How Managed File Transfer Addresses HIPAA Requirements for ephi



Similar documents
Five Ways to Improve Electronic Patient Record Handling for HIPAA/HITECH with Managed File Transfer

MANAGED FILE TRANSFER: 10 STEPS TO HIPAA/HITECH COMPLIANCE

itrust Medical Records System: Requirements for Technical Safeguards

Technical Safeguards is the third area of safeguard defined by the HIPAA Security Rule. The technical safeguards are intended to create policies and

HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER

HIPAA Security. 4 Security Standards: Technical Safeguards. Security Topics

HIPAA Audit Processes HIPAA Audit Processes. Erik Hafkey Rainer Waedlich

VMware vcloud Air HIPAA Matrix

HIPAA Security Checklist

HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS

Healthcare Compliance Solutions

HIPAA. considerations with LogMeIn

SECURITY RISK ASSESSMENT SUMMARY

HIPAA Compliance Guide

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

HIPAA Security Series

Healthcare Compliance Solutions

Develop HIPAA-Compliant Mobile Apps with Verivo Akula

DMZ Gateways: Secret Weapons for Data Security

HIPAA Privacy & Security White Paper

HIPAA Security Alert

HIPAA Compliance and Wireless Networks Cranite Systems, Inc. All Rights Reserved.

WHITE PAPER. Managed File Transfer: When Data Loss Prevention Is Not Enough Moving Beyond Stopping Leaks and Protecting

WHITEPAPER XMEDIUSFAX CLOUD FOR HEALTHCARE AND HIPAA COMPLIANCE

Using Data Encryption to Achieve HIPAA Safe Harbor in the Cloud

HIPAA Compliance and Wireless Networks

LogMeIn HIPAA Considerations

The Health Insurance Portability and Accountability Act - HIPAA - Using BeAnywhere on a HIPAA context

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

CHIS, Inc. Privacy General Guidelines

HIPAA Information Security Overview

An Effective MSP Approach Towards HIPAA Compliance

Safeguarding Data Using Encryption. Matthew Scholl & Andrew Regenscheid Computer Security Division, ITL, NIST

Krengel Technology HIPAA Policies and Documentation

Datto Compliance 101 1

UNIVERSITY OF CALIFORNIA, SANTA CRUZ 2015 HIPAA Security Rule Compliance Workbook

RAYSAFE S1 SECURITY WHITEPAPER VERSION B. RaySafe S1 SECURITY WHITEPAPER

MANAGED FILE TRANSFER: 10 STEPS TO SOX COMPLIANCE

MOVEIT: SECURE, GUARANTEED FILE DELIVERY BY JONATHAN LAMPE, GCIA, GSNA

Securing and Managing Data Transmissions. 2010, Linoma Software. All rights reserved.

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES

Please Read. Apgar & Associates, LLC apgarandassoc.com P. O. Box Portland, OR Fax

HIPAA Security COMPLIANCE Checklist For Employers

How Reflection Software Facilitates PCI DSS Compliance

HIPAA Security and HITECH Compliance Checklist

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE

IBM Internet Security Systems. The IBM Internet Security Systems approach for Health Insurance Portability and Accountability Act compliance overview

Account Restrictions Agreement [ARA] - Required by LuxSci HIPAA Accounts

ITUS Med Solutions. HITECH & HIPAA Compliance Guide

HIPAA, PHI and . How to Ensure your and Other ephi are HIPAA Compliant.

The governance IT needs Easy user adoption Trusted Managed File Transfer solutions

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

WHITE PAPER. HIPAA-Compliant Data Backup and Disaster Recovery

Medical Privacy Version Standard. Business Associate Agreement. 1. Definitions

MANAGED FILE TRANSFER: 10 STEPS TO PCI DSS COMPLIANCE

Pennsylvania Department of Public Welfare. Bureau of Information Systems OBSOLETE. Secure User Guide. Version 1.0.

WHITE PAPER. Support for the HIPAA Security Rule RadWhere 3.0

White Paper. Securing and Integrating File Transfers Over the Internet

MAX Insight. HIPAA Hardening & Configuration Guide for MSP s

Securing Ship-to-Shore Data Flow

Compliance and Industry Regulations

White Paper. Support for the HIPAA Security Rule PowerScribe 360

SECURE YOUR DATA EXCHANGE WITH SAFE-T BOX

Healthcare Security and HIPAA Compliance with A10

DRAFT Standard Statement Encryption

BANKING SECURITY and COMPLIANCE

Managed File Transfer and the PCI Data Security Standards

Support for the HIPAA Security Rule

Beyond FTP: Securing and Managing File Transfers

HIPAA SECURITY RULES FOR IT: WHAT ARE THEY?

