their assigned duties. Access Control Lists (ACLs) define who can have access to which privileges, in which programs, from which terminals and at what level of functionality.

XYGATE User Authentication (/UA) brings industry-best user authentication capabilities to NonStop server environments. Like many other XYPRO products, XYGATE /UA expands upon security functions native to NonStop systems, providing customer-requested enhancements like multi-factor authentication, sophisticated logon error management options and logon-specific audit reporting.
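
The /MA alert rules quoted under Audit Controls above (more than 5 failed logons in 2 minutes, SUPER.SUPER logons at certain times of day) and the "permitted logon" filtering described under Information System Activity Review, as an added illustration that is not XYPRO's code: the record layout, the userids and terminal names, and the 08:00 to 18:00 permitted window for SUPER.SUPER are all constructed assumptions, not a real Safeguard or XYGATE audit format.

```python
"""Threshold and time-of-day alerting over logon audit records, in the style
of the XYGATE /MA alert rules described in the paper. Added example, not
XYPRO code; the audit line layout below is CONSTRUCTED for this illustration."""
from collections import defaultdict, deque
from datetime import datetime, time, timedelta

SENSITIVE_USERS = {"SUPER.SUPER"}           # assumption: the "power userids"
FAIL_THRESHOLD = 5                           # alert when MORE than 5 failures ...
FAIL_WINDOW = timedelta(minutes=2)           # ... fall within any 2-minute window
BUSINESS_HOURS = (time(8, 0), time(18, 0))   # assumption: permitted SUPER.SUPER hours

# Constructed sample records: date, time, event, userid, source terminal.
SAMPLE_AUDIT = """\
2005-02-14 09:00:05 LOGON_OK   OPS.JOE     $ZTN0.#PTABCD
2005-02-14 09:01:10 LOGON_FAIL OPS.JOE     $ZTN0.#PTABCD
2005-02-14 09:01:25 LOGON_FAIL OPS.JOE     $ZTN0.#PTABCD
2005-02-14 09:01:40 LOGON_FAIL OPS.JOE     $ZTN0.#PTABCD
2005-02-14 09:01:55 LOGON_FAIL OPS.JOE     $ZTN0.#PTABCD
2005-02-14 09:02:10 LOGON_FAIL OPS.JOE     $ZTN0.#PTABCD
2005-02-14 09:02:30 LOGON_FAIL OPS.JOE     $ZTN0.#PTABCD
2005-02-14 12:30:00 LOGON_OK   SUPER.SUPER $ZTN0.#PTWXYZ
2005-02-14 23:15:42 LOGON_OK   SUPER.SUPER $ZTN0.#PTWXYZ
2005-02-15 03:05:00 LOGON_FAIL OPS.ANN     $ZTN1.#PT0001
"""


def parse_records(text):
    """Parse the constructed whitespace-separated audit lines into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        date, clock, event, userid, source = line.split()
        records.append({
            "ts": datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"),
            "event": event,
            "userid": userid,
            "source": source,
        })
    return records


def filter_routine(records):
    """Screen out data that is 'always present and irrelevant': successful
    logons by non-sensitive users. Failures and sensitive-user logons stay."""
    return [r for r in records
            if not (r["event"] == "LOGON_OK" and r["userid"] not in SENSITIVE_USERS)]


def evaluate_alerts(records):
    """Return (timestamp, rule, userid, detail) tuples for every rule hit."""
    alerts = []
    recent_failures = defaultdict(deque)     # userid -> failure times in window
    for r in sorted(records, key=lambda rec: rec["ts"]):
        if r["event"] == "LOGON_FAIL":
            window = recent_failures[r["userid"]]
            window.append(r["ts"])
            # Sliding window: drop failures older than FAIL_WINDOW.
            while window and r["ts"] - window[0] > FAIL_WINDOW:
                window.popleft()
            if len(window) > FAIL_THRESHOLD:
                alerts.append((r["ts"], "FAILED_LOGON_BURST", r["userid"],
                               f"{len(window)} failures within {FAIL_WINDOW}"))
                window.clear()               # one alert per burst, not per attempt
        elif r["event"] == "LOGON_OK" and r["userid"] in SENSITIVE_USERS:
            start, end = BUSINESS_HOURS
            if not (start <= r["ts"].time() < end):
                alerts.append((r["ts"], "SENSITIVE_LOGON_OFF_HOURS", r["userid"],
                               f"logon from {r['source']} at {r['ts'].time()}"))
    return alerts


def format_ems_style(alert):
    """Render an alert as one text line for an EMS, IP-monitor or e-mail sink."""
    ts, rule, userid, detail = alert
    return f"{ts:%Y-%m-%d %H:%M:%S} {rule} user={userid} {detail}"


if __name__ == "__main__":
    recs = parse_records(SAMPLE_AUDIT)
    for alert in evaluate_alerts(recs):
        print(format_ems_style(alert))
    print(f"{len(recs)} records, {len(filter_routine(recs))} after routine filter")
```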
XYGATE Password Quality (/PQ) lets you set rules to govern password characteristics. Minimum number of upper/lower case letters and numbers, control characters, special characters, repeating characters and excluded characters are among the options provided. Also included are NonStop network-wide password updates: when a user changes a password on one system, XYGATE /PQ encrypts and propagates the changes across all systems for which the userid/alias has a valid network connection. System-generated passwords and password splitting can be enabled. Automatic password expiration at first logon and a defined owner of password changes make this product very helpful in meeting and maintaining user authentication standards.

XYGATE CMON facilitates your security and access control, as well as system performance needs. XYGATE offers a fully supported $CMON process with:

- Auditing of pre-logon Guardian userids and aliases
- Terminal device logon restrictions
- Double logon to sensitive userids
- Parameter customization by userid
- Access control by TCP/IP address or ASYNC/LAN address
- Complete end-to-end program execution audits

STANDARD (e) - Transmission Security. Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.

IMPLEMENTATIONS: REQUIRED; ADDRESSABLE

ADDRESSABLE - Integrity Controls. Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.

ADDRESSABLE - Encryption. Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.

XYPRO Solutions

XYGATE File Encryption & Key Management allows encryption of files, both stored on the system and in transit. It features support for multiple platforms (NonStop, Windows, Unix, OS390, etc.) and multiple file formats (binary, ASCII and EBCDIC data).

XYGATE Session Encryption provides end-to-end encryption to protect privacy for many types of sessions: between your NonStop Servers, and between your NonStop Servers and their network-connected PCs and other computer platforms as well. Supported are:

- Interactive sessions using Telnet, Multi-LAN, RS232, Async, 6530 or ASCII emulation
- Transaction sessions using bulk transfer products like ODBC, TOP and RSC
- FTP sessions using dual channels, one for data and another for commands, userids and passwords
- NonStop Windows sessions performing crypto proxy services, as done using SSL mechanisms with SafeTGate
XYGATE Encryption Software Developer Kit (/ESDK) provides APIs to encryption-enable your own applications, databases and communications. It includes support for DES, triple DES, a variety of other algorithms as well as key mechanisms. XYGATE /ESDK is usable across multiple platforms and includes a digital signature mechanism to ensure data is unaltered during transmission.

CONCLUSIONS

The effort of any one company to become HIPAA compliant will depend on many factors. The size of a company, the management philosophy, and the current state of security policies and procedures are very important considerations in starting such an effort. But if an environment includes NonStop Servers, the XYGATE suite of security tools will ease the transition into the secure environment that HIPAA compliance will require. Regulations like HIPAA bring more pressure on IT management to incorporate products like XYPRO's to bring systems into a best practice mode, which is just not possible with the native GUARDIAN security environment. The continued protection of company assets like NonStop Servers and the data they contain, as well as satisfying the demands of auditors, make the use of security-enhancing products like XYGATE increasingly valuable.

DISCLAIMER

XYPRO has designed this document primarily as educational. Readers should note that this document has not received endorsement from any standard-setting body. Issues discussed in this paper will evolve over time. Accordingly, companies should seek counsel and appropriate advice from their risk advisors and/or auditors. In determining the propriety of any specific procedure or test, the IT professional should apply his or her own professional judgment to specific control circumstances presented by the particular systems or information technology environment.

XYPRO makes no representations or warranties and provides no assurances that an organization's use of this document or XYGATE products will result in full compliance with the requirements of the act. Internal controls, whether automated or manual, no matter how well designed and operated, can provide only reasonable assurance of achieving security control objectives. The likelihood of achievement is affected by limitations inherent to internal control. These include the realities that human judgment in decision-making can be faulty and that breakdowns in internal control can occur because of human factors such as errors or inappropriate override of internal controls.
PRODUCT TABLE

XYGATE products are available in convenient packages or individually, as listed in the following table (Product / Description / HIPAA Standards).

NonStop Server Platform Security Solutions

XYGATE /AC - Access Control
  Description: Enables administrators to grant privileges to NonStop staff according to job function. XYGATE /AC extends native NonStop security into the area of actions, where security is based on what a user does, providing keystroke auditing of sessions initiated in both Guardian and OSS environments.
  HIPAA Standards: (a)(1) Access Control; (c) Integrity

XYGATE /CM - (Fully Supported) CMON
  Description: Facilitates your security and access control needs, as well as system performance needs. This fully supported $CMON process supplies auditing of pre-logon Guardian userids or aliases, terminal device logon restrictions, double-logon to sensitive userids and parameter customization by userid. Port entries in the CMACL file control access based on TCP/IP address as well as ASYNC/LAN address. XYGATE /CM permits complete end-to-end program execution audits, placement and use of resources specified by user, requesting program, and other criteria. It gives you the ability to make virtually all processes follow $CMON directives on CPU use and priority.
  HIPAA Standards: (a)(1) Security Management; (a)(1) Access Control; (c) Integrity; (d) Person or Entity Authentication

XYGATE /MA - Merged Audit
  Description: Integrates many audit trails across multiple NonStop nodes into a single source for audit information. Pre-formatted reports provide the most commonly requested data and you can create custom reports with timely mixes of information from Safeguard, Measure, EMS and all XYGATE security products. XYGATE /MA also supports automatic alerts, sending messages to a designated EMS process, third-party IP monitor or any addresses you choose.
  HIPAA Standards: Security Standards: General Rules; (a)(1) Security Management; (a)(1) Access Control; (c) Integrity; (d) Person or Entity Authentication

XYGATE /OS - Dynamic Object Security
  Description: Brings to HP NonStop servers a dynamic, pattern-oriented method of Access Control List security for objects. Rules based on many characteristics including object name, Safeguard alias and userid extend the ability to govern the use of operational privileges beyond Read, Write, Execute and Purge, to include Rename, License, PROGID and the entire operations set supported by NonStop servers.
  HIPAA Standards: (c) Integrity
XYGATE /PQ - Password Quality
  Description: Easily sets and enforces rules to govern password characteristics, systematically standardizing and strengthening passwords for NonStop server support staff. Rules can be pre-specified for any combination of eight different quality characteristics. Alternately, a random system-generated password can be applied. Updating network passwords across all nodes, automatic expiration at initial logon, password splitting, and warning mode operation are some of the other standard features.
  HIPAA Standards: (a)(1) Access Control; (d) Person or Entity Authentication

XYGATE /PC - Process Control
  Description: Implements the same type of assignable privileges to control the running of processes as XYGATE /AC supplies for interacting with those processes. XYGATE /PC can be configured to allow a non-privileged userid to STOP, DEBUG, ALTPRI, SUSPEND, and ACTIVATE any other user's running process. Additional keyword-based controls can be placed in the PCACL file to qualify processes by name, owner, hometerm, cpu, and object file name. Unlike the TACL process control commands, XYGATE /PC allows users to manipulate processes using wildcard selection criteria.
  HIPAA Standards: (a)(1) Access Control; (c) Integrity; (d) Person or Entity Authentication

XYGATE /SM - Safeguard Manager
  Description: Enables management of NonStop server security via a familiar and friendly Windows interface, streamlining administration for Safeguard global settings, users and aliases as well as object ACLs. This product is simple to use yet versatile, meeting such security administrator needs as research by object or subject, and changes applied to a single NonStop node or over many nodes at once. XYGATE /SM's form-based screens allow the security manager to focus on what needs to be done, rather than how to do it.
  HIPAA Standards: (a)(1) Access Control; (c) Integrity; (d) Person or Entity Authentication

XYGATE /SR - Safeguard Reports
  Description: Bypasses the arcane and cumbersome syntax, the lack of formatting options and the inflexibility of traditional reporting tools. XYGATE /SR streamlines security audit reporting for Safeguard activity with flexibility and ease. This product provides a full range of pre-formatted reports containing just the information you need, and you can select the content of those reports in a user-friendly "check this box" fashion.
  HIPAA Standards: (c) Integrity; (d) Person or Entity Authentication

XYGATE /SP - Spooler Manager, Peruse & Archive
  Description: Lets you manage the attributes of NonStop server print jobs and control your spooler via a single utility. XYGATE /SP also provides Archive and Compare capabilities. Access is based on job function, without the need to use a SUPER userid.
  HIPAA Standards: (a)(1) Access Control; (e) Transmission Security
XYGATE /SW - Security Compliance Wizard
  Description: Streamlines efforts to establish, monitor and report on compliance with your information security policy. XYGATE /SW comes preconfigured with all the Best Practices from the definitive reference manual for securing NonStop servers. Using reports revealing how your system security configurations differ from the Best Practice policy base, you can create or modify rules to fit your company's current situation and security policy. Automatically batched collection cycles help you track the implementation of security policies across major events like system upgrades, application deployment, etc.
  HIPAA Standards: Security Standards: General Rules

XYGATE /UA - User Authentication
  Description: Supports greater flexibility and control, providing more effective and streamlined user authentication. XYGATE /UA brings to the NonStop server environment such industry-best authentication capabilities as multi-factor authentication, logon-specific audit reporting and sophisticated logon error management options at the individual userid level.
  HIPAA Standards: (a)(1) Access Control; (c) Integrity; (d) Person or Entity Authentication

Multi-Platform Encryption Solutions

XYGATE /EF - Encrypted FTP & Site Security
  Description: Adds protections to FTP, making it easy to encrypt both the data and command channels for transmissions from NonStop Server to NonStop Server as well as between NonStop Servers and other system types. XYGATE /EF supports both triple DES and SSL, streamlining key exchange and certificate issues. It also enables you to restrict access to commands and file locations on NonStop server FTP sites to authorized users only.
  HIPAA Standards: (a) Access Control; (c) Integrity; (e) Transmission Security

XYGATE /KM - Encryption Key Management
  Description: Automates most key management functions and requires no expertise with encryption algorithms. XYGATE /KM supports a variety of key types with centralized static key management for NonStop servers and a subset of functions for endpoints running on NonStop, OS390, Windows, HPUX and Solaris systems.
  HIPAA Standards: (a) Access Control; (c) Integrity; (e) Transmission Security

XYGATE /ESDK - Encryption Software Developer Kit
  Description: Provides a simple, API-based solution for incorporating strong encryption into your applications, communications and databases. Crypto mechanisms have been tested and proven effective through scrutiny by the cryptographic community and wide industrial use on a variety of computer platform types.
  HIPAA Standards: (a) Access Control; (c) Integrity; (e) Transmission Security

XYGATE /FE - File Encryption
  Description: Protects the privacy of file data in-house and in transit. XYGATE /FE runs on multiple computer platforms and may be deployed with fixed encryption keys or with XYGATE /KM for centralized static key management.
  HIPAA Standards: (a) Access Control; (c) Integrity; (e) Transmission Security

XYGATE /SE - Session Encryption
  Description: Composed of related client and server components, provides encryption for just about any type of communications between two computer systems, including interactive sessions, transaction sessions and file transfer sessions.
  HIPAA Standards: (a) Access Control; (c) Integrity; (e) Transmission Security
APPENDIX A: EXCERPTS FROM HIPAA

SECURITY STANDARDS: GENERAL RULES

(a) General requirements. Covered entities must do the following:
(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
(3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.
(4) Ensure compliance with this subpart by its workforce.

(b) Flexibility of approach.
(1) Covered entities may use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart.
(2) In deciding which security measures to use, a covered entity must take into account the following factors:
(i) The size, complexity, and capabilities of the covered entity.
(ii) The covered entity's technical infrastructure, hardware, and software security capabilities.
(iii) The costs of security measures.
(iv) The probability and criticality of potential risk to electronic protected health information.

(c) Standards. A covered entity must comply with the standards as provided in this section and in , , , , and with respect to all electronic protected health information.

(d) Implementation specifications. In this subpart:
(1) Implementation specifications are required or addressable. If an implementation specification is required, the word "Required" appears in parentheses after the title of the implementation specification. If an implementation specification is addressable, the word "Addressable" appears in parentheses after the title of the implementation specification.
(2) When a standard adopted in , , , , or includes required implementation specifications, a covered entity must implement the implementation specifications.
(3) When a standard adopted in , , , , or includes addressable implementation specifications, a covered entity must--
(i) Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting the entity's electronic protected health information; and
(ii) As applicable to the entity--
(A) Implement the implementation specification if reasonable and appropriate; or
(B) If implementing the implementation specification is not reasonable and appropriate--
(1) Document why it would not be reasonable and appropriate to implement the implementation specification; and
(2) Implement an equivalent alternative measure if reasonable and appropriate.

(e) Maintenance. Security measures implemented to comply with standards and implementation specifications adopted under and this subpart must be reviewed and modified as needed to continue provision of reasonable and appropriate protection of electronic protected health information as described at .

ADMINISTRATIVE SAFEGUARDS

(a)(1) Security Management Process. Implement policies and procedures to prevent, detect, contain, and correct security violations.
(R) [REQUIRED] Risk Analysis. Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
(R) [REQUIRED] Risk Management. Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with (a).
(R) [REQUIRED] Sanction Policy. Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity. (Statements regarding disciplinary actions that are communicated to all employees, agents, and contractors; for example, verbal warning, notice of disciplinary action placed in personnel files, removal of system privileges, termination of employment and contract penalties.)
(R) [REQUIRED] Information System Activity Review. Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

(a)(5) Security Awareness Training. Implement a security awareness and training program for all members of its workforce (including management).
(A) [ADDRESSABLE] Security Reminders. Implement periodic security updates.
(A) [ADDRESSABLE] Protection from Malicious Software. Implement procedures for guarding against, detecting, and reporting malicious software.
(A) [ADDRESSABLE] Log-In Monitoring. Implement procedures for monitoring log-in attempts and reporting discrepancies.
(A) [ADDRESSABLE] Password Management. Implement procedures for creating, changing, and safeguarding passwords.

TECHNICAL SAFEGUARDS

(a)(1) Access Control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in (a)(4).
(R) [REQUIRED] Unique User Identifier. Assign a unique name and/or number for identifying and tracking user identity.
(R) [REQUIRED] Emergency Access Procedure. Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.
(A) [ADDRESSABLE] Automatic Logoff. Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
(A) [ADDRESSABLE] Encryption and Decryption. Implement a mechanism to encrypt and decrypt electronic protected health information.

(b) Audit Controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

(c) Integrity. Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
(A) [ADDRESSABLE] Mechanism to Authenticate Electronic Protected Health Information. Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.

(d) Person or Entity Authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
(R) [REQUIRED] Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

(e) Transmission Security. Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
(A) [ADDRESSABLE] Integrity Controls. Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.
(A) [ADDRESSABLE] Encryption. Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
More informationFive Ways to Improve Electronic Patient Record Handling for HIPAA/HITECH with Managed File Transfer
Five Ways to Improve Electronic Patient Record Handling for HIPAA/HITECH with Managed File Transfer 1 A White Paper by Linoma Software INTRODUCTION The healthcare industry is under increasing pressure
More informationPolicies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification
Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification Type of Policy and Procedure Comments Completed Privacy Policy to Maintain and Update Notice of Privacy Practices
More informationThe HIPAA Security Rule Primer Compliance Date: April 20, 2005
AMERICAN PSYCHOLOGICAL ASSOCIATION PRACTICE ORGANIZATION Practice Working for You The HIPAA Security Rule Primer Compliance Date: April 20, 2005 Printer-friendly PDF 1 Contents Click on any title below
More informationThe Impact of HIPAA and HITECH
The Health Insurance Portability & Accountability Act (HIPAA), enacted 8/21/96, was created to protect the use, storage and transmission of patients healthcare information. This protects all forms of patients
More information