The Health Insurance Portability and Accountability Act - HIPAA - Using BeAnywhere on a HIPAA context

Transcription

1 The Health Insurance Portability and Accountability Act - HIPAA - Using BeAnywhere on a HIPAA context

2 About HIPAA The Health Insurance Portability and Accountability Act (HIPAA), passed by Congress in 1996 and otherwise known as the Kassebaum-Kennedy Act, aims, among other purposes, to protect the electronic healthcare information from unauthorized access - only health information transmitted electronically is covered by the HIPAA Security Rule (paper records stored in filing cabinets are not subject to the security standards). These rules include Technical Safeguards that apply to covered entities that use remote access products to maintain or transmit electronic healthcare information. The HIPAA Privacy Rule regulates the use and disclosure of Protected Health Information (PHI) held by "covered entities". PHI is any information held by a covered entity which concerns health status, provision of health care, or payment for health care that can be linked to an individual. More Info: Health Insurance Portability And Accountability Act Of 1996 Health Information Privacy page of the U.S. Department of Health and Human Services Using BeAnywhere solutions in compliance with HIPAA The content of the following pages provide an introduction to HIPAA security safeguards and supply valuable information about how any entity using BeAnywhere s remote access solutions, and/or BeAnywhere insight, will be entitled to fully comply with those imposed rules. It is structured on the sections below: Section 1: HIPAA Summary Section 2: HIPAA Technical Safeguards Section 3: HIPAA compliance using BeAnywhere Section 4: Conclusion Section 5: Terms NOTE: The information contained in this document does not constitute legal advice. BeAnywhere advises you to seek legal advice before stating any compliance with any of the rules and safeguards stated in this document. BeAnywhere makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained in or referenced in this document. 1

3 Section 1 HIPAA Summary Covered Entities All healthcare clearinghouses, health plans, and healthcare providers that conduct certain transactions in electronic form. This includes entities that use a billing service to conduct transactions on their behalf. HIPAA Transactions Healthcare claims or their equivalent Healthcare payment and remittance advice Healthcare claims status Eligibility inquiries Referral certifications and authorizations Claims attachments First reports of injury 2

4 Section 2 HIPAA Technical Safeguards According to the HIPAA Security Standards published in the Federal Register on February 20, 2003 (45 CFR Parts 160, 162 and 164 Health Insurance Reform: Security Standards, Final Rule). a) Access Control Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to persons or software programs that have been granted access rights. Unique User Identification (Required) Emergency Access Procedure (Required) Automatic Logoff (Addressable*) Encryption and Decryption (Addressable) b) Audit Controls Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. (Required) c) Integrity, Policies and Procedures c.1) Integrity Mechanism a mechanism to authenticate electronic protected health information. Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner. d) Person or Entity Authentication The requirement for Entity authentication, the corroboration that an entity is who it claims to be. e) Integrity, Policies and Procedures Security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of, and that electronic protected health information that is being transmitted over an electronic communications network is guarded against unauthorized access. Mechanism to Authenticate Electronic Protected Health Information (Addressable) (Required) Integrity Controls (Addressable) Encryption (Addressable) * See Section 5 3

5 Section 3 HIPAA Compliance Using BeAnywhere a) Access Control (a)(1) BeAnywhere s Security Policies: Access to the BeAnywhere infrastructure and to the host computers is completely independent, requiring different authentications processes, with different requirements. Access to host computers can be protected by Windows or Mac native OS user authentication. Access to host computers can be protected by a Master Password. Access to the BeAnywhere infrastructure can be secured by using industry-standard two-factor authentication. Role and User based, modular access to the Console, the Administration Area and to specific devices. Administration rights and Session features can be restricted per user (i.e.: restriction to use Remote Desktop, to transfer files, to view session information or other historical data ). Temporary Technicians/Users with limited permissions and visibility can be created. If the remote device is accessed through an Agent, the machine can be configured to require the authorization from a local user before starting a session; if it is accessed using a Support Express Applet, a local user needs to explicitly follow a combination of simple procedures in order to initiate a session. The applet can have its privileges limited to those of the local user running it. Through the Applet, the local user can have the option of resorting to a Panic Mode a keyword combination that immediately suspends any interactivity between the BASE technician and the remote machine (Esc + F1) and can also be allowed to suspend certain features to be used during a session (Remote Desktop, File Transfer, System Shell, Video Recording, etc.). Applets sessions can also be ended at any time. Remote access can be automatically locked after a period of inactivity. After the end of an Applet session, the technician loses all the rights on the remote machine. 4

