How to use the Alertsec Service to Achieve HIPAA Compliance for Your Organization

Transcription

1 How to use the Alertsec Service to Achieve HIPAA Compliance for Your Organization Alertsec offers Cloud Managed - Policy Controlled - Security Modules for Ensuring Compliance at the Endpoints

2 Contents Executive Summary... 3 Building HIPAA Compliance... 4 Who Needs to be HIPAA Compliant... 4 HIPAA Rules... 4 Alertsec HIPAA Safeguards... 5 Section Administrative Safeguards... 5 (a)(1) Standard: Security Management Process... 5 (a)(5) Standard: Security Awareness and Training... 6 Section Technical Safeguards... 6 (a) Standard: Access Control... 6 (b) Standard: Audit Controls... 7 (d) Standard: Person or Entity Authentication... 7 Alertsec Service Features... 8 Summary... 9 References... 9 About Alertsec Tables Table 1 Security Management Process Support... 5 Table 2 Security Awareness and Training Support... 6 Table 3 - Access Control Support... 7 Table 4 Alertsec Service Compliance Modules

3 Executive Summary The Health Insurance Portability and Accountability Act (HIPAA) of 1996 has set the stage for a lot of changes in Healthcare in the U.S. in the last decade. When combined with the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, organizations dealing with electronic Protected Health Information (ephi, also referred to as the the information in this document) need to put technical controls in place to ensure the security and privacy of patient data or face severe consequences ranging from making public acknowledgement of data exposure and paying steep fines (currently up to $1.5 million for noncompliance), to the loss of government payments for care (such as from Medicare or Medicaid). Alertsec provides a solid foundation on which you can build your compliance program. Today, most organizations that deal with medical information use some sort of electronic health care system that combines the many facets of patient care, from intake and visits to follow- up care and billing, and these systems are generally designed for compliance. To provide complete coverage of the ephi technical protection needed for HIPAA compliance, you need to protect more than just the Healthcare System itself. Any systems where patient data could be accessed or stored must be protected, and this is where the Alertsec Service plays a critical part. Alertsec Service features: Protect Safeguard all ephi on computers and removable media (USB sticks/drives etc.) Comply with HIPAA and HITECH Enforcement Rule through Policy Control Manage Deploy and monitor compliance through a cloud management tool Figure 1: Alertsec management and compliance monitoring is the most intuitive system to use in the market place. 3

4 Building HIPAA Compliance When approaching HIPAA Compliance for your organization it is important to look at your overall compliance "story". The HIPAA and HITECH Acts lay out the penalties for ephi disclosure but also provide mechanisms for Safe Harbor against breaches when certain conditions are met. To claim an Affirmative Defense the key is to be able to show the overall compliance coverage within your organization, explaining the Administrative, Physical and Technical Safeguards you have put in place to protect the information.. Both HIPAA and HITECH are more about what you need to do and what you need to protect, rather than how. As a result ensuring your organization is compliant can be complicated. The complexity of systems involved in today s highly technical medical settings means there is no silver- bullet solution that can solve all your compliance concerns. Instead you must diligently select various components with the goal of protecting your systems that access or store patient data so that you can ensure the security and privacy of your patient information. In hospitals, pharmacies and other healthcare organizations, doctors and other staff often use mobile devices to access ephi at work in the practice, at remote sites (such as a partner facility or a patient home) or after- hours work (such as working from home). Central or cloud based healthcare systems are generally designed to be compliant but do not provide protection of ephi that is downloaded or stored on devices such as laptops, or even on the desktops in the office that never leave. Who Needs to be HIPAA Compliant If you store or access any information that could be classified as ephi, you are subject to the requirements of HIPAA and HITECH. Clearly that includes organizations such as hospitals, doctor s offices and pharmacies, but it also covers other organizations, for example companies that perform billing services, or IT services such as cloud- hosted or patient portals. Any system that can touch ephi needs to be HIPAA compliant. If a HIPAA covered organization (a Covered Entity) engages a business associate to help carry out its health care activities and functions, there should be a Business Associate Agreement (BAA) between the two organizations. So if you have a signed BAA, then your business is also subject to HIPAA requirements for data protection. HIPAA Rules There are three main rule sets that come into play for HIPAA compliance: the Administrative Rules, the Privacy Rules and the Security Rules. Administrative Rules The Administrative Rules cover the general policies and procedures regarding the securing of information. In some cases these may be borderline technical requirements, like the requirement to guard against malicious software, but the administrative rules are really focused on establishing security best practices as a baseline for the Privacy and Security Rules to build on. 4