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification

Electronic Prescribing of Controlled Substances Technical Framework Panel. Mark Gingrich, RxHub LLC July 11, 2006

WHITE PAPER. HIPPA Compliance and Secure Online Data Backup and Disaster Recovery

State of Wisconsin DET File Transfer Protocol Service Offering Definition (FTP & SFTP)

Methods available to GHP for out of band PUBLIC key distribution and verification.

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc.

HIPAA HANDBOOK. Keeping your backup HIPAA-compliant

HIPAA: Understanding The Omnibus Rule and Keeping Your Business Compliant

utilizing it vendors to avoid risks 1 patient privacy and data security: utilizing it vendors to meet hipaa compliance and avoid risks

Ensuring HIPAA Compliance with eztechdirect Online Backup and Archiving Services

For more information on how to build a HIPAA-compliant wireless network with Lutrum, please contact us today!

Experian Secure Transport Service

Copyright Telerad Tech RADSpa. HIPAA Compliance

Meaningful Use Crosswalk to the Security Rule

2: Do not use vendor-supplied defaults for system passwords and other security parameters

SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION

Interim Final Rule on Standards, Implementation Specifications, and Certification Criteria

Page 1. Copyright MFA - Moody, Famiglietti & Andronico, LLP. All Rights Reserved.

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

An Introduction to HIPAA and how it relates to docstar

Matching BlackBerry Features to HIPAA Security Requirements

White Paper: Ensuring HIPAA Compliance by Implementing the Right Security Strategy

HIPAA Compliance for the Wireless LAN

Network-Enabled Devices, AOS v.5.x.x. Content and Purpose of This Guide...1 User Management...2 Types of user accounts2

FileCloud Security FAQ

Complying with PCI Data Security

How To Write A Health Care Security Rule For A University

An Oracle White Paper December Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance

Nationwide Review of CMS s HIPAA Oversight. Brian C. Johnson, CPA, CISA. Wednesday, January 19, 2011

C.T. Hellmuth & Associates, Inc.

Transcription:

How Managed File Transfer Addresses HIPAA Requirements for ephi 1

A White Paper by Linoma Software INTRODUCTION As the healthcare industry transitions from primarily using paper documents and patient charts to electronic health records, the need for a secure and reliable method of sharing electronic protected health information (ephi) has increased. Both the Health Information Technology for Economic and Clinical Health Act (HI- TECH) and Health Insurance Portability and Accountability Act (HIPAA) include specific guidance and requirements related to the transfer of ephi. Failure to follow these guidelines can result in potential privacy breaches and HIPAA violations. These new requirements have effectively made traditional File Transfer Protocol (FTP) file sharing ill-advised, if not obsolete. Transferring electronic patient records requires strong security, tight administrative controls, and thorough audit reporting that is not possible using traditional, ad hoc methods. A robust managed file transfer (MFT) solution can not only streamline and automate the movement of critical patient files for healthcare providers, insurance companies, vendors, and other stakeholders, it can also provide the security and controls necessary for HIPAA and HITECH compliance. By eliminating the custom programming and complex scripting normally required for these transfers, MFT can also save time and money, improve the quality of and dependability of file transfers, and free up IT and administrative resources that would otherwise have to manage these processes. A well-designed MFT solution helps organizations meet 2

How Managed File Transfer Addresses HIPAA Requirements for ephi the requirements of HIPAA and HITECH by implementing a managed and auditable solution. These solutions can centralize file transfer processes, automate workflows, monitor file transfers, provide detailed audit logs and enable file protection (through encryption) beyond the organization s firewall. HIPAA 164.312(a)(1) Access Control: Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights. This white paper will provide an overview of how MFT solutions can help healthcare organizations meet the specific requirements of the HIPAA standards. Meeting HIPAA Required Standards Below is a list of HIPAA required standards related to the transfer of ephi, along with a description of how an MFT solution can help meet those standards. All of the requirements are part of the HIPAA 164.312 Technical Safeguards. Using an MFT solution, users and passwords can be authenticated via a variety of techniques, including database authentication, LDAP and Active Directory (AD). Accounts can additionally be authenticated using X.509 certificates and SSH keys. Role-based security in a MFT solution allows administrative users to access only authorized features, and folders and files can be authorized to specific users and groups. Each user is required to have a unique ID to log into the MFT, and data can be made available for restricted access. HIPAA 164.312 (a)(2)(i) Unique User Identification: Assign a unique name and/ or number for identifying and tracking user identity. Each MFT user must have a unique user ID and password to log into the solution. All activity for the user can be audited in a central database, including all file transfer activity. This audit information can be reported within the MFT and can additionally be sent to a central SYSLOG server. HIPAA 164.312(c)(1) Integrity: Implement policies and procedures to protect electronic protected health information from improper alteration or destruction. Folders and files can be restricted from edit/delete access by user and group. This data can be made available for read-only access or can be completely restrict- 3

