ipatch System Manager - HIPAA Compliance

Transcription

1 SYSTIMAX Solutions ipatch System Manager - HIPAA Compliance White Paper July

2 Overview Health plans, healthcare clearinghouses, healthcare providers including Medicare/ Medicaid agencies must comply with federal Health Insurance Portability and Accountability Act (HIPAA) regulations regarding the HIPAA s data security standards are similar to other federal compliance standards (Sarbanes-Oxley, GLBA, USA PATRIOT Act and others) in that they impose requirements with respect to data access and security. HIPAA specifically requires that covered entities implement safeguards that limit a user s access to patient data in a manner consistent with that user s needs. Data format requirements, encryption techniques, as well as backup and data recovery methods are also well defined. When it comes to access control of the physical layer, SYSTIMAX Intelligent Infrastructure Solutions provide the ability to monitor real-time access to the physical connectivity layer. Any breach of physical security that relates to network connectivity is automatically recorded to produce the audit trail required for HIPAA compliance. The ipatch System Manager is capable of producing a connectivity history that reflects both current and past physical network configuration conditions. HIPAA Security Standards and Intelligent Infrastructure Solutions HIPAA s security standards outline various administrative, physical and technical security safeguards, identifying each as either Required or Addressable. Below, Table 1 shows a selection of those security standards and details ipatch features that can assist in meeting these requirements. confidentiality, integrity, and availability of private health information. To comply with these mandates, healthcare organizations must assess risks, correct weaknesses, and establish mechanisms for proving regulatory compliance. TABLE 1 HIPAA SECURITY STANDARDS MATRIX Standards Sections Implementation Specifications (R) = Required (A) = Addressable Administrative Safeguards Security Management Process (a)(1) Risk Analysis (R) Risk Management (R) Information System Activity Review (R) How Intelligent Infrastructure Solutions Can Help The Event Notification Service can create multiple real-time notifications about any security events that are related to a hospital s physical layer connectivity. The events are also recorded in a log file that can be later used for auditing. Reports provide a historical review of events and activities. Security Incident Procedures Contingency Plan (a)(6) Response & Reporting (R) (a)(7) Data Backup Plan (R) Disaster Recovery Plan (R) The Event Notification Service can create multiple real-time notifications that can trigger a response by the end user. Reports provide a historical review of events and activities. In event of a physical disaster in the patching racks, the patching can easily be recreated. The ipatch database can be part of the disaster recovery plan since the entire physical structure is mapped in the database. All networked devices are documented as well, including the service and switch used by every device at the site. 2

3 TABLE 1 HIPAA SECURITY STANDARDS MATRIX CONTINUED Standards Sections Implementation Specifications (R) = Required (A) = Addressable How Intelligent Infrastructure Solutions Can Help Physical Safeguards Facilities Access Controls (a)(1) Facility Security Plan (A) Critical circuits can be monitored by motion sensitive cameras. These IP cameras can be supervised by System Manager using its SNMP features. SNMP traps can be received by System Manager and used to generate an alert that notifies the administrator immediately of activity recorded by the cameras. The alert indicates the particular camera involved, which can be located directly on a floor plan representation. The event is recorded in the log file for audit purposes. Device and Media Controls (d)(1) Accountability (A) The System Manager Device Discovery feature keeps track of all networked devices and detects their movement. Device location can be tracked by faceplate location on a floor plan. The Device Discovery feature helps to locate portable medical devices that have an IP address or World Wide Identifier. When equipment is frequently moved from room to room, this is a very helpful feature for asset tracking. It also is helpful in emergency situations since it can be used to quickly locate equipment needed for critical care. 3

4 Healthcare Information Technology Priorities and Intelligent Infrastructure Solutions The Healthcare Information and Management Systems Society (HIMSS) is the healthcare industry s membership organization ( that is exclusively focused on providing leadership for the optimal use of healthcare information technology (IT) and management systems for the betterment of healthcare. The results of the most recent HIMSS (19th annual) leadership survey, which collected opinions from IT technology executives in the healthcare industry, were published in a report dated February 25, The study collected information about IT priorities, technology adoption, application usage, and other crucial factors in the use of IT to enhance healthcare. Trends were identified by comparing the latest results to the results from the previous year s survey. Almost all correspondents (96% of those surveyed) expressed security concerns, indicating those are what keep these information technology managers and CIOs up at night. They primarily worry about internal breaches of security, specifically breaches in data security. The survey states that 18% of the respondents said they had experienced a data breach and 14% did not know whether they had experienced such a breach. Below, Figure 1 shows a comparison of the top concerns reported in 2008 in comparison to those reported in ipatch can help provide peace of mind to these managers and CIOs by giving them real-time information via instant notifications and automated reports (scheduled and customizable) as to what devices are accessing what particular services and whether any unauthorized patching activities have taken place. Figure 1 Top Concerns Reported in 2008 vs HIPAA compliance is the next highest area of concern expressed by healthcare information technology managers and CIOs. Another priority concern that could easily be addressed with ipatch is the ability to connect a remote hospital network with the main hospital. The ipatch System Manager provides excellent features for managing remote sites. In fact, non-it personnel can implement connectivity moves, adds, and changes at these remote sites using the ipatch System Manager s electronic work orders and advanced guidance features. 4

5 Below, Figure 2 shows the chief reasons for budget increases for Technology costs continue an upward trend as healthcare organizations strive to upgrade their IT Infrastructure and meet their compliance needs. Another important finding that is worth mentioning is that 15% of the respondents indicated that there is a need to prove IT ROI. Economic Value Creation (EVC) methodology that was developed for ipatch is a helpful tool to support hospitals in justifying investments into new IT technologies. Figure 2 Reasons for Budget Increases Summary Connectivity infrastructure is the conduit from the end user to healthcare data. There are a great variety of potential scenarios that might allow an individual to improperly access servers with sensitive data, posing a real threat. Most of these scenarios involve internal personnel gaining inappropriate access (rather than an external security breach). These concerns are reflected in the HIMSS Survey. The ipatch System Manager s audit trail and reporting features provide answers to questions about who did what, where, when, and how, making it a powerful and compelling solution. Recent technology and budget trends in the medical community also emphasize the benefits of Intelligent Infrastructure Solutions for addressing HIPAA compliance and security concerns. Visit our Web site or contact your local CommScope representative for more information CommScope, Inc. All rights reserved. All trademarks identified by or are registered trademarks or trademarks, respectively, of CommScope, Inc. This document is for planning purposes only and is not intended to modify or supplement any specifications or warranties relating to CommScope products or services. TD-E-1 09/11