6 b) Audit Controls (b) BeAnywhere s Security Policies: All activity on the remote computer can be logged through mandatory video recording of the sessions and detailed session reports, which include the chat history, the file transfer activity, and commands typed through the System Shell feature. An exhaustive technical log about the remote activities is additionally kept at the host computer s hard disk for at least seven days. This file can be used for advanced forensics if needed, and can be copied for a permanent location in the remote network, for compliance purposes. Account administrators can see session events and chat data in real time from every session occurring. Sessions are logged as Windows Events and also under logs on Mac OS. Analyze detailed session information through a specialized interface on the Administrative Area with enhancing filtering and searching capabilities. The access to auditing information on the Administrative Area will always be restricted, whether on role or user based permission schemes. c) Integrity, Policies and Procedures (c)(1), (c)(2) BeAnywhere s Security Policies: Sessions are completely encrypted end-to-end: chat, remote control, file transfers and any other information or interactions occurring during a session are encapsulated in the BeAnywhere s protocol, which uses point-to-point 256-bit encryption compliant with the U.S. approved Advanced Encryption Standard. All interactions of all BeAnywhere s components without the context of a session are encrypted with the industry-standard Transport Layer Security protocol (128-bit AES CBC), assuring no communications are tampered with. Remote sessions can be protected in its integrity by disabling the keyboard and mouse interactions at a local level, as well as blanking the remote screens. File integrity during transfers is validated with the MD5 message-digest algorithm, which assures the data is not tampered within the context of its transmission. Automatic alerts can be set to help identify unauthorized access to sensitive devices by authorized users. 5

7 d) Person or Entity Authentication (d) BeAnywhere s Security Policies: Access to the BeAnywhere infrastructure and to the host computers is completely independent, requiring different authentications processes, with different requirements. Access to host computers can be protected by Windows or Mac native OS user authentication. Access to host computers can be protected by a Master Password. Access to the BeAnywhere infrastructure can be secured by using industry-standard two-factor authentication. An easy to use and set, while technically complex authentication schema can be implemented, with a combination of multiple levels of authentication and permissions, to make sure that only authorized and validated persons can have access to a device and its resources. Use IP address restrictions to limit access to the Technician Console. e) Transmission Security (e)(1) Sessions are completely encrypted end-to-end: chat, remote control, file transfers and any other information or interactions occurring during a session are encapsulated in the BeAnywhere s protocol, which uses point-to-point 256-bit encryption compliant with the U.S. approved Advanced Encryption Standard. All interactions of all BeAnywhere s components without the context of a session are encrypted with the industry-standard Transport Layer Security protocol (128-bit AES CBC), assuring no communications are tampered with. File integrity during transfers is validated with the MD5 message-digest algorithm, which assures the data is not tampered within the context of its transmission. Automatic alerts can be set to help identify unauthorized access to sensitive devices by authorized users. BeAnywhere s network is continuously being monitored and probed against security issues by external entities and implements a secure password policy for all the users. 6

8 Section 4 Conclusion Although HIPAA regulations only cover entities who handle patient health information, the electronic tools used on this process are expected to implement a number of procedures, technologies and safeguards that assure or enhance the compliance with the necessary standards. BeAnywhere access protocol was designed from scratch with the security at its core and has been integrating more security and audit controls over the years, anticipating the needs of its clients and the technology's evolution. The management, configuration and operational features of BeAnywhere solutions meet or exceed HIPAA technical standards, and greatly contribute to the establishment of workflows in accordance with the best practices suggested or required by the most current U.S. and International legal and normative frameworks: BeAnywhere products can be deployed as an outsourced remote-access component of a larger information-management system without affecting HIPAA compliance. HIPAA grants a certain freedom on how to implement its security guidelines, which means that each organization should carefully plan the security implementation that will be adopted according to its needs and specificities. BeAnywhere solutions are highly modular, therefore organizations have the option of finding the correct balance of security and productivity to their particular case. BeAnywhere support staff is highly experienced in helping HIPAA-covered organizations implementing and fine-tuning remote support or remote management solutions. Please contact us if you need any help or advice. Section 5 Terms (according to the HIPAA) Electronic: The transmitting of healthcare information, but not limited to, via the Internet, an extranet, leased lines, dial-up lines, etc. Adressable: a standard or specification whose compliance is allowed a degree of flexibility, based on reasonable steps. 7

9 Europe: South America: +55 (11) North America: