Achieving HIPAA Security Rule Compliance with Lumension Solutions


Healthcare organizations face a host of HIPAA Security Rule compliance challenges with the move to put patient medical records online. Lumension helps organizations address these compliance challenges by providing the proactive risk management and the required audit readiness to meet many aspects of the HIPAA Security Rule.

March 2009
WP-EN-03-30-09

What Is It?

The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act (HIPAA) established standards for the privacy and security of protected health information, inter alia. The Security Rule is focused on protecting the confidentiality, integrity, and availability of electronic protected health information (EPHI) which is created, received, maintained, or transmitted by any covered entity against reasonably anticipated threats, hazards, and impermissible uses and/or disclosures. And, by meeting the Security Rule for EPHI, covered entities will also meet the EPHI requirements of the Privacy Rule; the Security Rule is more comprehensive than, and includes a level of detail not in, the Privacy Rule.

Who Has To Comply

In general, the security rules of HIPAA apply to the following covered entities:

- Covered Healthcare Providers: Any provider of medical or other health services which maintains and/or transmits any health information.
- Health Plans: Any individual or group plan that provides or pays the cost of medical care (e.g., a health insurance company or Medicare / Medicaid programs).
- Healthcare Clearinghouses: Any organization that processes another entity's healthcare transactions (e.g., payment or reimbursement systems).
- Medicare Prescription Drug Card Sponsors: Any non-governmental entity that offers an endorsed discount drug program.

Figure 1. HIPAA Components (structure recovered from the figure):

HIPAA, Health Insurance Portability and Accountability Act of 1996
  Title I: Health Care Access, Portability, and Renewability
  Title II: Preventing Health Care Fraud and Abuse; Medical Liability Reform; Administrative Simplification
  Title III: Tax-Related Health Provision
  Title IV: Group Health Plan Requirements
  Title V: Revenue Offsets
  Administrative Simplification
    Electronic Data Interchange: Transactions, Identifiers, Code Sets
    Privacy
    Security: Security Standards: General Rules; Administrative Safeguards; Physical Safeguards; Technical Safeguards; Organizational Requirements; Policies and Procedures and Documentation Requirements

What Are the Standards?

The HIPAA Security Rule is comprised of six main sections. Each of these consists of several standards and implementation specifications which must be addressed, including:

- Security Standards: General Rules includes the general requirements all covered entities must meet to ensure reasonable and appropriate protection of EPHI.
- Administrative Safeguards are defined as the administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity's workforce in relation to the protection of that information. [1]
- Physical Safeguards are defined as the physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment from natural and environmental hazards, and unauthorized intrusion. [2]
- Technical Safeguards are defined as the technology and the policy and procedures for its use that protect electronic protected health information and control access to it. [3]
- Organizational Requirements includes standards to ensure appropriate safeguards are in place at business associates and others who share EPHI. [4]
- Policies and Procedures and Documentation Requirements ensures that covered entities have formal plans (i.e., policies, procedures and documentation) in place for the reasonable and appropriate implementation of EPHI security. [4]

Each one of these safeguards consists of any number of standards; these in turn include any number of implementation specifications that are either required or addressable. If required, the covered entity must implement policies and/or procedures which meet the implementation specification requirements. If addressable, the covered entity must assess whether the specification is a reasonable and appropriate safeguard in its environment; if not, it must implement an equivalent alternative measure.

1. For additional information, please see http://www.cms.hhs.gov/educationmaterials/downloads/securitystandardsadministrativesafeguards.pdf
2. For additional information, please see http://www.cms.hhs.gov/educationmaterials/downloads/securitystandardsphysicalsafeguards.pdf
3. For additional information, please see http://www.cms.hhs.gov/educationmaterials/downloads/securitystandardstechnicalsafeguards.pdf
4. For additional information, please see http://www.cms.hhs.gov/educationmaterials/downloads/securitystandardsorganizationalpolicies.pdf

The HIPAA Security Rule [5] mentions several documents from the National Institute of Standards and Technology (NIST) as being potentially helpful, but not mandatory, for compliance. In October 2008, NIST published Special Publication 800-66 Revision 1, "An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule". [6] It is designed to help a) educate readers about information security terms used in the HIPAA Security Rule, b) facilitate understanding of the security standards set out in the Security Rule, and c) direct readers to other helpful NIST publications relevant to individual topics addressed in the Security Rule.

Two important side notes need to be made:

- State laws that are contrary to the Privacy Rule and Security Rule are preempted by the Federal requirements, unless a specific exception applies. [7]
- Records protected by the Family Educational Rights and Privacy Act (FERPA) are specifically excluded from the HIPAA Privacy Rule. This exception for records covered by FERPA applies both to the HIPAA Privacy and Security Rules, because the Security Rule applies to a subset of the information covered by the Privacy Rule (i.e., electronic PHI). [8]

The Challenges of Compliance

The move to managed care, the need to track patient medical records, and the proposals around universal medical record systems and absolute patient portability have all brought new and complex technologies, processes and relationships into the healthcare arena. These create a number of compliance challenges with respect to the HIPAA Security Rule, including:

Protecting Against Targeted Attacks. Sophisticated criminal networks are targeting medical institutions, where data theft is increasing faster than retail or banking data thefts. [9] These cyber attacks exploit known security flaws for which a remediation is available 90% of the time. Protecting against known vulnerabilities and malware (viruses, trojans, et cetera) is hard enough; it's even harder when dealing with unknown threats introduced via unauthorized applications.

Preventing Data Loss and/or Theft. There is a need to share medical data: to provide better care as patients see specialists; to spot and address public health issues; or to allow for research. However, the risk of accidental or malicious disclosure of patient health information must be mitigated, especially if it poses a risk of identity theft or other substantial harm to an individual such as embarrassment, inconvenience, unfairness, harm to reputation or the potential for harassment or prejudice, particularly when health or financial benefits information is involved. [10]

Enforcing Security Policy. EPHI security requires a coherent and comprehensive strategy, supported by a framework of appropriate policies and technical controls. These controls must proactively enforce the security policy rather than relying on goodwill adherence.

Preparing for Audits. Ever since the first HIPAA Security Rule audit of Atlanta's Piedmont Hospital in March 2007, [11] and the more recent finding by the US Department of Health and Human Services (HHS) Office of Inspector General (OIG) that the Centers for Medicare and Medicaid Services (CMS) "had taken limited actions to ensure that covered entities adequately implemented the [HIPAA] Security Rule [and] had not provided effective oversight or encouraged enforcement of the HIPAA Security Rule by covered entities," [12] the healthcare industry has been on edge. The message is clear: covered entities must be prepared to face compliance audits. [13]

Lowering IT Costs. Like everyone else in these trying economic times, healthcare organizations are having to do more with less. Hence, in addition to supporting the needs of staff and patients and delivering more aggressive IT service levels, it is important to maintain focus on IT costs, encompassing purchase, implementation, maintenance, and on-going operations.

5. Federal Register / Vol. 68, No. 34 / Thursday, February 20, 2003 / Rules and Regulations
6. See http://csrc.nist.gov/publications/nistpubs/800-66-rev1/sp-800-66-revision1.pdf
7. For more information, see 45 C.F.R. Part 160, Subpart B.
8. See Joint Guidance on the Application of the Family Educational Rights and Privacy Act (FERPA) And the Health Insurance Portability and Accountability Act of 1996 (HIPAA) To Student Health Records, published by the HHS and DOE (Nov-08) (http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/hipaaferpajointguide.pdf)
9. Poremba, Sue Marquette. Medical identity thefts on the rise. SC Magazine (August 25, 2008). http://www.scmagazineus.com/medical-identity-thefts-on-the-rise/article/115880/
10. 5 U.S.C. 552a(e)(10)
11. Vijayan, Jaikumar. HIPAA audit at hospital riles health care IT. Computerworld (June 15, 2007). http://www.computerworld.com/action/article.do?command=viewarticlebasic&articleid=9024921
12. Audit (A-04-07-05064) entitled Nationwide Review of the Centers for Medicare & Medicaid Services Health Insurance Portability and Accountability Act of 1996 Oversight, dated 10-27-2008. See http://www.oig.hhs.gov/oas/reports/region4/40705064.asp
13. Suggested reading: Rishel et al. Refresh HIPAA Security Assessments to Prepare for More-Proactive Audits. Gartner Research ID Number: G00157353 (24 April 2008)

Lumension's security management software addresses these compliance challenges by delivering vulnerability management, data protection and endpoint protection solutions which provide the proactive risk management and the required audit readiness to meet many aspects of the HIPAA Security Rule:

- Complete asset identification of both managed and unmanaged assets
- Proactive monitoring of security configurations
- Full control over data flows to removable devices / media, with forced encryption to protect EPHI
- Prevention of malware downloading and/or executing on network assets

Taken together, these capabilities can help protect against targeted attacks, prevent data loss or theft, enforce security policies, prepare organizations for compliance audits, and lower the cost of IT security. To get a more complete understanding of how Lumension's security management software solutions can help healthcare organizations address the HIPAA Security Rule requirements, please see Appendix A.

