The Health Insurance Portability and Accountability Act - HIPAA - Using BeAnywhere in a HIPAA context




About HIPAA

The Health Insurance Portability and Accountability Act (HIPAA), passed by Congress in 1996 and also known as the Kassebaum-Kennedy Act, aims, among other purposes, to protect electronic health information from unauthorized access. Only electronic protected health information (ePHI) is covered by the HIPAA Security Rule; paper records stored in filing cabinets are not subject to the security standards. The Security Rule includes Technical Safeguards that apply to covered entities that use remote access products to maintain or transmit ePHI. The HIPAA Privacy Rule regulates the use and disclosure of Protected Health Information (PHI) held by "covered entities". PHI is any information held by a covered entity that concerns health status, provision of health care, or payment for health care and that can be linked to an individual.

More info: Health Insurance Portability And Accountability Act Of 1996; Health Information Privacy page of the U.S. Department of Health and Human Services.

Using BeAnywhere solutions in compliance with HIPAA

The following pages introduce the HIPAA security safeguards and describe how an entity using BeAnywhere's remote access solutions and/or BeAnywhere Insight can configure and operate them so as to comply with those rules. The document is structured as follows:

Section 1: HIPAA Summary
Section 2: HIPAA Technical Safeguards
Section 3: HIPAA compliance using BeAnywhere
Section 4: Conclusion
Section 5: Terms

NOTE: The information contained in this document does not constitute legal advice. BeAnywhere advises you to seek legal advice before asserting compliance with any of the rules and safeguards stated in this document. BeAnywhere makes no claims, promises or guarantees about the accuracy, completeness, or adequacy of the information contained in or referenced in this document.

Section 1: HIPAA Summary

Covered Entities
All healthcare clearinghouses, health plans, and healthcare providers that conduct certain transactions in electronic form. This includes entities that use a billing service to conduct transactions on their behalf.

HIPAA Transactions
- Healthcare claims or their equivalent
- Healthcare payment and remittance advice
- Healthcare claims status
- Eligibility inquiries
- Referral certifications and authorizations
- Claims attachments
- First reports of injury

Section 2: HIPAA Technical Safeguards

According to the HIPAA Security Standards published in the Federal Register on February 20, 2003 (45 CFR Parts 160, 162 and 164, Health Insurance Reform: Security Standards, Final Rule), the technical safeguards and their implementation specifications are:

a) Access Control, 164.312(a)(1): Implement technical policies and procedures for electronic information systems that maintain ePHI to allow access only to those persons or software programs that have been granted access rights.
- Unique User Identification (Required)
- Emergency Access Procedure (Required)
- Automatic Logoff (Addressable*)
- Encryption and Decryption (Addressable)

b) Audit Controls, 164.312(b): Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use ePHI. (Required)

c) Integrity, 164.312(c)(1): Implement policies and procedures to protect ePHI from improper alteration or destruction.
- Mechanism to Authenticate ePHI (Addressable): implement electronic mechanisms to corroborate that ePHI has not been altered or destroyed in an unauthorized manner.

d) Person or Entity Authentication, 164.312(d): Implement procedures to verify that a person or entity seeking access to ePHI is the one claimed, i.e. corroboration that an entity is who it claims to be. (Required)

e) Transmission Security, 164.312(e)(1): Implement technical security measures to guard against unauthorized access to ePHI that is being transmitted over an electronic communications network.
- Integrity Controls (Addressable): security measures to ensure that electronically transmitted ePHI is not improperly modified without detection until disposed of.
- Encryption (Addressable)

* See Section 5

Section 3: HIPAA Compliance Using BeAnywhere

a) Access Control 164.312(a)(1)

BeAnywhere's security policies:
- Access to the BeAnywhere infrastructure and access to the host computers are completely independent, requiring different authentication processes with different requirements.
- Access to host computers can be protected by Windows or Mac native OS user authentication.
- Access to host computers can be protected by a Master Password.
- Access to the BeAnywhere infrastructure can be secured with industry-standard two-factor authentication.
- Role- and user-based, modular access to the Console, the Administration Area and to specific devices.
- Administration rights and session features can be restricted per user (e.g. the right to use Remote Desktop, to transfer files, or to view session information and other historical data).
- Temporary technicians/users with limited permissions and visibility can be created.
- If the remote device is accessed through an Agent, the machine can be configured to require authorization from a local user before a session starts; if it is accessed through a Support Express Applet, a local user must explicitly follow a combination of simple steps to initiate the session. The applet can have its privileges limited to those of the local user running it.
- Through the Applet, the local user can be given a Panic Mode: a key combination (Esc + F1) that immediately suspends all interactivity between the BASE technician and the remote machine. The local user can also be allowed to suspend individual features during a session (Remote Desktop, File Transfer, System Shell, Video Recording, etc.), and Applet sessions can be ended at any time.
- Remote access can be automatically locked after a period of inactivity.
- After an Applet session ends, the technician loses all rights on the remote machine.

b) Audit Controls 164.312(b)

BeAnywhere's security policies:
- All activity on the remote computer can be logged through mandatory video recording of sessions and detailed session reports, which include the chat history, the file transfer activity, and the commands typed through the System Shell feature.
- An exhaustive technical log of the remote activity is additionally kept on the host computer's hard disk for at least seven days. This file can be used for forensics if needed, and should be copied to a permanent location on the remote network if it is to be retained for compliance purposes.
- Account administrators can see session events and chat data in real time for every session in progress.
- Sessions are logged as Windows Events on Windows hosts and in the system logs on Mac OS.
- Detailed session information can be analyzed through a dedicated interface in the Administration Area, with filtering and searching capabilities.
- Access to auditing information in the Administration Area is always restricted, through role- or user-based permission schemes.

c) Integrity, Policies and Procedures 164.312(c)(1), 164.312(c)(2)

BeAnywhere's security policies:
- Sessions are encrypted end-to-end: chat, remote control, file transfers and any other information or interaction occurring during a session are encapsulated in BeAnywhere's protocol, which uses point-to-point 256-bit encryption with the U.S. approved Advanced Encryption Standard (AES).
- All interactions between BeAnywhere components outside the context of a session are encrypted with the industry-standard Transport Layer Security (TLS) protocol (128-bit AES in CBC mode), so that communications cannot be tampered with undetected.
- The integrity of a remote session can be protected by disabling keyboard and mouse input at the local machine and by blanking the remote screen.
- File integrity during transfers is validated with the MD5 message-digest algorithm, which detects data corrupted in transmission. Note that an unkeyed digest only detects accidental corruption: anyone able to rewrite the stream could recompute it, and MD5 is no longer collision-resistant, so protection against deliberate tampering rests on the encrypted session channel that carries both the file and its digest.
- Automatic alerts can be set to help identify access to sensitive devices by authorized users who should not be using them.
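The session reports and alerts described above are reviewed in the Administration Area, whose export format the page does not show. As an added example that is not part of the original document or of BeAnywhere's software, the following Python reviews a constructed session-report export (the column names and the access policy are assumptions made for illustration) and raises the kind of alert the page describes: access to a sensitive device by an authorized technician who is not on that device's allow-list, access to such a device outside business hours, and use of restricted session features by a temporary technician.

```python
import csv
import io
from datetime import datetime, time

# Constructed session-report export for this example. It is NOT BeAnywhere's
# real export format; the column names are assumptions made for illustration.
SESSION_REPORT = """\
session_id,technician,device,start,features_used
s-0001,alice,WS-RECEPTION-01,2024-03-04T09:12:00,RemoteDesktop
s-0002,bob,SRV-EHR-DB,2024-03-04T02:05:00,RemoteDesktop|SystemShell
s-0003,temp-carol,SRV-EHR-DB,2024-03-04T14:00:00,FileTransfer
s-0004,alice,SRV-EHR-DB,2024-03-04T10:00:00,RemoteDesktop
"""

# Review policy (assumed for the example): devices holding ePHI and the
# technicians allowed on each, the hours during which such access is expected,
# and the session features temporary technicians are not supposed to use.
SENSITIVE_DEVICES = {"SRV-EHR-DB": {"alice", "bob"}}
BUSINESS_HOURS = (time(7, 0), time(19, 0))
TEMP_PREFIX = "temp-"
TEMP_FORBIDDEN_FEATURES = {"FileTransfer", "SystemShell"}


def parse_report(text):
    """Parse the CSV export into a list of per-session dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def review_sessions(rows):
    """Return (session_id, reason) tuples for sessions a compliance reviewer
    should look at. A single session can produce more than one alert."""
    alerts = []
    for row in rows:
        sid, tech, dev = row["session_id"], row["technician"], row["device"]
        start = datetime.fromisoformat(row["start"])
        features = set(row["features_used"].split("|"))

        if dev in SENSITIVE_DEVICES:
            # authorized user of the platform, but not of this device
            if tech not in SENSITIVE_DEVICES[dev]:
                alerts.append((sid, f"{tech} is not on the allow-list for {dev}"))
            # access at an unexpected time of day
            if not (BUSINESS_HOURS[0] <= start.time() <= BUSINESS_HOURS[1]):
                alerts.append((sid, f"{dev} accessed at {start.time()} outside business hours"))

        # temporary technician used a feature that should have been restricted
        misused = features & TEMP_FORBIDDEN_FEATURES
        if tech.startswith(TEMP_PREFIX) and misused:
            alerts.append((sid, f"temporary technician used {', '.join(sorted(misused))}"))
    return alerts


if __name__ == "__main__":
    for sid, reason in review_sessions(parse_report(SESSION_REPORT)):
        print(f"ALERT {sid}: {reason}")
```

Run against the constructed report, the review flags s-0002 (off-hours access to the EHR server by an otherwise permitted technician) and s-0003 twice (a temporary technician on a device she is not allowed to reach, using file transfer). The same loop can be pointed at the host-side technical log once it has been copied to its permanent location, which is where the seven-day retention window on the host makes a scheduled copy worthwhile.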

d) Person or Entity Authentication 164.312(d)

BeAnywhere's security policies:
- Access to the BeAnywhere infrastructure and access to the host computers are completely independent, requiring different authentication processes with different requirements.
- Access to host computers can be protected by Windows or Mac native OS user authentication.
- Access to host computers can be protected by a Master Password.
- Access to the BeAnywhere infrastructure can be secured with industry-standard two-factor authentication.
- An authentication scheme that is easy to set up and use, yet technically layered, can be implemented by combining multiple levels of authentication and permissions, so that only authorized and validated persons gain access to a device and its resources.
- IP address restrictions can be used to limit access to the Technician Console.

e) Transmission Security 164.312(e)(1)

BeAnywhere's security policies:
- Sessions are encrypted end-to-end: chat, remote control, file transfers and any other information or interaction occurring during a session are encapsulated in BeAnywhere's protocol, which uses point-to-point 256-bit encryption with the U.S. approved Advanced Encryption Standard (AES).
- All interactions between BeAnywhere components outside the context of a session are encrypted with the industry-standard Transport Layer Security (TLS) protocol (128-bit AES in CBC mode), so that communications cannot be tampered with undetected.
- File integrity during transfers is validated with the MD5 message-digest algorithm, which detects data corrupted in transmission. As an unkeyed digest it does not by itself stop deliberate modification; that protection comes from the encrypted session channel carrying the transfer.
- Automatic alerts can be set to help identify access to sensitive devices by authorized users who should not be using them.
- BeAnywhere's network is continuously monitored and probed for security issues by external entities, and a secure password policy is enforced for all users.
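To make the integrity caveat in c) and e) concrete, the following added example (not BeAnywhere code; the transferred file content and the session key are constructed for the example) shows that an unkeyed MD5 checksum catches a bit flipped in transit but is trivially recomputed by anyone who can rewrite the stream, whereas a keyed HMAC bound to the session key is not. It is the encrypted channel, not the MD5 itself, that supplies tamper resistance.

```python
import hashlib
import hmac
import secrets

# Constructed file content standing in for something transferred during a
# support session; not real patient data.
ORIGINAL = b"patient_id=1042;dx=J45.20;note=follow-up in 6 weeks\n"


def md5_hex(data: bytes) -> str:
    """Unkeyed MD5 checksum, the kind of transfer-integrity check described above."""
    return hashlib.md5(data).hexdigest()


def mac_hex(key: bytes, data: bytes) -> str:
    """Keyed HMAC-SHA256 tag; only a holder of the session key can compute it."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def send(data: bytes, key: bytes):
    """Sender emits the data together with its MD5 checksum and an HMAC tag."""
    return data, md5_hex(data), mac_hex(key, data)


def receiver_md5_ok(data: bytes, checksum: str) -> bool:
    """Receiver-side MD5 check (constant-time comparison)."""
    return hmac.compare_digest(md5_hex(data), checksum)


def receiver_mac_ok(key: bytes, data: bytes, tag: str) -> bool:
    """Receiver-side HMAC check with the shared session key."""
    return hmac.compare_digest(mac_hex(key, data), tag)


def corrupt_in_transit(data: bytes) -> bytes:
    """Accidental corruption: one flipped bit, checksum left as sent."""
    b = bytearray(data)
    b[10] ^= 0x01
    return bytes(b)


def tamper_in_transit(data: bytes):
    """Deliberate modification by someone who sees the stream in clear: the
    diagnosis code is changed and the unkeyed checksum recomputed to match.
    Without the session key the HMAC tag cannot be recomputed."""
    modified = data.replace(b"J45.20", b"J45.50")
    return modified, md5_hex(modified)


def demo(key: bytes = None) -> dict:
    """Run both checks against corruption and against tampering."""
    key = key or secrets.token_bytes(32)  # per-session key shared by both ends
    data, checksum, tag = send(ORIGINAL, key)
    corrupted = corrupt_in_transit(data)
    tampered, forged_checksum = tamper_in_transit(data)
    return {
        "md5_detects_corruption": not receiver_md5_ok(corrupted, checksum),
        "md5_detects_tampering": not receiver_md5_ok(tampered, forged_checksum),
        "mac_detects_tampering": not receiver_mac_ok(key, tampered, tag),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The MD5 check fails the corrupted file (good) but passes the tampered one because the attacker supplied a matching checksum; the HMAC rejects it. In the product's design both file and digest travel inside the AES-encrypted session, which is what denies an attacker the ability to rewrite them; the checksum's job is to catch transmission errors. MD5 is also no longer collision-resistant, which matters if a recorded digest is later used to assert that an archived file is unchanged; a SHA-256 HMAC as above avoids both problems.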

Section 4: Conclusion

Although HIPAA regulations cover only entities that handle patient health information, the electronic tools used in that process are expected to implement procedures, technologies and safeguards that assure or enhance compliance with the required standards. The BeAnywhere access protocol was designed from scratch with security at its core and has integrated additional security and audit controls over the years, anticipating the needs of its clients and the evolution of the technology.

The management, configuration and operational features of BeAnywhere solutions meet or exceed the HIPAA technical standards and contribute to the establishment of workflows in accordance with the best practices suggested or required by current U.S. and international legal and normative frameworks: BeAnywhere products can be deployed as an outsourced remote-access component of a larger information-management system without affecting HIPAA compliance.

HIPAA grants a certain freedom in how its security guidelines are implemented, which means that each organization should carefully plan the security implementation it will adopt according to its needs and specificities. BeAnywhere solutions are highly modular, so organizations can find the right balance of security and productivity for their particular case. BeAnywhere support staff are highly experienced in helping HIPAA-covered organizations implement and fine-tune remote support or remote management solutions. Please contact us if you need any help or advice.

Section 5: Terms (according to HIPAA)

Electronic: the transmission of healthcare information by means including, but not limited to, the Internet, an extranet, leased lines and dial-up lines.

Addressable: a standard or implementation specification for which the covered entity has a degree of flexibility: it must assess whether the specification is reasonable and appropriate in its environment and then implement it, implement an equivalent alternative measure, or document why neither is done.

Europe: +351 210 441 550 South America: +55 (11) 3230-2309 North America: +1 650 681 9690 contact@beanywhere.com