A White Paper by Linoma Software ed. Encrypted transmissions use hashing algorithms to confirm the integrity of data packets. HIPAA 164.312(d) Person or Entity Authentication: Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed. MFT users can be authenticated using a variety of protocols including database, LDAP, AD, SSH keys and certificates. Digital signatures can be utilized in the data to confirm the sender s identity (non-repudiation). HIPAA 164.312(e)(1) Transmission Security: Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network. With an MFT solution, files and transmissions are securely transferred using SFTP, FTPS and HTTPS protocols, as well as encryption standards of AES and Open PGP. HIPAA Addressable Standards Within HIPAA, certain parts of the standard are listed as addressable, and can be implemented in a slightly more flexible manner than other requirements. In meeting addressable implementation specifications, a covered entity can implement the specifications, implement one or more alternative security measures to accomplish the same goal, or choose not to implement the specification at all. MFT offers a simple, affordable way for covered entities to meet both the addressable and required specifications. HIPAA 164.312(a)(2)(iii) Automatic Logoff: Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity. The session timeout with an MFT solution can be configured by the administrator so users are automatically logged out after being inactive for the specified length of time. HIPAA 164.312(a)(2)(iv) Encryption and Decryption: Implement a mechanism to encrypt and decrypt electronic protected health information. Data can be exchanged securely using SFTP (SSH), SCP, FTPS (SSL/TLS) and HTTPS protocols using a managed file transfer solution. The files can be individually encrypted using the Open PGP and AES encryption standards. Additionally, procedures can be established to automatically encrypt ephi while it is at rest 4

How Managed File Transfer Addresses HIPAA Requirements for ephi on internal servers, and to encrypt the tunnels through which the files may travel during transfer. HIPAA 164.312(b)(1) Audit Controls: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. MFT solutions can capture required audit data and provide a mechanism to monitor all file transfers. All user activity is tracked and audited in a central database, providing complete visibility. Any unauthorized activity can also be tracked using the MFT system. Providers can maintain a detailed history of security procedures associated with each transmission, as well as individual user access history since all users are uniquely identified. Any unauthorized transfers or transfer failures can trigger alerts via e-mail, SYSLOG, and other messaging systems. The data can also be used by internal auditing programs. HIPAA 164.312(c)(2) Authenticate Electronic Protected Health Information: Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner. Audit trails will document when unauthorized attempts are made to access the MFT system. The combination of unique user identification and the ability to limit file access by individuals and groups can further prevent unauthorized changes. HIPAA 164.312 (e)(2)(i) Integrity Controls: Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of. Using an MFT solution, files and folders can be restricted by individual users and group profiles. Through standard hash algorithms, data packet checksums can verify that the data sent matches the data received. As mentioned earlier, the system also tracks all user activity centrally and can generate alerts based on customized parameters and triggers, creating another layer of protection against data tampering. HIPAA 164.312 (e)(2)(ii) Encryption: Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate. Files transferred via MFT can be encrypted and decrypted using the Open PGP and AES encryption standards. SSL and SSH standards are utilized for encrypting tunnels between systems. Data can be automatically encrypted on internal servers at rest. CONCLUSION Managed file transfer, as outlined above, can help healthcare organizations and their trading partners more securely exchange ephi and meet both the required and addressable specifications of the HIPAA standard. An MFT platform protects against data breaches for both internal and external transmissions. Using rigorous access control and automated transfer processes complete with encryption such solutions can provide the comprehensive management controls that HIPAA and HITECH regulations require. 5

A White Paper by Linoma Software About Linoma Software Linoma Software provides innovative technologies for protecting sensitive data and automating data movement. With a diverse install base of over 3,000 customers around the world, Linoma Software provides enterprise-class managed file transfer and data encryption solutions to corporations, non-profit organizations and government entities. With its dedication to research, development and superior customer service, Linoma Software is a recognized leader in software development. Linoma Software 1409 Silver Street Ashland, Nebraska 68003 (402) 944.4242 (800) 949.4969 sales@goanywhere.com www.goanywhere.com 6

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information