Compliance Timeline

The Privacy Rule compliance deadline for all covered entities except for small health plans [14] was April 2003; for small health plans it was April 2004. The Security Rule compliance deadline for all covered entities except for small health plans was April 2005; for small health plans it was April 2006. [15]

In February 2006 the US Department of Health and Human Services (HHS) published the final Enforcement Rule. This established the rules and procedures for the imposition of civil penalties on organizations which violate standards of the HIPAA Administrative Simplification provisions. It became effective in March 2006. [16]

14. Defined as a health plan with annual receipts of not more than $5 million (45 C.F.R. 160.103)
15. http://www.cms.hhs.gov/hipaageninfo/downloads/hipaacompliancedeadlines.pdf
16. http://www.cms.hhs.gov/enforcement/03_enforcementregulation.asp

Financial Implications

The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) is responsible for enforcing HIPAA regulations; this is because the right of privacy of medical records is considered a fundamental civil right. In order to put more teeth into the civil penalties, the OCR enforces the civil side and the Department of Justice (DOJ) enforces the criminal side. The civil penalties are not more than $100 for each violation and not more than $25,000 for all violations of identical type during a single calendar year. [17] Improperly obtaining or disclosing individual health information, or improper use of unique health identifiers, is subject to the following criminal penalties: [18]

Offense                         Fine        Prison
Knowingly                       $50,000     1 Year
False Pretenses                 $100,000    5 Years
For Profit, Gain, or Harm       $250,000    10 Years

As previously mentioned, enforcement of HIPAA regulations is picking up steam. In fact, the recently signed stimulus package contains significant additions to HIPAA. The new rules include a breach notification law, forcing healthcare providers to provide notification to individuals, and via prominent media outlets if more than 500 people are impacted by a breach. In addition, stricter enforcement and penalties are included, and it authorizes State Attorneys General to bring a civil action in federal District Court against individuals who violate HIPAA.

17. http://www.cms.hhs.gov/enforcement/downloads/civilmoneypenalties.pdf
18. 42 U.S.C. 1320d-6

Appendix A: HIPAA Security Rule Cross Reference

The HIPAA Security Rule consists of three safeguards and two general requirements (Administrative Safeguards, Physical Safeguards, Technical Safeguards, Organizational Requirements, and Policies and Procedures and Documentation Requirements). In all, these encompass 22 Standards and 42 Implementation Specifications, of which 20 are Required and 22 are Addressable. Required Implementation Specifications are those for which the covered entity must implement policies and/or procedures which meet the implementation specification requirements. Addressable Implementation Specifications are those for which the covered entity must assess whether the specification is a reasonable and appropriate safeguard in its environment; if not, it must implement an equivalent alternative measure. Standards without additional Implementation Specifications are also considered required.

The following matrix focuses on how Lumension's security management software solutions can help healthcare organizations address the Standards and Implementation Specifications found in the Administrative Safeguards, Physical Safeguards, Technical Safeguards, and Policies and Procedures and Documentation Requirements areas. The remaining area (Organizational Requirements), while important, is not covered as Lumension does not provide additive value in this area for achieving compliance. In the matrix, each Implementation Specification is marked (R) for Required or (A) for Addressable; N/A indicates that no Lumension solution applies.

Administrative Safeguards

164.308(a)(1) Security Management Process

Risk Analysis (R): Understand your current risk profile:
- Use the free Lumension Vulnerability / Device Application Scanners to scan and analyze your entire network.
- Use Lumension Scan to scan your entire network for known vulnerabilities and prioritize for remediation.
- Use Lumension Security Configuration Management to understand configurations on various (groups of) machines, allowing you to appropriately configure different machines for their level of risk.
- Use Lumension Device Control to monitor and control all your endpoints for devices being connected and data flows off network.
- Use Lumension Application Control to monitor and enforce application usage across your network.

Risk Management (R): Manage risks on / to your network:
- Use Lumension Patch and Remediation to update and fix known vulnerabilities.
- Use Lumension Device Control to control data flows off network, and to prevent the introduction of malware.
- Use Lumension Application Control to control what applications are used by whom, and to prevent malware from executing.

Sanction Policy (R): Use Lumension Endpoint Security Suite to support Sanction Policies via its integrated reports (e.g., user A's repeated attempts to connect a rogue device to the network).

Information System Activity Review (R): Monitor system activity:
- Actively manage both your hardware and software assets, and vulnerability and patch status, using Lumension Patch and Remediation.
- Integrate 3rd party data into a common repository for dashboard reporting using Lumension Enterprise Reporting.
- Monitor device usage and data flows using Lumension Device Control.
- Monitor application usage using Lumension Application Control.