5 Privacy Rules The Privacy Rules focus on ensuring that PHI is protected from exposure outside the proper confines of use. These rules state the permitted uses and disclosures of PHI, regardless of the format (for example, paper, oral or electronic) and the types of controls that must be enforced for their protection. Security Rules The Security Rules focus on what safeguards must be in place. The Security Rules are divided into Administrative (section ), Physical (section ) and Technical Safeguards (section ) to protect ephi. The Security Rules are written so that they provide flexibility in implementation whilst ensuring the overall goals of ephi protection are met. When combined, these rules detail what needs to be protected and provide guidance about the minimum requirements for protection. Alertsec HIPAA Safeguards The Alertsec Service provides a solid foundation for compliance with HIPAA requirements. With the Alertsec Service you are able to provide many of the Administrative Safeguards required in section and most of the Technical Safeguards required in section It is important to understand that full HIPAA compliance for all systems will require combining Alertsec with other tools to build a complete compliance picture. Section Administrative Safeguards (a)(1) Standard: Security Management Process The Alertsec Service can assist with the following Security Management Process requirements: Specification Description Alertsec Support Risk Management (Required) Information System Activity Review (Required) Implement security measures to reduce risks to a reasonable level System activity must be reviewed on a regular basis for activity that could be considered malicious Table 1 Security Management Process Support The Alertsec Service provides multiple modules to secure computers against many types of risk. The Alertsec Service provides audit records for all its services as part of the activity tracking that needs to be monitored 5

6 (a)(5) Standard: Security Awareness and Training The Alertsec Service can help address the following Security Awareness and Training requirements: Specification Description Alertsec Support Protection from Malicious Software (Addressable) Log- in Monitoring (Addressable) Password Management (Addressable) Detect and prevent malicious software Login attempts must be logged and monitored Policies to manage password use and changes Table 2 Security Awareness and Training Support The Alertsec Anti- Malware service provides protection against malicious applications The Alertsec Service provides audit records for all authentication attempts to the Alertsec FDE and the Lock Screen in Windows The Alertsec Service provides password management capabilities to ensure strong passwords and scheduled password changes Section Technical Safeguards (a) Standard: Access Control The Access Control requirements are divided into four implementation specifications: Specification Description Alertsec Support Unique User Identification (Required) Emergency Access Procedure (Required) Automatic Logoff (Addressable) Each user must be uniquely identified relative to every other user There must be a capability to access information in an emergency The system should automatically log out the user after a period of inactivity With Alertsec FDE, each user can be configured to login with a unique account Administrator access can be used to ensure the system or media is accessible in an emergency where regular users may not be available Alertsec FDE can be configured to automatically lock the system after a pre- defined period of inactivity 6

7 Specification Description Alertsec Support Alertsec FDE encrypts the entire drive on the PC and only allows logged in users access to any OS, applications or data on it Encryption and Decryption (Addressable) Data should be encrypted to ensure only the authorized users can access it Table 3 - Access Control Support Alertsec Media Encryption allows the secure use of removable media by enforcing the use of encryption of any data stored to the media Alertsec Port Control can block access to removable media, ensuring that ephi cannot leave the system and also blocking potentially malicious applications from gaining access to the system (b) Standard: Audit Controls The Audit Control requirement specifies that access to ephi be recorded for review. While the Alertsec Service does not directly protect the ephi application, but does support the requirement for audit records related to activity on the systems where the protected information will be accessed. The Alertsec Service provides a record of any authentication attempts and access to the system itself so you can review when the system/device was used (based upon successful logins) as well as any attempts to gain access (based on authentication failures). This information is supplemental to the specific Audit Controls mandated by HIPAA. The additional information provided by the Alertsec Service provides a broader coverage story about your compliance efforts and enhances your access to Affirmative Defense (as explained under Safe Harbor in the Building HIPAA Compliance section above). (d) Standard: Person or Entity Authentication The Person or Entity Authentication requirement specifies that in addition to each user having a unique identifier (as required in the Access Control requirements), they must also have unique authentication credentials paired with the unique identifier. In normal terms, this means a user has to enter a password (or token or biometric, etc.) to validate their identity. Alertsec FDE and Alertsec Media Encryption both require the user to authenticate with a username and password to access the system or any encrypted media, providing assurance about who is accessing applications dealing with ephi. 7

8 Alertsec Service Features The Alertsec Service provides compliance security as a service. Instead of requiring the purchase of several individual components and needing to manage them separately, the Alertsec Service provides a single, comprehensive, policy based, cloud- managed package of vital components to secure and make your systems compliant. The following compliance modules are available: Compliance Module Description Full Disk Encryption (FDE) Media Encryption/Port Control Compliance Check Anti- Malware/Program Control Firewall Ensures that only authorized users can access data on protected computers. A user must provide a valid ID and password before the operating system will boot and any ephi will automatically be stored encrypted. Media Encryption automatically encrypts any ephi data stored on removable storage media such as USB sticks and external hard drives based on policy. Data remains transparent to authorized users. Port control prevents use of unknown/unauthorized media. All endpoints are scanned for compliance with pre- defined security policies that can verify the security software is up to date. Malware detection and prevention using signatures, behavior blockers and heuristic analysis. Policy controlled Program (application) Control can be configured to limit the applications that can be run on the system to only those that have been explicitly approved. Providing proactive policy based protection: the firewall blocks targeted attacks and stops unwanted traffic, keeping data and systems safe. Table 4 Alertsec Service Compliance Modules 8

9 Summary The Alertsec Service provides a solid foundation for building a complete ephi security solution for your Electronic Health Record (EHR) system. The HIPAA act does not expect that a single application or service alone will provide all the security safeguards necessary to protect the information, and therefore provides the flexibility for an organization to design a complete security infrastructure using components that best meet its needs. With the Alertsec Service your organization can ensure the security of endpoint devices, providing a solid layer of technical security surrounding ephi that is unobtrusive whilst also being highly effective. By minimizing the possibility of unsecured access on endpoint devices, Alertsec helps to achieve Safe Harbor, mitigating the need for breach notifications that would otherwise be mandatory whenever unsecured ephi is accessed. Complete encryption of ephi, as provided by Alertsec, is considered a primary way to achieve Safe Harbor. Implementing Alertsec FDE on endpoint devices within your organization ensures that any copies of ephi, such as offline copies for remote work, data in Word or Excel documents, or cached data from applications, are always secured on the endpoint device. Alertsec Media Encryption can enable your organization to securely utilize removable media when transporting ephi between systems (for example, when large volumes of data need to be backed up or delivered directly to another location, or where secure network transfers are not available or possible). And Alertsec Port Control and Application control provide your organization with the ability to block access to removable media ports and block unwanted applications in order to prevent any ephi from being removed from the device. References The following selection of websites provide more information about HIPAA and HITECH. compliance.php 9

10 About Alertsec Alertsec Inc. was founded in 2007 by Fredrik Lövstedt, co- founder of Pointsec Mobile Technologies, a world leader in encryption and security control software for PC s and mobile devices. Today, Pointsec Full Disk Encryption software is used on more than 30 million laptops around the world. Pointsec was acquired by Check Point Software Technologies Ltd in Simple, transparent and available to all The vision when Alertsec was established was that encryption should be simple, transparent and available for all. That principle remains at the heart of Alertsec. Alertsec is the easiest way to ensure that any data stored on a laptop is encrypted at all times and kept secure even if the device is lost or stolen. Subscribe and relax! Global reach Alertsec supports customers in more than 30 countries and over 100 US banks use Alertsec. Alertsec has offices in Palo Alto, London, Sydney and Stockholm. Alertsec HQ US Alertsec Inc. 470 Ramona Street Palo Alto, CA Tel: