HIPAA Security Rule Compliance and Health Care Information Protection

Transcription

1 HIPAA Security Rule Compliance and Health Care Information Protection How SEA s Solution Suite Ensures HIPAA Security Rule Compliance Legal Notice: This document reflects the understanding of Software Engineering of America of System i security and audit compliance related to the Health Insurance Portability and Accountability Act. SEA is not in a position to guarantee and assumes no responsibility that the implementation of the recommendations in this whitepaper ensures a complete and full compliance with all aspects of HIPAA regulations. The information is provided as an informational piece. SEA advises users to undertake their own research and advice to satisfy their required level of compliance with the standards. Software Engineering of America 1 HIPAA Compliance

2 Health Insurance Portability and Accountability Act of 1996 (HIPAA) What is HIPAA? HIPAA was enacted in 1996 with the goal of establishing a set of laws to protect individuals health information, document the rights of health providers and patients, and secure the overall healthcare system in the United States. Healthcare organizations must follow these regulations to ensure confidential information does not leak and to prevent heavy fines. HIPAA is based on five Titles: I. Health Care Access, Portability, and Renewability II. Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform III. Tax-Related Health Provisions IV. Application and Enforcement of Group Health Plan Requirements V. Revenue Offsets The full electronic HIPAA laws can be obtained from the Government Printing Office website. On February 20, 2003, the Security Rule was issued as part of HIPAA and serves as one of the key components of the overall law. These guidelines cover all electronic health information. The Security Rule is broken down into three requirements: 1. Administrative Safeguards 2. Physical Safeguards 3. Technical Safeguards Each requirement consists of a standard and implementation specifications. The tables on the following pages outline these guidelines. Software Engineering of America 2 HIPAA Compliance

3 ADMINISTRATIVE SAFEGUARDS These policies focus on security measures to manage the protection of health care information. In this section, there are nine standards and under each standard are implementation specifications. These specifications include access authorization, log-in monitoring, protection from malicious software, and many more. These standards comprise 50% of the Security Rule. Sections Standards Implementation Specifications (a)(1) Security Management Process Risk Analysis Risk Management Sanction Policy Information System Activity Review (a)(2) Assigned Security Responsibility (a)(3) Workforce Security Authorization and/or Supervision Workforce Clearance Procedures (a)(4) Information Access Management Termination Procedures Isolating Health care Clearinghouse Function Access Authorization (a)(5) Security Awareness and Training Access Establishment and Modification Security Reminders Protection from Malicious Software Log-In Monitoring Password Management (a)(6) Security Incident Procedures Response and Reporting (a)(7) Contingency Plan Data Backup Plan Disaster Recovery Plan Emergency Mode Operation Plan Testing and Revision Procedure Applications and Data Criticality Analysis (a)(8) Evaluation (b)(1) Business Associate Contracts & Other Arrangements Written Contract or Other Arrangement Software Engineering of America 3 HIPAA Compliance

4 PHYSICAL SAFEGUARDS These standards pertain to the physical means of protecting electronic information and equipment. Examples include proper physical security plans and hardcopy data disposal. Although these requirements are important, SEA solutions cover the electronic security aspect of the Security Rule. Sections Standards Implementation Specifications (a)(1) Facility Access Controls Contingency Operations Facility Security Plan Access Control and Validation Procedures Maintenance Records (b) Workstation Use (c ) Workstation Security (d)(1) Device and Media Controls Disposal Media Re-use Accountability Data Backup and Storage TECHNICAL SAFEGUARDS These guidelines refer to procedures pertaining to protecting technology policies. This section of the Security Rule is made up of five standards consisting of various implementation specifications. These include user identification, encryption, audit controls, and many more. Sections Standards Implementation Specifications (a)(1) Access Control Unique User Identification Emergency Access Procedure Automatic Logoff Encryption and Decryption (b) Audit Controls (c)(1) Integrity Mechanism to Authenticate Electronic Protected Health Information (d) Person or Entity Authentication (e)(1) Transmission Security Integrity Controls Encryption Software Engineering of America 4 HIPAA Compliance

5 Why is HIPAA Important? Because the healthcare industry is gradually transforming its processes into electronic and digital formats for efficiency purposes, a greater need for strong security measures arises. Since information flows through different gateways from insurance companies, to employers, to health care providers, and to other entities, it is important to protect this data stream and be in compliance. Therefore, it is important for IT departments to incorporate secure and reliable mechanisms to protect their data flow networks and ensure compliance. What if I m Not Compliant? Non-compliance of HIPAA may have serious consequences for an organization. Violations of the Act may result in heavy fines up to $250,000, imprisonment for up to ten years, lawsuits, and legal liability issues. Whether an incident is accidental or intentional, your company may still be subject to these lucrative penalties. Software Engineering of America offers a full line of solutions to help your organization stay compliant. Adopting SEA s product suite can help ensure your company will keep medical information secure and reduce the risk of heavy fines. SEA offers solutions that will track all types of activity, monitor over users and resources, prevent security breaches, alert proper personnel automatically, and many more. How Can SEA s Solutions Ensure HIPAA Compliance? SEA provides solutions to businesses worldwide to ensure their data centers are running securely, effectively, and smoothly while keeping up with industry standards including HIPAA. Our solutions help companies follow the standards set in the Administrative Safeguards and Technical Safeguards aspect of the Security Rule. The following is an overview of SEA s products that should be implemented to ensure HIPAA laws are adhered. Software Engineering of America 5 HIPAA Compliance