164.308(a)(2) Assigned Security Responsibility: All Lumension solutions utilize RBAC controls for administrative actions and can be configured to support unique organizational needs.

164.308(a)(3) Workforce Security

Authorization and/or Supervision (A): Use Lumension Endpoint Security Suite to control device and application usage on your managed endpoints, no matter where / when users are logged on; includes:
- Control at user or group level.
- Can be tied to MS Active Directory or Novell eDirectory.
- Supports zero day start / stop to limit unauthorized usage.
- Uses RBAC and grouping to maintain separation of duties and the notion of least privilege.

Workforce Clearance Procedure (A): Use Lumension Device Control to:
- Prevent unauthorized employees from downloading / transferring data off your network.
- Provision authorized users with encrypted devices to protect EPHI when distributed via removable media.

Termination Procedure (A):
- Use Lumension Device Control to prevent terminated employees from downloading / transferring data off your network.
- Use Lumension Application Control to prevent terminated employees from executing any applications on your network.

164.308(a)(4) Information Access Management

Isolating Healthcare Clearinghouse Functions (R): N/A

Access Authorization (A): Prevent unauthorized access:
- Use Lumension Scan to identify rogue network devices.
- Use Lumension Device Control to control / prevent access of removable devices / media which can be used to download / transfer data.
- Use Lumension Application Control to limit access to applications.

Access Establishment and Modification (A): Use Lumension Endpoint Security Suite to monitor / manage access:
- Control / prevent access of removable devices / media which can be used to download / transfer data.
- Limit access to applications.
- Monitor all administrative actions / changes to security policy enforcement.

164.308(a)(5) Security Awareness and Training

Security Reminders (A): Provide customizable messages to end users when they attempt to contravene security policy; for instance:
- Use Lumension Device Control to control / prevent data downloads, and/or to force encryption.
- Use Lumension Application Control to control / prevent unauthorized use of certain applications.

Protection from Malicious Software (A): Protect your network from malware:
- Use Lumension Security Configuration Management to report on configuration settings of all network assets.
- Use Lumension Patch and Remediation to stay up-to-date on patching and remediation of all known vulnerabilities.
- Use Lumension Device Control to prevent malware being downloaded from external devices (e.g., USB flash drives).
- Use Lumension Application Control to prevent malware from executing on your network.

Log-in Monitoring (A): Look beyond network logins:
- Use Lumension Device Control to monitor / control / report on attempts to use removable devices and/or download data.
- Use Lumension Application Control to monitor / control / report on attempts to use applications, and on unknown applications attempting to execute.

Password Management (A): Use Lumension Device Control to enforce existing or new (strong) password usage for encrypted devices:
- Implement at user or group level.
- Tie to existing MS Active Directory or Novell eDirectory.
- Integrates with MS Certificate Authority.

164.308(a)(6) Security Incident Procedures

Response and Reporting (R): Prevent / report on potentially harmful incidents:
- Use Lumension Scan to identify known vulnerabilities on network assets.
- Use Lumension Security Configuration Management to scan / monitor / report configurations of all network assets.
- Use Lumension Patch and Remediation to update and repair known vulnerabilities to limit attack surface.
- Use Lumension Enterprise Reporting to report on vulnerability status of all network assets, including any third party vulnerability data.
- Use Lumension Device Control to limit access by removable devices / media to, and downloading of data from, your network.
- Use Lumension Application Control to prevent unauthorized applications from executing.

164.308(a)(7) Contingency Plan

Data Backup Plan (R): Use Lumension Device Control to force encryption of backup data being written onto external USB hard drives from workstations to prevent unauthorized usage.
Disaster Recovery Plan (R): N/A
Emergency Mode Operation Plan (R): N/A

Testing and Revision Procedure (A): N/A
Applications and Data Criticality Analysis (A): N/A

164.308(a)(8) Evaluation: N/A

164.308(b)(1) Business Associate Contracts and Other Arrangements

Written Contract or Other Arrangement (R): Use Lumension Device Control to force encryption of data being sent to / used by third parties to prevent unauthorized usage.

Physical Safeguards

164.310(a)(1) Facility Access Controls

Contingency Operations (A): N/A
Facility Security Plan (A): N/A
Access Control and Validation Procedures (A): Control access based on user / machine rights and other factors:
- Use Lumension Device Control to control access by removable devices / media.
- Use Lumension Application Control to control access to applications.
Maintenance Records (A): N/A

164.310(b) Workstation Use: Based on user / machine rights and other factors, ensure proper usage:
- Use Lumension Security Configuration Management to monitor workstation configurations and manage image drift.
- Use Lumension Patch and Remediation to update and repair known vulnerabilities to limit attack surface.
- Use Lumension Device Control to control access by removable devices / media, and data flows off network.
- Use Lumension Application Control to control access to applications, to prevent malware from executing, and to limit application usage to specific machines.

164.310(c) Workstation Security: Based on user / machine rights and other factors, restrict network / machine access:
- Use Lumension Device Control to control access by removable devices / media, and data flows off network.
- Use Lumension Application Control to control access to applications, and to prevent malware from executing.

164.310(d)(1) Device and Media Controls

Disposal (R): Use Lumension Device Control to force encryption of data being saved onto removable devices / media to prevent unauthorized usage.
Media Reuse (R): Use Lumension Device Control to track and force encryption of data being saved onto removable devices / media to prevent unauthorized usage; it can also be used to irrevocably delete any existing data on a given removable device / media.
Accountability (A): Use Lumension Device Control to either track the filename or create a full copy of data being saved onto removable devices / media, using patented bi-directional shadowing technology.
Data Backup and Storage (A): Use Lumension Device Control to create a full copy of data being saved onto removable devices / media.

Technical Safeguards

164.312(a)(1) Access Control

Unique User Identification (R): Use Lumension Device Control to control access to removable devices / media and applications:
- Based on user / machine rights and other factors.
- Based on existing MS Active Directory or Novell eDirectory structures.
Use Lumension Application Control to control access to specific executables.
Emergency Access Procedure (R): N/A
Automatic Logoff (A): N/A
Encryption and Decryption (A): Use Lumension Device Control to force encryption of data being saved onto removable devices / media to prevent unauthorized usage.

164.312(b) Audit Controls: Monitor system activity:
- Configurations of all network assets using Lumension Security Configuration Management.
- Vulnerability and patch status using Lumension Scan and Lumension Patch and Remediation.
- Device usage and data flows using Lumension Device Control.
- Application availability and usage using Lumension Application Control.
- Both user and administrative activities using Lumension Endpoint Security Suite.

164.312(c)(1) Integrity

Mechanism to Authenticate Electronic Protected Health Information (A): Use Lumension Device Control to force encryption of data being saved onto removable devices / media to prevent unauthorized usage.

164.312(d) Person or Entity Authentication: Use Lumension Device Control to control access to removable devices / media and applications:
- Based on user / machine rights and other factors.
- Based on existing MS Active Directory or Novell eDirectory structures.

164.312(e)(1) Transmission Security

Integrity Controls (A): Use Lumension Device Control to track and force encryption of data being saved onto removable devices / media to prevent unauthorized usage.

Encryption (A): Use Lumension Device Control to force encryption of data being saved onto removable devices / media to prevent unauthorized usage.

Policies and Procedures and Documentation Requirements

164.316(a) Policies and Procedures: Enforce your policies and procedures:
- Use Lumension Scan to identify all vulnerabilities on network assets.
- Use Lumension Security Configuration Management to scan / monitor / report configurations of all network assets.
- Use Lumension Patch and Remediation to update and fix known vulnerabilities to limit attack surface.
- Use Lumension Enterprise Reporting to report on vulnerability status of all network assets, including any third party vulnerability data.
- Use Lumension Endpoint Security Suite to control device and application usage on your managed endpoints, no matter where / when users are logged on; includes:
  - Control at user or group level.
  - Can be tied to MS Active Directory or Novell eDirectory.
  - Supports zero day start / stop to limit unauthorized usage.
  - Uses RBAC and grouping to maintain separation of duties and the notion of least privilege.

164.316(b)(1) Documentation

Time Limit (R): N/A
Availability (R): N/A
Updates (R): N/A

About Lumension

Lumension, Inc., a global leader in operational endpoint security, develops, integrates and markets security software solutions that help businesses protect their vital information and manage critical risk across network and endpoint assets. Lumension enables more than 5,100 customers worldwide to achieve optimal security and IT success by delivering a proven and award-winning solution portfolio that includes Vulnerability Management, Endpoint Protection, Data Protection, and Reporting and Compliance offerings. Lumension is known for providing world-class customer support and services 24x7, 365 days a year. Headquartered in Scottsdale, Arizona, Lumension has operations worldwide, including Virginia, Florida, Luxembourg, the United Kingdom, Spain, Australia, India, Hong Kong and Singapore. Lumension: IT Secured. Success Optimized. More information can be found at www.lumension.com.

Global Headquarters
15580 N. Greenway-Hayden Loop, Suite 100
Scottsdale, AZ 85260 USA
phone: +1.888.725.7828
fax: +1.480.970.6323
www.lumension.com