HIPAA DATA SECURITY & PRIVACY COMPLIANCE

Transcription

1 HIPAA DATA SECURITY & PRIVACY COMPLIANCE This paper explores how isheriff Cloud Security enables organizations to meet HIPAA compliance requirements with technology and real-time data identification. Learn more by visiting 2014 isheriff. isheriff is a registered trademark of isheriff. All other trademarks are the property of their respective owners. Specifications subject to change without notice. All rights reserved.

2 Introduction This white paper examines the data security and privacy compliance requirements of the Healthcare Insurance Portability and Accountability Act (HIPAA). It examines the purpose and objectives of specific portions of the Act related to information security and the privacy of data transfers and communications. Finally, this paper explores how isheriff Cloud Security enables organizations to meet HIPAA compliance requirements with technology and real-time data identification. The Healthcare Insurance Portability and Accountability Act is US federal law, enacted in IT ADDRESSES: a) Healthcare insurance access, portability of healthcare insurance from one employer to another and affects the exclusion period for certain pre-existing health conditions when enrolled in a group health plan. b) Civil and criminal penalties for healthcare related offences such as fraud. c) Standards for improving the efficiency of healthcare administration and how health information is disseminated. d) Data security and privacy standards for Protected Health Information (PHI) and Electronic Protected Health Information ORGANIZATIONS AFFECTED BY HIPAA HIPAA affects any organization in the US handling Protected Health Information. Typically, organizations that handle PHI are issued with a National Provider Identifier (NPI) number by the Centers for Medicare and Medicade Services (CMS). Organizations required to comply with HIPAA regulations are termed covered entities. COMMON EXAMPLES OF COVERED ENTITIES INCLUDE: Health insurers Healthcare clearing houses» Hospitals Nursing homes Pharmacies Laboratories Physicians, physiotherapists and general practitioner s offices HIPAA REQUIREMENTS HIPAA stipulates a range of requirements for organizations handing healthcare insurance and PHI. This white paper is primarily concerned with HIPAA requirements governing data security and privacy. HIPAA IS STRUCTURED IN THREE MAIN AREAS: 1: TITLE I - HEALTHCARE ACCESS Title I regulates the availability of healthcare insurance and the portability of insurance across employers and group healthcare plans. note: this white paper does not address this area of the Act in detail. 2: TITLE II - FRAUD, PRIVACY, SECURITY AND ADMINISTRATION Title II defines various offences relating to healthcare such as fraud and sets criminal and civil penalties for these crimes. It also stipulates a series of standards and controls regarding the handling of PHI, termed Administrative Simplification. Title II sets out five rules regarding Administrative Simplification: 1) PRIVACY RULE - regulates the use and disclosure of PHI by covered entities, e.g.:

3 a) Covered entities must ensure the confidentiality of communications with individuals. b) Covered entities must disclose PHI to the individual concerned within 30 days upon request. c) Covered entities must make reasonable efforts to disclose only the minimum necessary information required to achieve its purpose, after authorization is obtained from the individual. d) Covered entities are required to notify an Individual of users of their PHI. They must also keep a record of who PHI has been disclosed to, what was disclosed and when. e) Covered entities must appoint a Privacy Official responsible for establishing PHI security policies and procedures internally, be the contact point for PHI-related complaints and be responsible for internal workforce training for procedures relating to PHI. 2) Transactions and Code Sets Rule - stipulates standards for electronic healthcare claims, billing and transactions required by HIPPA compliance. 3) SecurIty Rule - similar and complementary to the Privacy Rule, but solely concerned with Electronic Protected Healthcare Information (EPHI). The Security Rule specifies three types of security safeguards for EPHI: a) ADMINISTRATIVE SAFEGUARDS i) Covered entities must adopt a written set of privacy procedures and appoint a Privacy Officer. ii) Clearly identify employees or roles authorized to access EPHI and restrict access to only those employees who require it to perform their job function. iii) Covered entities must adopt a written set of privacy procedures and appoint a Privacy Officer. iv) Outsourced third-parties who require access to EPHI in their business process must comply with HIPAA requirements and the covered entity is responsible for ensuring this. v) Establish data disaster recovery and backup procedures for EPHI. vi) Document the scope, frequency and procedures for internal EPHI and administrative audits. vii) Document procedures for EPHI security breaches. b) PHYSICAL SAFEGUARDS i) Controls must be implemented to ensure the physical security of EPHI and protect against unauthorized access ii) Controls must govern the introduction or removal of hardware and software on the network. iii) Access to equipment storing EPHI must be restricted to authorized personnel. iv) Workstations capable of accessing EPHI should be located in private areas and out of direct view of the public or unauthorized people. v) If a covered entity uses an external contractor, they must be given training and made aware of HIPAA responsibilities. c) TECHNICAL SAFEGUARDS i) Controls must be implemented to control access to computer system and ensure that covered entities protect communications containing PHI and prevent anyone other than the intended recipient from intercepting them. ii) EPHI information systems must be protected against intrusion or hacking. iii) When EPHI is transmitted over an open network, some form of data encryption must be applied. If the network is closed, data encryption is considered to be optional.

4 iv) Covered entities are responsible for ensuring that EPHI is not changed or erased without appropriate authoriza- tion. v) Data corroboration such as the use of digital signatures, check sums, and message authentication should be used to ensure data integrity and anti-tampering. vi) Covered entities must authenticate with other entities which they communicate EPHI with. Covered entities must ensure that entities are indeed who they claim to be. vii) Covered entities must document their HIPAA compliance practices around the Security Rule and provide these to appropriate government regulators upon request to help determine HIPAA compliance. viii) Covered entities must also carry out and document EPHI security risk assessments and risk management programs. The Security Rule is considered to be a mandatory, minimum standard for EPHI security and covered entities are obligated to make specific assessments of their own security risks and take reasonable additional precautions necessary to protect EPHI within the covered entity s specific environment. 3: HITECH ACT The HITECH Act (Health Information Technology for Economic and Clinical Health Act) was enacted as part of the American Recovery and Reinvestment Act of It addresses additional privacy and security issues relating to the electronic transmission of PHI. It extends the data privacy and security requirements of HIPAA to business associates of covered entities and stipulates that these requirements be included in agreements and contracts between covered entities and business associates. The Act also imposes additional notification requirements relating to PHI security breaches and extends these to not only covered entities, but business associates and vendors of personal health records. Lastly, the Act also implements changes in the rules governing disclosures of PHI when an organization uses an electronic health record (EHR). 4) UNIQUE IDENTIFIERS RULE - Covered entities governed by HIPAA must use only the National Provider Identifier (NPI) number to identify covered healthcare providers. Covered entities must not share PHI with entities that do not use an NPI - a 10 digit alphanumeric identification number. 5) ENFORCEMENT RULE - sets civil monetary penalties for covered entities that violate or fail to comply with HIPAA requirements. It also establishes how violations are investigated and prosecuted.

5 isheriff Cloud Security & HIPAA isheriff Cloud Security is a Web, and Endpoint protection service which complies with HIPAA regulations governing the security and privacy of Electronic Protected Healthcare Information. The service provides real-time analysis of and Web traffic to guard against HIPAA compliance breaches and accidental disclosure of EPHI. isheriff automatically encrypts EPHI according to HIPAA procedures and provide data leakage protection to ensure the security and privacy of PHI. 360 HIPAA POLICY COMPLIANCE isheriff Cloud Security provides a complete solution to help your organization address a range of HIPAA security requirements, including technology protection, implementation of HIPAA policies, assisting with employee education and analyzing the compliant transmission of EPHI. isheriff APPLIES A 360 DEGREE SOLUTION WHICH ENABLES CORPORATIONS TO: DEFINE PHI data security procedures. Consistently MONITOR the transmission of EPHI and automatically enforce HIPAA procedures in and Web communications and ensure the security and privacy of healthcare information. DETECT policy breaches, automatically alert HIPAA Privacy Officers of procedural breaches and help educate employees regarding HIPAA compliance. ANALYZE Web, and Endpoint activity with reports that enable healthcare providers to better educate employees and refine policies to maintain continued compliance with HIPAA rules over time.

6 ACHIEVING HIPAA COMPLIANCE HIPAA lays out multiple security rules and requirements that covered entities must implement. isheriff Cloud Security provides functionality which can meet or surpass all of these requirements: HIPAA Requirement Ensure the confidentiality of communications with individuals Adopt a written set of privacy procedures for handling EPHI Restrict access to EPHI to only those employees who require it to perform their job function Third-parties utilized by covered entities must comply with HIPAA rules Covered entities must protect communications containing PHI and prevent anyone other than the intended recipient from intercepting them Covered entities must protect information systems against intrusion or hacking isheriff Cloud Security isheriff Cloud Security provides easy to use security features such as encryption, policy-based data and file-type controls and real-time EPHI detection to ensure that data is transmitted according to confidentiality procedures and block the unauthorized or non-compliant communication of EPHI. isheriff Cloud Security enables you to easily adapt written HIPAA privacy procedures into practical, plain-english security rules using an intuitive user interface. Pre-configured, example HIPAA policies are available to help streamline policy creation, save time and money. isheriff Cloud Security can automatically secure information or trigger HIPAA policies based on: Names, addresses, phone or fax numbers addresses, IP addresses or domains National Provider Identifier (NPI) Social Security Numbers Medical record numbers Bank account numbers Any alphanumeric pattern of interest for HIPAA compliance isheriff Cloud Security is a policy-based, user authentication solution which enables healthcare providers to selectively apply EPHI communication privileges based on user ID, IP address, department, policy group or domain. This means that unauthorized employees are always blocked from transmitting EPHI and authorized EPHI communications are automatically encrypted in accordance with HIPAA guidelines. isheriff Cloud Security provides an easy to use and totally secure communication environment, allowing your organization to communicate privately with individuals and business associates. You can collaborate and share information securely and without additional costs, special software or extensive training requirements. Policy-based authentication ensures that EPHI can only be shared with an authorized list of addresses, domains or IP addresses. In addition, S/MIME and 128-bit SSL encryption prevents interception of EPHI or accidental disclosure to unintended recipients. isheriff Cloud Security helps safeguard and Web communications, and keep endpoints free from malware and other malicious Web attacks.

7 ACHIEVING HIPAA COMPLIANCE HIPAA Requirement PHI must be encrypted when transmitted over an open network Data corroboration such as digital signatures,check sums, and message authentication should be used to ensure data integrity and anti-tampering Covered entities must authenticate with other entities which they communicate EPHI with Covered entities must keep a record of who PHI has been disclosed to, what was disclosed and when isheriff Cloud Security communications are protected by 128-bit SSL connections and/or S/ MIME PKI encryption over open networks. HTTPS content inspection ensures that EPHI is only transmitted via the Web by autho- rized isheriff Cloud Security provides detailed Web and security reporting. This enables you to monitor and evaluate the disclosure of NPI, who has accessed NPI, and adjust security measures or implement new policies as needed. isheriff Cloud Security supports Public Key Infrastructure (PKI) that employs trusted x.509 certificates and S/MIME cryptography for strong authentication and encryption. isheriff Cloud Security reports provide a detailed log of communications and HIPAA-related events such as , file uploads or downloads and identification of users and addresses that EPHI has been disclosed to.

8 BEYOND HIPAA WHY isheriff CLOUD SECURITY IS IDEAL FOR HEALTHCARE PROVIDERS FOR WEB, AND ENDPOINT DEVICE SECURITY, isheriff CLOUD SECURITY OFFERS HEALTHCARE PROVIDERS CONSIDERABLE BENEFITS AND ADVANTAGES: A hosted security solution which cleans and secures and Internet use. No need to purchase or manage appliances or software - all infrastructure is provided and managed for you. A single vendor for endpoint anti-virus, security, encryption and/or Internet filtering. Predictable fixed cost structure with the flexibility to let you grow or shrink your user licensing as and when you need it. No tedious maintenance or administration.» Accessible policy tuning and reporting via a secure Web console enables you to manage your security if you wish and view reports anytime, anywhere.» Reliable, effective security with real-time, patented content and threat analysis technology from a vendor with over 10 years of proven experience delivering best of breed protection.» Eliminates spam and phishing from incoming - removes offensive unsolicited messages which also contain malicious threats and links to compromised websites and benefit from considerable bandwidth savings.» Secure your endpoints, and Web connections against viruses, malware and the latest Web 2.0 threats such as botnets and compromised websites.» Prevent access to pornographic and offensive Web content with website category filtering which is updated and driven by your usage. SafeSearch enforcement is also provided for search engines such as google, Yahoo and Bing as well as YouTube - ensures that inappropriate content is not returned by a search.» Automatic archiving to backup your important communications and aid in disaster recovery.» Access easy to understand reports on demand and readily measure the cost savings and performance delivered by the services you are paying for.

9 Other Key Features & Benefits EASE OF USE Powerful and intuitive Web console, with flexible drag & drop configurability Full integration with all major directory services - for hassle-free set-up and group/user maintenance Comprehensive and configurable reporting across all policies, security vectors and directory elements Policy enforcement through real-time reporting and alerting Lightweight endpoint anti-malware agent deployable on all current version of Windows, Mac and linux COMPREHENSIVE SECURITY CONTROLS Highly configurable content filtering, based on isheriff s proprietary url database and real-time dynamic page classification - ensuring that acceptable use policies are enforced Highly flexible application controls, enabling policy enforcement for application permissions Bandwidth controls, enabling management of bandwidth usage through policy Data leak protection for data-in-motion across both Web and transport layers, to ensure that sensitive corporate information is kept secure ADDITIONAL BENEFITS archiving for 90 days, and e-discoverability Multi-tenant management framework and dashboard, enabling management of deployment, policies and reporting for MsPs, VARs and distributed organizations through an integrated Web-based console

10 isheriff Security Specialists At isheriff, our commitment to our customers is the driving force behind everything we do. In addition to all of the customer service functions offered by competitive companies, at isheriff, you will be assigned your own Security Specialist. isheriff is the only internet security company that provides a trained, dedicated, knowledgeable single point of contact, whose job is to assist, guide and keep you informed about the best way to protect your most critical asset, your data. A Security Specialist is an additional layer of service and support, trained to advise you in this new era of cybercrime. Our Security Specialists are dedicated to both customers and partners based on customer location. Your Security Specialists Can: Design a security solution customized to meet the needs of your business Provide full security assessments as well as demos and trials of our solutions Engage and manage any tech support, license or account management questions Provide the latest info on current threats Help select the right channel partner for your specific needs Provide you with the highest levels of personal service in the industry Develop a Cloud Security Strategy Share Product Road Maps and Future release schedules Provide competitive pricing, references and Free Trial copies upon Request Contact a isheriff Security Specialist today at /specialist

11 About isheriff isheriff is the leading provider of content and endpoint security from the cloud. We keep organizations and individuals safe from cybercrime, malware and digital threats. Thousands of businesses across a wide array of industries have deployed our solutions, including some of the most sophisticated buyers of security technology worldwide. isheriff has operations in New York, California, Ireland and Asia. Free Trial isheriff s services can be easily and freely evaluated. Just provide us with some simple details via an online sign-up form and we can have a free 15-day trial of isheriff Cloud Security up and running for you within 24 hours. There is no obligation to subscribe and it is quick and easy to disconnect the service if you don t wish to continue. Sign up now at /cloudtrial isheriff Resources CLOUD SECURITY OVERVIEW CUSTOMER CASE STUDIES FREE TRIAL WHITEPAPERS SECURITY SPECIALISTS CUSTOMER SUPPORT OFFICE LOCATIONS /cloud /resources /cloudtrial /resources /specialist /support /contact

12 Learn more by visiting 2014 isheriff. isheriff is a registered trademark of isheriff. All other trademarks are the property of their respective owners. Specifications subject to change without notice. All rights reserved.