6 Firewall Firewall will protect and secure all types of access to and from the System i, keeping your company safe from intruders. Not only an easy to use filter for incoming and outgoing TCP/IP activity and intrusion prevention, it will also manage user profile status, password restrictions, sign-on time control, object access control, rule exceptions, and logging of all activity. Scripts can be created in real time to automatically respond to monitored activity with system commands, programs, to alert you via an , AS/400 message, and/or by phone. Users can utilize the Java-based GUI in addition to the traditional green-screen interface to effectively monitor and analyze activity for any type of AS/400 environment. Audit Audit provides real-time monitoring and logging of system and user activities. Audit can also take action against these threats by triggering pro-active alerts. Monitored activity can be viewed, printed or obtained via an automatic report scheduler that can be sent to an administrator, senior managers, and auditors. Scripts can be created in real time to automatically respond to monitored activity with system commands or programs, to alert you via an , AS/400 message, and/or by phone. Antivirus Antivirus will scan compressed files and protect against viruses found on your System i server. This application will run natively on your iseries and scan your IFS and mail for viruses and will eliminate the requirement to download these files to your PC or server for scanning. This prevents unnecessary network traffic from tying up your LAN. In addition, Antivirus removes infected files from the system, scans s through the Mail Alert scan feature and utilizes a user-friendly interface. On-access, On-Demand scanning and automatic updates are other key features of Antivirus that will keep your system safe. Journal This solution will allow you to monitor data modifications, providing you with before and after images of your data. Enterprises can see who made changes, what modifications were made, and when these changes took place. Data retrieval is simple and allows security administrators to have control over information flowing within their organization. Capture Capture secretly obtains and documents users screens for ultimate security without affecting system performance. The solution works silently and invisibly in the background; users may not even notice it is running. This solution allows administrators to see what users are doing and what they are doing with the specific information. Capture can automatically trigger screen capturing according to a variety of pre-defined Software Engineering of America 6 HIPAA Compliance

7 rules. Capture allows an organization to retrieve archived screenshots for definitive and accurate forensics for keeping your System i in compliance. View View gives administrators the ability to restrict access to specific fields and records while specifying user levels. System administrators can create rules that define which users are authorized to view or modify the contents of a database. This will ensure that users are not accessing information they shouldn t be such as confidential patient data. Assessment Use assessment to test system vulnerabilities by monitoring ports, user privileges etc. View charted reports and ensure industry compliance. Assessment shows you detailed reports if your network is really protected, auditing policies are in place, exit points are open, and many more. abscompress abscompress compresses objects over 80% at high speeds to save space and reduce file transfer time. abscompress provides government approved AES encryption up to 256 bit. Users can enter a string as a password for strong security measures. In addition, the history console can track the details of all compression or decompression it performs. absmessage absmessage allows administrators to monitor messages through a centralized console and take action immediately. Users can monitor and manage there system messages and resources through a Java gui, web console, PDA, or green screen interface. absmessage also provides message notifications to personnel and gives them the ability to respond via , cell phone or PDA Users can create smart message filters for complete control over there system messages. absmessage also allows the monitoring of critical system resources, provides escalations to multiple personnel in your enterprise and can automate responses via its powerful scripting, Software Engineering of America 7 HIPAA Compliance

8 Examples of How SEA Will Help Your Company Comply with the Security Rule Administrative Safeguards Security Rule Section Description SEA Solution (a)(1)(ii)(A) This is the risk analysis portion under the standard Security Management Process. It requires companies to assess vulnerabilities and potential risks of electronic health information. Audit Assessment These solutions will identify potential security risks through real-time monitoring (Audit) and test system vulnerabilities by checking for open ports etc. (Assessment). In addition, view detailed reports and charts (a)(3)(ii)(A) (a)(5)(ii)(B) The Authorization and/or Supervision implementation specification of the Workforce Security standard. This calls for determining user rights such as the ability to read a file or run a program. Protection from Malicious Software implementation specification of the Security Awareness and Training standard. This security measure calls for preventing harmful programs or viruses. (Assessment). View Assessment Firewall Administrators can restrict user access and specify user levels to see specific fields (View). Users can also Utilize Assessment to view reports of user privileges. Manage user profiles, sign-on time control, and object access control thru Firewall. Antivirus Antivirus will scan for viruses and remove them from your system. Utilize the Mail Alert scan to check through s for harmful viruses. Antivirus will update automatically so your system will always be aware of the latest threats. Software Engineering of America 8 HIPAA Compliance

9 Technical Safeguards HIPAA Security Rule Description SEA Solution (a)(2)(iv) This is the Encryption and Decryption implementation specification of the Access Control standard. A proper encryption tool will convert regular text into encoded data (must be opened with a proper key). abscompress abscompress will encrypt your data via government approved AES encryption up to 256 bit. In addition, abscompress can quickly compress your objects by (b) This is the standard Audit Controls (there are no implementation specifications). This standard calls for implementing an audit report tool or other method for recording system activity. 80% to save space. Firewall Audit Journal Capture absmessage All of the above solutions will record critical types of activity on the i5. Firewall will keep track of network activity through a customized Java GUI or traditional greenscreen. Audit provides user monitoring which can be viewed, printed, or sent to predefined personnel through an automatic report scheduler. Journal shows who made data modifications and what changes were made. Capture can obtain screenshots of a users screen automatically and archive them. absmessage can monitor any message queue, QHST as well as QAUDJRN and send notifications to administrators. Software Engineering of America 9 HIPAA Compliance