XYGATE & HIPAA COMPLIANCE




XYGATE & HIPAA COMPLIANCE
A Solution Paper
February, 2005

XYPRO Technology Corporation
3325 Cochran Street, Suite 200
Simi Valley, California 93063-2528 U.S.A.
Email: support@xypro.com
Telephone: +1 805-583-2874
FAX: +1 805-583-0124

Copyright 2005 by XYPRO Technology Corporation. All rights reserved.

Trademark Acknowledgments

The following are trademarks or service marks of Hewlett-Packard Company: Distributed System Management (DSM), EDIT, ENFORM, Enscribe, Event Management Service (EMS), FUP, Guardian, MEASURE, NETBATCH, NonStop, NonStop Kernel, NonStop SQL, PATHCOM, PATHWAY, SAFECOM, SAFEGUARD, SCUP, SPOOLCOM, TACL, TEDIT.

The following are trademarks or service marks of XYPRO Technology Corporation: XY-2K, XYCLOPS, XYDOC, XYDOC II, XYGATE, XYGATE/AC, XYGATE/CD, XYGATE/CM, XYGATE/EFTP, XYGATE/ESDK, XYGATE/FE, XYGATE/KM, XYGATE/LD, XYGATE/MA, XYGATE/MI, XYGATE/OS, XYGATE/PC, XYGATE/PM UM, XYGATE/PQ, XYGATE/SE, XYGATE/SE40, XYGATE/SM, XYGATE/SP, XYGATE/SR, XYGATE/SW, XYGATE/UA, XYPRO, XYTIMER, XYWATCH.

TABLE OF CONTENTS

INTRODUCTION
DEFINITION OF PRINCIPALS
REQUIREMENTS IN HP NONSTOP SERVER ENTERPRISES
  Administrative Safeguards
    STANDARD: Security Management Process
    STANDARD: Security Awareness Training
  Technical Safeguards
    STANDARD: Access Control
    STANDARD: Audit Controls
    STANDARD: Integrity
    STANDARD: Person or Entity Identity
    STANDARD: Transmission Security
CONCLUSIONS
DISCLAIMER
XYGATE PRODUCT TABLE
APPENDIX A: EXCERPTS FROM HIPAA

INTRODUCTION

The Health Insurance Portability and Accountability Act (HIPAA) has the following general objectives:
- Guarantee health insurance coverage of employees.
- Reduce health care fraud and abuse.
- Introduce/implement administrative simplification to increase the effectiveness and efficiency of the health care system.
- Protect the health information of individuals against unauthorized access.

This last objective is where XYPRO products will bring the most benefits to customers striving to comply with HIPAA regulations within their HP NonStop Server enterprises.

This paper is intended for general informational purposes and does not contain exact definitions or guidelines on compliance. Indeed, the scalability factor (a single doctor's office versus a large corporate health provider) and the fact that risk assessment and mitigation are moving targets make any generic checklist unfeasible. This paper does list some of the major parts of the security standards set forth in HIPAA regulations and points to the XYPRO products that can provide a company with the technological tools to implement the policies and procedures needed to achieve compliance. Product tables toward the end of this document describe each XYPRO product cross-referenced to the standards it can be used to meet. Excerpts from the HIPAA regulations are provided in Appendix A.

DEFINITIONS & PRINCIPALS

Covered Entities (CEs) are defined by HIPAA as health plans, health care clearinghouses, and health care providers who maintain or transmit identifiable health information in any form: oral, written, or electronic. This information is referred to as Protected Health Information (PHI). In 164.306 HIPAA defines a series of measures that CEs must take to protect such information. Many sections of these measures involve areas that must be implemented by management, such as the creation, implementation, review, and revision of written policies and procedures. XYPRO's XYGATE products are the tools that allow IT departments to achieve compliance with such policies, as well as to provide reporting to illustrate that compliance goals are being met.

HIPAA is scalable. Each CE needs to meet the specific needs and feasibility of each facility. A single doctor's office may be able to address HIPAA with a much smaller plan and much less automation than a large corporate medical provider might need.

Risk assessment and mitigation are not static entities. HIPAA stresses that risk assessment and mitigation planning must be continuous processes and are to be reviewed often. New plans must be developed and implemented based on current and new threats as well as new technologies in today's fast-moving world of electronic business.

HIPAA specifically states that patient care cannot be interrupted or its quality affected in a negative way. This legislation points out that the most important objective of CEs is to take care of their patients.

HIPAA can reach outside CEs. Application Service Providers (ASPs) are third-party providers operating information systems located remotely but hosting data of the hospital and its patients. Outreach, vendor remote and other third parties servicing hospital equipment are also examples of entities to whom HIPAA regulations may apply.

REQUIREMENTS & NONSTOP SERVER ENTERPRISES

Part 164, Security and Privacy, of HIPAA most directly relates to Information Technology (IT). Sections 164.308 Administrative Safeguards and 164.312 Technical Safeguards relate directly to needs that XYGATE products can satisfy. These sections contain standards and their corresponding implementation specifications. Implementation specifications are classified (R), REQUIRED, or (A), ADDRESSABLE. If a specification is ADDRESSABLE, then CEs may use some discretion as to whether it is a reasonable and appropriate safeguard in their environment or whether an equivalent alternative measure is reasonable and appropriate. What follows is a list of selected standards and how XYGATE products can help CEs achieve compliance.

164.308 Administrative Safeguards

STANDARD 164.308(a)(1) - Security Management Process. Implement policies and procedures to prevent, detect, contain, and correct security violations.
IMPLEMENTATIONS: REQUIRED; ADDRESSABLE
REQUIRED - Risk Analysis. Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
REQUIRED - Risk Management. Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 164.306(a). (See Appendix A.)

XYPRO Solutions

The two preceding specifications show the need for "HP NonStop Server Security: A Practical Handbook". Authored by XYPRO and published by HP, this is the definitive reference for using native NonStop security products like Guardian and Safeguard. It provides practical guidance about administration, authorization, authentication, auditing and Best Practices. The XYGATE Security Compliance Wizard (/SW) can be used to compare the Best Practices documented in the handbook to a NonStop server environment, producing a comprehensive report that documents where a particular system complies and where it differs. Justification for variances can be annotated for tracking purposes and included in audit reports. XYGATE /SW is a Windows-based wizard that makes it possible to develop security policy and monitor compliance for an entire NonStop server enterprise from authorized desktop PCs.

REQUIRED - Sanction Policy. Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity. (Statements regarding disciplinary actions that are communicated to all employees, agents, and contractors; for example, verbal warning, notice of disciplinary action placed in personnel files, removal of system privileges, termination of employment and contract penalties.)
REQUIRED - Information System Activity Review. Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

XYPRO Solutions

XYGATE Merged Audit (/MA) software lets authorized users create reports with timely mixes of information from Safeguard, Measure and all of the other XYGATE security products. Data is collected from multiple audit data sources and multiple NonStop servers, then combined to produce a single reporting repository for a total audit picture. For routine audit reports, XYGATE /MA can be set to screen out data that is always present and irrelevant (permitted logons, for example). The customizable filters catch information that isn't desired and allow it to be excluded from the audit files. For audit information too critical to wait for the next audit report cycle, XYGATE /MA supports automatic alerts, sending messages to an EMS process, a third-party IP monitor, and specified email addresses (perhaps for forwarding to devices able to receive text messages, e.g. support staff mobile phones).

All audit data is loaded into a single SQL database on the system where XYGATE /MA is headquartered. Centralization of data is fundamental to the combined system reporting available. It also simplifies custom report generation and ad hoc queries using SQLCI or any PC-based SQL product that can retrieve data from a host system. Along with customized report generation, this product includes a set of standard reports for such popular topics as Alerts Issued, Logons, Failed Logons, Subject User vs. Target User and SUPER.SUPER usage.

STANDARD 164.308(a)(5) - Security Awareness. Implement a security awareness and training program for all members of its workforce (including management).
IMPLEMENTATIONS: REQUIRED; ADDRESSABLE
ADDRESSABLE - Security Reminders. Implement periodic security updates.

ADDRESSABLE - Protection from Malicious Software. Implement procedures for guarding against, detecting, and reporting malicious software.
ADDRESSABLE - Log-In Monitoring. Implement procedures for monitoring log-in attempts and reporting discrepancies.
ADDRESSABLE - Password Management. Implement procedures for creating, changing, and safeguarding passwords.

XYPRO Solutions

The XYGATE suite includes Access Control (for Guardian and OSS), Process Control, CMON, and Spoolcom/Peruse/Archive tools. Together these products provide the core of a well-secured NonStop system, including:
- Individual accountability, restricting each user to a list of authorized actions based on that user's job functions
- Comprehensive auditing with flexible reporting
- A $CMON process that administers logon-to-logoff session controls and load balancing
- Protection of SPOOLER reports, enhanced by eliminating the need for a SUPER group id to access print jobs and adding the ability to limit and audit user actions by command, subcommand, supervisor, collector, object, and subject (user).

To extend core security, XYGATE includes tools specific to implementing more of the ADDRESSABLE issues above, with controls and reporting that are both highly granular and flexible.

XYGATE Password Quality (/PQ) makes it possible to set rules to govern password characteristics with more granularity than native NonStop security or Safeguard. XYGATE /PQ then enforces those rules, standardizing and strengthening passwords for the NonStop server support staff across all nodes. All of this can be done from XYGATE's Windows-based GUI running on authorized workstation PCs.

XYGATE User Authentication further enhances logon security by providing granular, efficient logon controls while eliminating the need for privileged logons such as SUPER.SUPER ids. Pre-production testing of logon rules, early detection of intrusion attempts, logons to sensitive userids, and two-factor authentication are all standard features of this product.
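The Password Management specification above is met by enforcing password characteristic rules at the point where a password is created or changed. The following is an added example (not XYPRO code, and not the XYGATE /PQ rule syntax) of how such a checker is typically structured: every rule is evaluated and reported, and a warning mode accepts the password while still recording the violations for audit. The policy fields, thresholds and excluded words are constructed for illustration.

```python
"""Password-quality checker illustrating the kinds of rules this page
attributes to XYGATE /PQ (minimum upper/lower-case letters, digits and
special characters, limits on repeated characters, excluded strings,
warning mode). Added example; not XYPRO code. The policy fields,
thresholds and excluded words below are constructed for illustration."""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class PasswordPolicy:
    """Constructed policy; every threshold here is an assumption."""
    min_length: int = 8
    min_upper: int = 1
    min_lower: int = 1
    min_digits: int = 1
    min_special: int = 1
    max_run: int = 2                 # longest run of one repeated character
    excluded: Tuple[str, ...] = ("password", "nonstop", "super")


def longest_run(s: str) -> int:
    """Length of the longest run of identical consecutive characters."""
    best = run = 1 if s else 0
    for prev, cur in zip(s, s[1:]):
        run = run + 1 if cur == prev else 1
        best = max(best, run)
    return best


def check_password(pw: str, policy: PasswordPolicy = PasswordPolicy()) -> List[str]:
    """Return the names of every rule the candidate password violates.

    An empty list means the password satisfies the policy. All rules are
    evaluated (not just the first failure) so the user can be told
    everything that needs fixing in one round trip.
    """
    violations = []
    if len(pw) < policy.min_length:
        violations.append("min_length")
    if sum(c.isupper() for c in pw) < policy.min_upper:
        violations.append("min_upper")
    if sum(c.islower() for c in pw) < policy.min_lower:
        violations.append("min_lower")
    if sum(c.isdigit() for c in pw) < policy.min_digits:
        violations.append("min_digits")
    # "special" here means anything that is neither a letter nor a digit
    if sum(not c.isalnum() for c in pw) < policy.min_special:
        violations.append("min_special")
    if longest_run(pw) > policy.max_run:
        violations.append("max_run")
    lowered = pw.lower()
    if any(word in lowered for word in policy.excluded):
        violations.append("excluded")
    return violations


def enforce(pw: str, policy: PasswordPolicy = PasswordPolicy(),
            warning_mode: bool = False) -> Tuple[bool, List[str]]:
    """Apply the policy. In warning mode a non-compliant password is still
    accepted but the violations are returned so they can be logged and the
    user warned; in enforcing mode it is rejected."""
    violations = check_password(pw, policy)
    accepted = warning_mode or not violations
    return accepted, violations


if __name__ == "__main__":
    for candidate in ("Xy7$pro!Q", "password", "Aaaa1!"):
        print(candidate, "->", check_password(candidate) or "OK")
```

Warning mode is the rollout stage: run the checker in warning mode first, review the logged violations to see how far existing practice is from the policy, then switch to enforcing mode once the staff have been notified.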
XYGATE Safeguard Manager is a graphical interface enabling authorized users to configure and control Safeguard global settings, users, aliases and object Access Control Lists (ACLs) from their workstation PCs. Configuration updates can be propagated to a single node, some nodes, or all nodes in a NonStop network. Remote password maintenance updates can be applied to a single user, hundreds, or thousands. Flexible grids make it easy to sort data and then drill down for details.

XYGATE Dynamic Object Security (/OS) enables the creation and implementation of rules for dynamic, pattern-oriented ACL administration using Regular Expressions. Rules can be based on many characteristics, including object name, Safeguard alias, and userid. In addition, XYGATE /OS rules make it possible to govern the use of operational privileges not only for Read, Write, Execute, and Purge, but for Rename, License, and the entire operations set supported by NonStop Servers.

164.312 Technical Safeguards

STANDARD 164.312(a)(1) - Access Control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in 164.308(a)(4).
IMPLEMENTATIONS: REQUIRED; ADDRESSABLE
REQUIRED - Unique User Identifier. Assign a unique name and/or number for identifying and tracking user identity.
REQUIRED - Emergency Access Procedure. Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.
ADDRESSABLE - Automatic Logoff. Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
ADDRESSABLE - Encryption and Decryption. Implement a mechanism to encrypt and decrypt electronic protected health information.

XYPRO Solutions

XYGATE is a single solution set to efficiently meet HIPAA Access Control Standards in a variety of ways. XYGATE Access Control (/AC) allows the functional properties of one Guardian userid to be allocated and controlled for other userids, eliminating the need for direct use or sharing of privileged userids such as SUPER.SUPER. This tool not only includes controls over what programs a user is allowed to run, but also enables command-level security for the programs that the user is allowed to run. All users are able to perform their regular job functions and have emergency access capabilities using their own unique userid in an audited environment. XYGATE /AC commands also have the capability to request the user's password upon entry to a privileged command and/or after a timeout period of inactivity.

XYGATE CMON forces users to log on to a personal userid before logging on to SUPER.SUPER or other power userids. Additional capabilities enable security administrators to restrict users/programs to specific ports/IP addresses, audit all user logons/logoffs and enforce automatic logoffs.
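The Access Control standard and the pattern-oriented ACL rules described for XYGATE Dynamic Object Security above come down to one decision procedure: given a subject, an object and an operation, find the rule that applies and record which rule decided. The following added example (not XYPRO code and not the XYGATE /OS rule syntax) shows such an evaluator with regular-expression subject and object patterns, an operation set that goes beyond Read/Write/Execute/Purge to Rename, License and PROGID, first-match-wins ordering and default deny. The rule set, object names and userids are constructed for illustration.

```python
"""Pattern-oriented object ACL evaluation of the kind this page describes
for XYGATE Dynamic Object Security: rules built from regular expressions
over subject (userid or alias) and object name, governing not only
Read/Write/Execute/Purge but Rename, License and PROGID. Added example;
not XYPRO code and not its rule syntax. The rule set, object names and
userids below are constructed for illustration."""
import re
from typing import List, NamedTuple, Optional, Tuple

OPERATIONS = frozenset({"READ", "WRITE", "EXECUTE", "PURGE", "RENAME", "LICENSE", "PROGID"})


class Rule(NamedTuple):
    rule_id: str
    subject: str          # regex, full-matched against the userid or alias
    obj: str              # regex, full-matched against the object name
    operations: frozenset
    allow: bool


class Acl:
    """Ordered rule list; the first matching rule decides, default is deny."""

    def __init__(self, rules: List[Rule]):
        for r in rules:
            unknown = r.operations - OPERATIONS
            if unknown:
                raise ValueError(f"rule {r.rule_id}: unknown operations {sorted(unknown)}")
        # compile once; fullmatch avoids the classic "prefix matches" mistake
        self._rules = [(r, re.compile(r.subject, re.IGNORECASE),
                        re.compile(r.obj, re.IGNORECASE)) for r in rules]

    def decide(self, subject: str, obj: str, operation: str) -> Tuple[bool, Optional[str]]:
        """Return (allowed, id of the deciding rule, or None for default deny)."""
        if operation not in OPERATIONS:
            raise ValueError(f"unknown operation {operation!r}")
        for rule, subj_re, obj_re in self._rules:
            if operation in rule.operations and subj_re.fullmatch(subject) and obj_re.fullmatch(obj):
                return rule.allow, rule.rule_id
        return False, None


# Constructed rule set. Note the escaped "$" and "." in the object patterns:
# Guardian-style names such as $DATA.PATIENT.RECORDS contain regex metacharacters.
RULES = Acl([
    Rule("secadmin-license", r"SEC\.ADMIN", r".*", frozenset({"LICENSE", "PROGID"}), True),
    Rule("deny-license-progid", r".*", r".*", frozenset({"LICENSE", "PROGID"}), False),
    Rule("dba-patient-maint", r"DBA\..*", r"\$DATA\.PATIENT\..*",
         frozenset({"READ", "WRITE", "PURGE", "RENAME"}), True),
    Rule("ops-read-patient", r"OPS\..*", r"\$DATA\.PATIENT\..*", frozenset({"READ"}), True),
    Rule("ops-run-system", r"OPS\..*", r"\$SYSTEM\.SYSTEM\..*", frozenset({"EXECUTE"}), True),
])


def check(subject: str, obj: str, operation: str) -> Tuple[bool, Optional[str]]:
    """Evaluate the constructed rule set; the rule id is what an audit record should carry."""
    return RULES.decide(subject, obj, operation)


if __name__ == "__main__":
    for req in [("OPS.ALICE", "$DATA.PATIENT.RECORDS", "READ"),
                ("OPS.ALICE", "$DATA.PATIENT.RECORDS", "WRITE"),
                ("SUPER.SUPER", "$SYSTEM.SYSTEM.TACL", "LICENSE")]:
        print(req, "->", check(*req))
```

Two design points matter for audit: the deciding rule id is returned with every decision so the audit trail can say why access was granted, and the broad deny for LICENSE and PROGID sits directly after the single allow for the security administrator, so no later, wider rule can quietly re-grant those privileges.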

XYGATE File Encryption & Key Management allows encryption of files, both stored on the system and in transit. It features support for multiple platforms (NonStop, Windows, Unix, OS390, etc.) and multiple file formats (binary, ASCII and EBCDIC data).

XYGATE Session Encryption provides end-to-end encryption to protect privacy for many types of sessions: between your NonStop Servers, and between your NonStop Servers and their network-connected PCs and other computer platforms as well. Examples include:
- Interactive sessions using Telnet, Multi-LAN, RS232, Async, 6530 or ASCII emulation
- Transaction sessions using bulk transfer products like ODBC, TOP and RSC
- FTP sessions using dual channels, one for data and another for commands, userids and passwords
- NonStop Windows sessions performing crypto proxy services, as done using SSL mechanisms with SafeTGate

XYGATE Encryption Software Developer Kit (/ESDK) provides APIs to encryption-enable your own applications, databases and communications. It includes support for DES, triple DES and a variety of other algorithms, as well as crypto key mechanisms. XYGATE /ESDK is usable across multiple platforms and includes a digital signature mechanism to ensure data is unaltered during transmission.

STANDARD 164.312(b) - Audit Controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
IMPLEMENTATIONS: REQUIRED
REQUIRED - Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

XYPRO Solutions

XYGATE Safeguard Reports (/SR) streamlines security audit reporting for NonStop server environments and enables reporting for Safeguard activities with flexibility and ease. XYGATE /SR provides a full range of pre-formatted reports, plus the ability to alter the content to meet your exact needs. XYGATE /SR is a stand-alone product, but can be combined with other XYGATE products to further ease the effort of security audit reporting.

XYGATE Merged Audit (/MA) supplies automated and comprehensive auditing that can be combined to produce a single report providing a total picture in a timely and convenient manner. XYGATE /MA provides centralized reporting for all security-related audit logs (Safeguard, XYGATE, EMS, Measure). It facilitates the use of host- or PC-based standard tools for reports, e.g. MS Access, Excel, ODBC, Crystal Reports. This product also provides automatic alerting for security events like more than 5 failed logons in 2 minutes, SUPER.SUPER logons at certain times of day, invalid file access, etc. Alerts can be via EMS event, message to an IP address, custom (via user-written TACL macro) or email (perhaps for forwarding to devices able to receive text messages, e.g. support staff cell phones).

STANDARD 164.312(c) - Integrity. Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
IMPLEMENTATIONS: REQUIRED; ADDRESSABLE
ADDRESSABLE - Mechanism to Authenticate Electronic Protected Health Information. Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.

STANDARD 164.312(d) - Person or Entity Authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
IMPLEMENTATIONS: REQUIRED; ADDRESSABLE
REQUIRED - Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

XYPRO Solutions

Long before HIPAA requirements, XYGATE has been protecting integrity and authentication as it secures against unauthorized access to or alteration of protected information by internal users and external intruders. XYGATE Access Control and Process Control sit between user terminals and the utility/application programs that users need in order to perform their assigned duties. Access Control Lists (ACLs) define who can have access to which privileges, in which programs, from which terminals and at what level of functionality.

XYGATE User Authentication (/UA) brings industry-best user authentication capabilities to NonStop server environments. Like many other XYPRO products, XYGATE /UA expands upon security functions native to NonStop systems, providing customer-requested enhancements like multi-factor authentication, sophisticated logon error management options and logon-specific audit reporting.
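The alert rules quoted under Audit Controls above (more than 5 failed logons in 2 minutes, SUPER.SUPER logons at certain times of day) are the kind of review a Security Management Process needs to run continuously rather than at the next report cycle. The following added example (not XYPRO code) implements both rules over a constructed logon audit extract: a per-user sliding window for failed logons, and a business-hours check for privileged logons. The log line format, the sample lines, the userids and the allowed-hours window are constructed for illustration; a real deployment would parse the Safeguard audit records instead.

```python
"""Threshold alerting over logon audit records, modelled on the alert
rules this page attributes to XYGATE /MA ("more than 5 failed logons in
2 minutes", SUPER.SUPER logons at certain times of day). Added example;
not XYPRO code. The log line format, the sample lines, the userids and
the business-hours window are all constructed for illustration."""
import re
from collections import defaultdict, deque
from datetime import datetime, time
from typing import Dict, List

# Constructed sample audit extract: six SUPER.SUPER failures in 79 seconds,
# two OPS.BOB failures three minutes apart, one malformed line, and a
# late-night SUPER.SUPER logon.
SAMPLE_LOG = """\
2005-02-14 08:59:50 LOGON OK user=OPS.ALICE term=$ZTN0.#PTY2
2005-02-14 09:00:01 LOGON FAILED user=SUPER.SUPER term=$ZTN0.#PTY1
2005-02-14 09:00:15 LOGON FAILED user=SUPER.SUPER term=$ZTN0.#PTY1
2005-02-14 09:00:30 LOGON FAILED user=SUPER.SUPER term=$ZTN0.#PTY1
2005-02-14 09:00:44 LOGON FAILED user=SUPER.SUPER term=$ZTN0.#PTY1
2005-02-14 09:01:02 LOGON FAILED user=SUPER.SUPER term=$ZTN0.#PTY1
2005-02-14 09:01:20 LOGON FAILED user=SUPER.SUPER term=$ZTN0.#PTY1
2005-02-14 09:05:00 LOGON FAILED user=OPS.BOB term=$ZTN0.#PTY3
2005-02-14 09:08:00 LOGON FAILED user=OPS.BOB term=$ZTN0.#PTY3
this line is deliberately malformed and must be skipped
2005-02-14 23:30:00 LOGON OK user=SUPER.SUPER term=$ZTN0.#PTY1
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) LOGON (?P<result>OK|FAILED) "
    r"user=(?P<user>\S+) term=(?P<term>\S+)$"
)
TS_FMT = "%Y-%m-%d %H:%M:%S"


def parse_events(text: str) -> List[Dict]:
    """Parse the constructed line format. Malformed lines are skipped rather
    than aborting the whole review; events are returned in time order."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({"ts": datetime.strptime(m["ts"], TS_FMT),
                       "result": m["result"], "user": m["user"], "term": m["term"]})
    events.sort(key=lambda e: e["ts"])
    return events


def detect_alerts(events: List[Dict], window_seconds: int = 120, threshold: int = 5,
                  privileged=("SUPER.SUPER",),
                  allowed_hours=(time(7, 0), time(19, 0))) -> List[Dict]:
    """Rule 1: more than `threshold` FAILED logons for one user inside a sliding
    window of `window_seconds`. Rule 2: a successful logon to a privileged
    userid outside `allowed_hours`. The window and hours are assumptions."""
    alerts = []
    failures = defaultdict(deque)        # user -> timestamps of recent failures
    for ev in events:
        if ev["result"] == "FAILED":
            q = failures[ev["user"]]
            q.append(ev["ts"])
            # drop failures that have aged out of the window
            while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
                q.popleft()
            if len(q) > threshold:
                alerts.append({"ts": ev["ts"].strftime(TS_FMT), "user": ev["user"],
                               "rule": "failed_logon_burst", "count": len(q),
                               "term": ev["term"]})
                q.clear()                # one alert per burst, not one per extra failure
        elif ev["user"] in privileged:
            t = ev["ts"].time()
            if not (allowed_hours[0] <= t < allowed_hours[1]):
                alerts.append({"ts": ev["ts"].strftime(TS_FMT), "user": ev["user"],
                               "rule": "privileged_logon_off_hours", "count": 1,
                               "term": ev["term"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_alerts(parse_events(SAMPLE_LOG)):
        print(alert)
```

The window is cleared after an alert fires so that a long burst produces one alert per threshold crossing instead of one per additional failure, which keeps the EMS or email channel from being flooded by the very event it is meant to flag. The terminal is carried in the alert because the page's CMON controls (terminal device logon restrictions, address-based access control) are the natural follow-up action.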
XYGATE Password Quality (/PQ) lets you set rules to govern password characteristics. Minimum numbers of upper/lower case letters and numbers, control characters, special characters, repeating characters and excluded characters are among the options provided. Also included are NonStop network-wide password updates: when a user changes a password on one system, XYGATE /PQ encrypts and propagates the change across all systems for which the userid/alias has a valid network connection. System-generated passwords and password splitting can be enabled. Automatic password expiration with first logon and a defined owner of password changes make this product very helpful in meeting and maintaining user authentication standards.

XYGATE CMON facilitates your security and access control, as well as system performance needs. XYGATE offers a fully supported $CMON process with:
- Auditing of pre-logon Guardian userids and aliases
- Terminal device logon restrictions
- Double logon to sensitive userids
- Parameter customization by userid
- Access control by TCP/IP address or ASYNC/LAN address
- Complete end-to-end program execution audits

STANDARD 164.312(e) - Transmission Security. Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
IMPLEMENTATIONS: REQUIRED; ADDRESSABLE
ADDRESSABLE - Integrity Controls. Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.
ADDRESSABLE - Encryption. Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.

XYPRO Solutions

XYGATE File Encryption & Key Management allows encryption of files, both stored on the system and in transit. It features support for multiple platforms (NonStop, Windows, Unix, OS390, etc.) and multiple file formats (binary, ASCII and EBCDIC data).

XYGATE Session Encryption provides end-to-end encryption to protect privacy for many types of sessions: between your NonStop Servers, and between your NonStop Servers and their network-connected PCs and other computer platforms as well. Supported are:
- Interactive sessions using Telnet, Multi-LAN, RS232, Async, 6530 or ASCII emulation
- Transaction sessions using bulk transfer products like ODBC, TOP and RSC
- FTP sessions using dual channels, one for data and another for commands, userids and passwords
- NonStop Windows sessions performing crypto proxy services, as done using SSL mechanisms with SafeTGate

XYGATE Encryption Software Developer Kit (/ESDK) provides APIs to encryption-enable your own applications, databases and communications. It includes support for DES, triple DES and a variety of other algorithms, as well as key mechanisms. XYGATE /ESDK is usable across multiple platforms and includes a digital signature mechanism to ensure data is unaltered during transmission.

CONCLUSIONS

The effort of any one company to become HIPAA compliant will depend on many factors. The size of a company, the management philosophy, and the current state of security policies and procedures are very important considerations in starting such an effort. But if an environment includes NonStop Servers, the XYGATE suite of security tools will ease the transition into the secure environment that HIPAA compliance will require. Regulations like HIPAA bring more pressure on IT management to incorporate products like XYPRO's to bring systems into a best-practice mode, which is just not possible with the native GUARDIAN security environment. The continued protection of company assets like NonStop Servers and the data they contain, as well as satisfying the demands of auditors, make the use of security-enhancing products like XYGATE increasingly valuable.

DISCLAIMER

XYPRO has designed this document primarily as educational. Readers should note that this document has not received endorsement from any standard-setting body. Issues discussed in this paper will evolve over time. Accordingly, companies should seek counsel and appropriate advice from their risk advisors and/or auditors. In determining the propriety of any specific procedure or test, the IT professional should apply his or her own professional judgment to the specific control circumstances presented by the particular systems or information technology environment.

XYPRO makes no representation or warranties and provides no assurances that an organization's use of this document or XYGATE products will result in full compliance with the requirements of the act. Internal controls, whether automated or manual, no matter how well designed and operated, can provide only reasonable assurance of achieving security control objectives. The likelihood of achievement is affected by limitations inherent to internal control. These include the realities that human judgment in decision-making can be faulty and that breakdowns in internal control can occur because of human factors such as errors or inappropriate override of internal controls.

PRODUCT TABLE

XYGATE products are available in convenient packages or individually, as listed in the following table.

NonStop Server Platform Security Solutions

Product: XYGATE /AC - Access Control
Description: Enables administrators to grant privileges to NonStop staff according to job function. XYGATE /AC extends native NonStop security into the area of actions, where security is based on what a user does, providing keystroke auditing of sessions initiated in both Guardian and OSS environments.
HIPAA Standards: 164.312(a)(1) Access Control; 164.312(c) Integrity

Product: XYGATE /CM - (Fully Supported) CMON
Description: Facilitates your security and access control needs, as well as system performance needs. This fully supported $CMON process supplies auditing of pre-logon Guardian userids or aliases, terminal device logon restrictions, double logon to sensitive userids and parameter customization by userid. Port entries in the CMACL file control access based on TCP/IP address as well as ASYNC/LAN address. XYGATE /CM permits complete end-to-end program execution audits, and placement and use of resources specified by user, requesting program, and other criteria. It gives you the ability to make virtually all processes follow $CMON directives on CPU use and priority.
HIPAA Standards: 164.308(a)(1) Security Management; 164.312(a)(1) Access Control; 164.312(c) Integrity; 164.312(d) Person or Entity Authentication

Product: XYGATE /MA - Merged Audit
Description: Integrates many audit trails across multiple NonStop nodes into a single source for audit information. Pre-formatted reports provide the most commonly requested data, and you can create custom reports with timely mixes of information from Safeguard, Measure, EMS and all XYGATE security products. XYGATE /MA also supports automatic alerts, sending messages to a designated EMS process, a third-party IP monitor or any email addresses you choose.
HIPAA Standards: 164.306 Security Standards: General Rules; 164.308(a)(1) Security Management; 164.312(a)(1) Access Control; 164.312(c) Integrity; 164.312(d) Person or Entity Authentication

Product: XYGATE /OS - Dynamic Object Security
Description: Brings to HP NonStop servers a dynamic, pattern-oriented method of Access Control List security for objects. Rules based on many characteristics, including object name, Safeguard alias and userid, extend the ability to govern the use of operational privileges beyond Read, Write, Execute and Purge, to include Rename, License, PROGID and the entire operations set supported by NonStop servers.
HIPAA Standards: 164.312(c) Integrity

XYGATE/PQ - Password Quality
Description: Easily sets and enforces rules to govern password characteristics, systematically standardizing and strengthening passwords for NonStop server support staff. Rules can be pre-specified for any combination of eight different quality characteristics. Alternatively, a random system-generated password can be applied. Updating network passwords across all nodes, automatic expiration at initial logon, password splitting, and warning-mode operation are some of the other standard features.
HIPAA Standards: 164.312(a)(1) Access Control; 164.312(d) Person or Entity Authentication

XYGATE/PC - Process Control
Description: Implements the same type of assignable privileges to control the running of processes as XYGATE/AC supplies for interacting with those processes. XYGATE/PC can be configured to allow a non-privileged userid to STOP, DEBUG, ALTPRI, SUSPEND, and ACTIVATE any other user's running process. Additional keyword-based controls can be placed in the PCACL file to qualify processes by name, owner, hometerm, cpu, and object file name. Unlike the TACL process control commands, XYGATE/PC allows users to manipulate processes using wildcard selection criteria.
HIPAA Standards: 164.312(a)(1) Access Control; 164.312(c) Integrity; 164.312(d) Person or Entity Authentication

XYGATE/SM - Safeguard Manager
Description: Enables management of NonStop server security via a familiar and friendly Windows interface, streamlining administration of Safeguard global settings, users and aliases as well as object ACLs. This product is simple to use yet versatile enough to meet such security administrator needs as research by object or subject, and changes applied to a single NonStop node or to many nodes at once. XYGATE/SM's form-based screens allow the security manager to focus on what needs to be done rather than how to do it.
HIPAA Standards: 164.312(a)(1) Access Control; 164.312(c) Integrity; 164.312(d) Person or Entity Authentication

XYGATE/SR - Safeguard Reports
Description: Bypasses the arcane and cumbersome syntax, the lack of formatting options and the inflexibility of traditional reporting tools. XYGATE/SR streamlines security audit reporting for Safeguard activity with flexibility and ease. This product provides a full range of pre-formatted reports containing just the information you need, and you can select the content of those reports in a user-friendly "check this box" fashion.
HIPAA Standards: 164.312(c) Integrity; 164.312(d) Person or Entity Authentication

XYGATE/SP - Spooler Manager, Peruse & Archive
Description: Lets you manage the attributes of NonStop server print jobs and control your spooler via a single utility. XYGATE/SP also provides Archive and Compare capabilities. Access is based on job function, without the need to use a SUPER userid.
HIPAA Standards: 164.312(a)(1) Access Control; 164.312(e) Transmission Security

XYGATE/SW - Security Compliance Wizard
Description: Streamlines efforts to establish, monitor and report on compliance with your information security policy. XYGATE/SW comes preconfigured with all the Best Practices from the definitive reference manual for securing NonStop servers. Using reports revealing how your system security configurations differ from the Best Practice policy base, you can create or modify rules to fit your company's current situation and security policy. Automatically batched collection cycles help you track the implementation of security policies across major events like system upgrades, application deployment, etc.
HIPAA Standards: 163.306 Security Standards: General Rules

XYGATE/UA - User Authentication
Description: Supports greater flexibility and control, providing more effective and streamlined user authentication. XYGATE/UA brings to the NonStop server environment such industry-best authentication capabilities as multi-factor authentication, logon-specific audit reporting and sophisticated logon error management options at the individual userid level.
HIPAA Standards: 164.312(a)(1) Access Control; 164.312(c) Integrity; 164.312(d) Person or Entity Authentication

Multi-Platform Encryption Solutions

XYGATE/EF - Encrypted FTP & Site Security
Description: Adds protections to FTP, making it easy to encrypt both the data and command channels for transmissions from NonStop server to NonStop server as well as between NonStop servers and other system types. XYGATE/EF supports both triple DES and SSL, streamlining key exchange and certificate issues. It also enables you to restrict access to commands and file locations on NonStop server FTP sites to authorized users only.
HIPAA Standards: 164.312(a) Access Control; 164.312(c) Integrity; 164.312(e) Transmission Security

XYGATE/KM - Encryption Key Management
Description: Automates most key management functions and requires no expertise with encryption algorithms. XYGATE/KM supports a variety of key types with centralized static key management for NonStop servers and a subset of functions for endpoints running on NonStop, OS390, Windows, HPUX and Solaris systems.
HIPAA Standards: 164.312(a) Access Control; 164.312(c) Integrity; 164.312(e) Transmission Security

XYGATE/ESDK - Encryption Software Developer Kit
Description: Provides a simple, API-based solution for incorporating strong encryption into your applications, communications and databases. Crypto mechanisms have been tested and proven effective through scrutiny by the cryptographic community and wide industrial use on a variety of computer platform types.
HIPAA Standards: 164.312(a) Access Control; 164.312(c) Integrity; 164.312(e) Transmission Security

XYGATE/FE - File Encryption
Description: Protects the privacy of file data in-house and in transit. XYGATE/FE runs on multiple computer platforms and may be deployed with fixed encryption keys or with XYGATE/KM for centralized static key management.
HIPAA Standards: 164.312(a) Access Control; 164.312(c) Integrity; 164.312(e) Transmission Security

XYGATE/SE - Session Encryption
Description: Composed of related client and server components, XYGATE/SE provides encryption for just about any type of communications between two computer systems, including interactive sessions, transaction sessions and file transfer sessions.
HIPAA Standards: 164.312(a) Access Control; 164.312(c) Integrity; 164.312(e) Transmission Security
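The XYGATE/OS and XYGATE/AC descriptions in the table rest on two ideas: access rules keyed on an object-name pattern together with a userid or alias, and an operation set wider than Read/Write/Execute/Purge, with every decision recorded for audit. The Go program below is an added illustration of that model and is not XYGATE code. The rule semantics (deny by default, an explicit deny wins over any allow), the policy for a hypothetical $DATA.PATIENT subvolume and the userids CLINIC.NURSE, SECURITY.ADMIN and TEMP.CONTRACTOR are all constructed for the example; the operation names are the ones the table mentions.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// Operation set beyond Read/Write/Execute/Purge, named as in the table above.
var operations = map[string]bool{
	"READ": true, "WRITE": true, "EXECUTE": true, "PURGE": true,
	"RENAME": true, "LICENSE": true, "PROGID": true,
}

// Rule grants or denies Ops to one subject (a userid or alias, "*" for any)
// on every object whose name matches the wildcard Pattern.
type Rule struct {
	Pattern string
	Subject string
	Ops     []string
	Allow   bool
}

// AuditRecord is written for every decision, rejected requests included, so
// the access check itself produces the activity record that audit review needs.
type AuditRecord struct {
	Subject, Object, Op string
	Allowed             bool
	Rule                int // index of the deciding rule; -1 when none matched
}

type ObjectSecurity struct {
	Rules []Rule
	Audit []AuditRecord
}

func (r Rule) covers(op string) bool {
	for _, o := range r.Ops {
		if o == op {
			return true
		}
	}
	return false
}

// Check evaluates one request. Access is denied unless an allow rule matches,
// and an explicit deny rule wins over any allow rule regardless of order.
func (s *ObjectSecurity) Check(userid string, aliases []string, object, op string) (allowed bool, err error) {
	op, deciding := strings.ToUpper(op), -1
	defer func() {
		s.Audit = append(s.Audit, AuditRecord{userid, object, op, allowed, deciding})
	}()
	if !operations[op] {
		return false, fmt.Errorf("unknown operation %q", op)
	}
	subjects := map[string]bool{userid: true}
	for _, a := range aliases {
		subjects[a] = true
	}
	for i, rule := range s.Rules {
		if (rule.Subject != "*" && !subjects[rule.Subject]) || !rule.covers(op) {
			continue
		}
		match, err := filepath.Match(strings.ToUpper(rule.Pattern), strings.ToUpper(object))
		if err != nil {
			return false, fmt.Errorf("bad pattern %q: %w", rule.Pattern, err)
		}
		if !match {
			continue
		}
		allowed, deciding = rule.Allow, i
		if !rule.Allow {
			break
		}
	}
	return allowed, nil
}

// PatientDataPolicy is a constructed policy for a hypothetical subvolume
// $DATA.PATIENT: clinical staff read and write, only a security administrator
// may license, PROGID or rename, and a contractor alias is explicitly denied.
func PatientDataPolicy() *ObjectSecurity {
	return &ObjectSecurity{Rules: []Rule{
		{"$DATA.PATIENT.*", "CLINIC.NURSE", []string{"READ", "WRITE"}, true},
		{"$DATA.PATIENT.*", "SECURITY.ADMIN", []string{"LICENSE", "PROGID", "RENAME"}, true},
		{"$DATA.PATIENT.*", "TEMP.CONTRACTOR", []string{"WRITE", "PURGE"}, false},
	}}
}

func main() {
	p := PatientDataPolicy()
	ok, _ := p.Check("CLINIC.NURSE", nil, "$DATA.PATIENT.VISITS", "READ")
	fmt.Println("nurse READ:", ok)
	ok, _ = p.Check("CLINIC.NURSE", []string{"TEMP.CONTRACTOR"}, "$DATA.PATIENT.VISITS", "WRITE")
	fmt.Println("nurse with contractor alias WRITE:", ok)
	fmt.Printf("%+v\n", p.Audit)
}
```

filepath.Match supplies the wildcard matching. The audit slice records denied requests and unknown operations as well as grants, which is what the information system activity review under 164.308(a)(1) needs to see: a subject who holds an allowed userid but also carries a denied alias is refused, and that refusal is the record that shows the control working.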
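XYGATE/PQ is described as enforcing a chosen combination of password quality characteristics, offering a random system-generated password as an alternative, and running in warning mode. The Go program below is an added example of those three behaviours and is not XYGATE/PQ's code: the particular characteristics and their names, the CLINIC.NURSE userid and the sample passwords are assumptions made for the illustration.

```go
package main

import (
	"crypto/rand"
	"fmt"
	"math/big"
	"strings"
	"unicode"
)

// Policy is a constructed password-quality rule set (not XYGATE/PQ's own):
// one field per characteristic; a zero value means that rule is not enforced.
type Policy struct {
	MinLength, MinUpper, MinLower, MinDigits, MinSpecial int
	MaxRepeatRun int  // longest run of one repeated character allowed
	ForbidUserID bool // no userid component (CLINIC, NURSE) inside the password
	WarnOnly     bool // warning mode: report violations but still accept
}

// Check reports whether the candidate may be set and names every characteristic
// it violates. In warning mode it is accepted anyway, but the list still comes
// back so the violations can be logged and reported.
func (p Policy) Check(userid, pw string) (accepted bool, violations []string) {
	var upper, lower, digits, special, run, longest int
	var prev rune
	for _, r := range pw {
		switch {
		case unicode.IsUpper(r):
			upper++
		case unicode.IsLower(r):
			lower++
		case unicode.IsDigit(r):
			digits++
		case unicode.IsPunct(r) || unicode.IsSymbol(r):
			special++
		}
		if r != prev {
			run = 0
		}
		if run++; run > longest {
			longest = run
		}
		prev = r
	}
	for _, c := range []struct {
		name string
		bad  bool
	}{
		{"length", len([]rune(pw)) < p.MinLength},
		{"uppercase", upper < p.MinUpper},
		{"lowercase", lower < p.MinLower},
		{"digits", digits < p.MinDigits},
		{"special", special < p.MinSpecial},
		{"repeat-run", p.MaxRepeatRun > 0 && longest > p.MaxRepeatRun},
		{"contains-userid", p.ForbidUserID && containsPart(pw, userid)},
	} {
		if c.bad {
			violations = append(violations, c.name)
		}
	}
	return p.WarnOnly || len(violations) == 0, violations
}

// containsPart: does a dot-separated userid component of 3+ characters appear in pw (ignoring case)?
func containsPart(pw, userid string) bool {
	for _, part := range strings.Split(strings.ToUpper(userid), ".") {
		if len(part) >= 3 && strings.Contains(strings.ToUpper(pw), part) {
			return true
		}
	}
	return false
}

// Generate returns a system-generated password of MinLength characters, drawn
// uniformly with crypto/rand and re-drawn until it satisfies the whole policy.
func (p Policy) Generate(userid string) (string, error) {
	const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#$%&*+-=?@^_"
	for attempt := 0; attempt < 200; attempt++ {
		buf := make([]byte, p.MinLength)
		for i := range buf {
			k, err := rand.Int(rand.Reader, big.NewInt(int64(len(alphabet))))
			if err != nil {
				return "", err
			}
			buf[i] = alphabet[k.Int64()]
		}
		if _, v := p.Check(userid, string(buf)); len(v) == 0 {
			return string(buf), nil
		}
	}
	return "", fmt.Errorf("no compliant password generated for %s", userid)
}

func main() {
	p := Policy{MinLength: 12, MinUpper: 1, MinLower: 1, MinDigits: 1, MinSpecial: 1, MaxRepeatRun: 2, ForbidUserID: true}
	ok, v := p.Check("CLINIC.NURSE", "nurse1111")
	fmt.Println("nurse1111 accepted:", ok, "violations:", v)
	fmt.Println(p.Generate("CLINIC.NURSE"))
}
```

Generation uses rejection sampling against the full policy rather than assembling the password class by class, so every compliant password of the given length is equ
ally likely; the attempt bound turns a policy that no password can satisfy into an error instead of an endless loop. Warning mode is the same check with the verdict forced to accept, which is why the violation list is returned separately from the verdict.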
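The encryption products in the table are all mapped to Access Control, Integrity and Transmission Security, and XYGATE/FE is described as taking its keys either fixed or from XYGATE/KM's central store. The Go program below is an added example of what that key-manager-plus-file-encryption pairing looks like with a modern authenticated cipher; it is not XYPRO code, and the key store interface, the file header layout, the key id phi-files and the use of AES-256-GCM are assumptions made for the example (the table's products mention triple DES and SSL, not GCM).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
	"io"
)

// KeyStore is a constructed stand-in for a central key manager (not XYGATE/KM):
// keys are addressed by id and version; only the newest version encrypts, and
// older versions stay available so files protected earlier still decrypt.
type KeyStore struct {
	keys    map[string][]byte // "id/version" -> 256-bit key material
	current map[string]uint32 // key id -> newest version
}

func NewKeyStore() *KeyStore { return &KeyStore{map[string][]byte{}, map[string]uint32{}} }

func keyName(id string, ver uint32) string { return fmt.Sprintf("%s/%d", id, ver) }

// Constructed file layout: 1-byte id length | id | 4-byte version | 12-byte nonce | AES-GCM output.
const nonceLen = 12

// Rotate creates a fresh random key under id and makes it the current version.
func (ks *KeyStore) Rotate(id string) (uint32, error) {
	material := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, material); err != nil {
		return 0, err
	}
	ver := ks.current[id] + 1
	ks.keys[keyName(id, ver)] = material
	ks.current[id] = ver
	return ver, nil
}

// aead returns the AES-GCM instance for one key version; a missing version
// yields nil key material, which aes.NewCipher rejects.
func (ks *KeyStore) aead(id string, ver uint32) (cipher.AEAD, error) {
	block, err := aes.NewCipher(ks.keys[keyName(id, ver)])
	if err != nil {
		return nil, fmt.Errorf("no usable key %s: %w", keyName(id, ver), err)
	}
	return cipher.NewGCM(block)
}

// Encrypt protects plaintext under the current version of key id. The header is
// passed as additional authenticated data, so id, version and nonce are covered
// by the authentication tag along with the data itself.
func Encrypt(ks *KeyStore, id string, plaintext []byte) ([]byte, error) {
	ver, ok := ks.current[id]
	if !ok || len(id) > 255 {
		return nil, fmt.Errorf("no usable key under id %q", id)
	}
	g, err := ks.aead(id, ver)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, nonceLen)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	header := append([]byte{byte(len(id))}, id...)
	header = binary.BigEndian.AppendUint32(header, ver)
	header = append(header, nonce...)
	return g.Seal(append([]byte(nil), header...), nonce, plaintext, header), nil
}

// ParseHeader returns the key id, version and header length of an encrypted blob.
func ParseHeader(blob []byte) (id string, ver uint32, hdrLen int, err error) {
	if len(blob) < 1 || len(blob) < 1+int(blob[0])+4+nonceLen {
		return "", 0, 0, fmt.Errorf("truncated header")
	}
	n := int(blob[0])
	return string(blob[1 : 1+n]), binary.BigEndian.Uint32(blob[1+n:]), 1 + n + 4 + nonceLen, nil
}

// Decrypt looks up the key named in the header and fails on any alteration of
// header or data: the corroboration that 164.312(c) asks for.
func Decrypt(ks *KeyStore, blob []byte) ([]byte, error) {
	id, ver, hdrLen, err := ParseHeader(blob)
	if err != nil {
		return nil, err
	}
	g, err := ks.aead(id, ver)
	if err != nil {
		return nil, err
	}
	if pt, err := g.Open(nil, blob[hdrLen-nonceLen:hdrLen], blob[hdrLen:], blob[:hdrLen]); err == nil {
		return pt, nil
	}
	return nil, fmt.Errorf("integrity check failed: file altered or wrong key")
}

func main() {
	ks := NewKeyStore()
	ks.Rotate("phi-files")
	blob, _ := Encrypt(ks, "phi-files", []byte("constructed sample record"))
	fmt.Println(Decrypt(ks, blob))
}
```

Because the header is supplied as additional authenticated data, changing the key id, version or nonce recorded in a stored file fails the tag check exactly as altering the ciphertext does. Rotation adds a new version without discarding old ones, so a file written under version 1 still opens after the store has moved to version 2, while every new file is sealed with the newest key; that separation of "may decrypt" from "may encrypt" is the part of centralized key management that a fixed-key deployment cannot offer.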

APPENDIX A: EXCERPTS FROM HIPAA

164.306 SECURITY STANDARDS: GENERAL RULES

(a) General requirements. Covered entities must do the following:
  (1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.
  (2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.
  (3) Protect against any reasonably anticipated uses or disclosures of such information that are not permitted or required under subpart E of this part.
  (4) Ensure compliance with this subpart by its workforce.

(b) Flexibility of approach.
  (1) Covered entities may use any security measures that allow the covered entity to reasonably and appropriately implement the standards and implementation specifications as specified in this subpart.
  (2) In deciding which security measures to use, a covered entity must take into account the following factors:
    (i) The size, complexity, and capabilities of the covered entity.
    (ii) The covered entity's technical infrastructure, hardware, and software security capabilities.
    (iii) The costs of security measures.
    (iv) The probability and criticality of potential risk to electronic protected health information.

(c) Standards. A covered entity must comply with the standards as provided in this section and in 164.308, 164.310, 164.312, 164.314, and 164.316 with respect to all electronic protected health information.

(d) Implementation specifications. In this subpart:
  (1) Implementation specifications are required or addressable. If an implementation specification is required, the word "Required" appears in parentheses after the title of the implementation specification. If an implementation specification is addressable, the word "Addressable" appears in parentheses after the title of the implementation specification.
  (2) When a standard adopted in 164.308, 164.310, 164.312, 164.314, or 164.316 includes required implementation specifications, a covered entity must implement the implementation specifications.
  (3) When a standard adopted in 164.308, 164.310, 164.312, 164.314, or 164.316 includes addressable implementation specifications, a covered entity must--
    (i) Assess whether each implementation specification is a reasonable and appropriate safeguard in its environment, when analyzed with reference to the likely contribution to protecting the entity's electronic protected health information; and
    (ii) As applicable to the entity--
      (A) Implement the implementation specification if reasonable and appropriate; or
      (B) If implementing the implementation specification is not reasonable and appropriate--
        (1) Document why it would not be reasonable and appropriate to implement the implementation specification; and
        (2) Implement an equivalent alternative measure if reasonable and appropriate.

(e) Maintenance. Security measures implemented to comply with standards and implementation specifications adopted under 164.105 and this subpart must be reviewed and modified as needed to continue provision of reasonable and appropriate protection of electronic protected health information as described at 164.316.

164.308 - ADMINISTRATIVE SAFEGUARDS

164.308(a)(1) - Security Management Process. Implement policies and procedures to prevent, detect, contain, and correct security violations.
  (R) [REQUIRED] Risk Analysis. Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity.
  (R) [REQUIRED] Risk Management. Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 164.306(a).
  (R) [REQUIRED] Sanction Policy. Apply appropriate sanctions against workforce members who fail to comply with the security policies and procedures of the covered entity. (Statements regarding disciplinary actions that are communicated to all employees, agents, and contractors; for example, verbal warning, notice of disciplinary action placed in personnel files, removal of system privileges, termination of employment and contract penalties.)
  (R) [REQUIRED] Information System Activity Review. Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports.

164.308(a)(5) - Security Awareness. Implement a security awareness and training program for all members of its workforce (including management).
  (A) [ADDRESSABLE] Security Reminders. Implement periodic security updates.
  (A) [ADDRESSABLE] Protection from Malicious Software. Implement procedures for guarding against, detecting, and reporting malicious software.
  (A) [ADDRESSABLE] Log-In Monitoring. Implement procedures for monitoring log-in attempts and reporting discrepancies.
  (A) [ADDRESSABLE] Password Management. Implement procedures for creating, changing, and safeguarding passwords.

164.312 - TECHNICAL SAFEGUARDS

164.312(a)(1) Access Control. Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in 164.308(a)(4).
  (R) [REQUIRED] Unique User Identifier. Assign a unique name and/or number for identifying and tracking user identity.
  (R) [REQUIRED] Emergency Access Procedure. Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.
  (A) [ADDRESSABLE] Automatic Logoff. Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
  (A) [ADDRESSABLE] Encryption and Decryption. Implement a mechanism to encrypt and decrypt electronic protected health information.

164.312(b) Audit Controls. Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

164.312(c) Integrity. Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
  (A) [ADDRESSABLE] Mechanism to Authenticate Electronic Protected Health Information. Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.

164.312(d) Person or Entity Authentication. Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
  (R) [REQUIRED] Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.

164.312(e) Transmission Security. Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network.
  (A) [ADDRESSABLE] Integrity Controls. Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.
  (A) [ADDRESSABLE] Encryption. Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.