WHITE PAPER. What Every CIO Needs to Know About HIPAA Compliance




Table of Contents

Executive Summary
HIPAA & Retina Network Security Scanner
Vulnerability Assessment & Remediation
  Phase 1: Discovery & Auditing
  Phase 2: Delegate & Remediate
  Phase 3: Report & Adapt
Achieving HIPAA Compliance with Retina
  Administrative Safeguards
    Security Management Process [Standard: (a)(1)(i)]
    Evaluation [Standard: (a)(8)]
  Technical Safeguards
    Security Management Process - Risk Analysis [(a)(1)(ii)(a)]
    Security Management Process - Risk Management [(a)(1)(ii)(b)]
    Security Management Process - Information System Activity Review [(a)(1)(ii)(d)]
    Security Incident Procedures - Response and Reporting [(a)(6)(ii)]
    Business Associate Contracts and Other Arrangements [(b)(1) and (b)(4)]
Conclusion

© 2013 BeyondTrust Software, Inc.

Executive Summary

The final privacy rules for securing electronic health care became effective in 2003. These regulations require healthcare companies to develop, implement and document the measures they take to ensure that health information remains secure under the Health Insurance Portability and Accountability Act (HIPAA). HIPAA is intended to protect and simplify the exchange of healthcare data nationwide. As of April 2006, all healthcare organizations are required to comply. The complete HIPAA information can be found at http://www.cms.hhs.gov/HIPAAGenInfo/.

Compliance with HIPAA is mandatory, and violators face up to $250,000 in fines and jail time of up to 10 years. HIPAA regulations are intended to protect data such as a patient's medical records and personal healthcare information. HIPAA affects organizations that transmit protected health information in electronic form (e.g. health plans, healthcare clearinghouses and healthcare providers). The law requires that healthcare organizations implement a wide variety of safeguards and security best practices in order to adequately protect customer data. Full compliance requires that these entities understand the threats and liabilities and take proactive measures to maintain reasonable and appropriate safeguards in three areas: administrative, physical and technical.

This document details the process needed to achieve compliance and breaks down the specific areas of HIPAA where eEye's Retina Network Security Scanner plays a pivotal role.

HIPAA & Retina Network Security Scanner

There are several areas of HIPAA where eEye's vulnerability assessment solution is key to attaining compliance. These sections include Title II (Preventing Health Care Fraud and Abuse), Subtitle F (Administrative Simplification), Section 262 and Subsection 1173d (Security Standards for Health Information).

As initially mentioned, Subsection 1173d contains the three security standards categories that are critical: administrative, physical and technical. The final ruling on compliance requires all entities subject to HIPAA standards to periodically conduct an evaluation of their security safeguards to demonstrate and document their compliance with the entity's security policy and the requirements of this subpart. In terms of evaluation frequency, the regulations state that "covered entities must assess the need for a new evaluation based on changes to their security environment since their last evaluation, for example, new technology adopted or responses to newly recognized risks to the security of their information." HIPAA regulations also point out that "it is important to recognize that security is not a product, but is an ongoing, dynamic process." eEye's Retina Enterprise family of solutions automates and fulfills these process-oriented safeguard requirements for entities of all sizes.

It is important to recognize the significance of the word "process" in the HIPAA regulations as it pertains to security within an organization. A computer security audit is a systematic, measurable technical assessment of how the entity's security policy is employed. Security audits do not take place in a vacuum; they are part of the ongoing methodology of defining, maintaining and improving effective security throughout the organization. Following an established vulnerability assessment and remediation process is a proven approach to attaining HIPAA network security compliance.

Vulnerability Assessment & Remediation

eEye's vulnerability assessment solution incorporates Retina and a sophisticated events management system to manage the entire process, and it minimizes the resources needed to undertake this critical security initiative.

PHASE 1: DISCOVERY & AUDITING

In order for organizations to assess their networks, it is important to understand the digital assets that make up the network. The first step in the vulnerability assessment and remediation process is asset identification. Though elementary, the Discovery Phase is an important first step in understanding the devices on a network. Retina quickly identifies and maps all of these elements in a centralized database.

Unquestionably, the most critical phase in the entire vulnerability assessment and remediation process involves properly auditing an entire network for vulnerabilities. Retina is recognized as the leader in terms of its comprehensive auditing capabilities and unparalleled speed, accuracy and ease of use. With thousands of Retina scanners deployed worldwide, Retina has become the industry's most effective security auditing product.

PHASE 2: DELEGATE & REMEDIATE

Upon discovery of network issues, the task of assigning vulnerabilities for remediation can be simplified with an automated solution that incorporates a security events management system. eEye's Enterprise Vulnerability Assessment solution is designed for large, distributed enterprises with expansive networks that must be protected. For smaller organizations, the stand-alone capabilities within Retina meet the delegation needs of IT and network security personnel.

The Remediation Phase encompasses fixing the issue. eEye's technology provides hands-on fixes that resolve issues correctly the first time. Detailed remediation instructions guide administrators through the process of correcting network vulnerabilities before an attacker can compromise them. After a patch or fix has been applied, a follow-up Retina scan serves as verification that the issue has been addressed and corrected.

PHASE 3: REPORT & ADAPT

Reporting, trend analysis, policy settings and resource management are all part of the Report & Adapt Phase of the vulnerability assessment and remediation management process. With HIPAA, this stage provides the documentation needed to prove that the proper security measures are being carried out on a regular, ongoing basis. With proper auditing tools like Retina Enterprise, the unification of process and technology is simplified. Most importantly, implementing eEye's solution yields results and compliance for entities of all sizes that are subject to HIPAA regulations.

Achieving HIPAA Compliance with Retina

The following are the applicable areas where Retina is instrumental in attaining compliance, particularly in the areas of administrative and technical initiatives (physical safeguards, which are non-technical, do not apply for these purposes).

Administrative Safeguards

SECURITY MANAGEMENT PROCESS [STANDARD: (A)(1)(I)]

"Implement policies and procedures to prevent, detect, contain, and correct security violations."

This is the core strength of eEye's vulnerability assessment solution. Retina Enterprise is a complete, automated system that performs non-intrusive audits to prevent, detect, contain, and correct security violations.

EVALUATION [STANDARD: (A)(8)]

"Perform a periodic technical and non-technical evaluation based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart."

Regular, scheduled vulnerability assessment audits can be performed by Retina, fulfilling this ongoing requirement for the entire network and verifying that any changes in the network have not created exposure.

Technical Safeguards

SECURITY MANAGEMENT PROCESS - RISK ANALYSIS [(A)(1)(II)(A)]

"Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity." Required implementation specification: (a)(1)(ii)(a).

Retina is the industry's #1 rated network vulnerability assessment scanner. Its database of vulnerability checks is the most accurate and comprehensive. Retina utilizes advanced technology to quickly and accurately test the strength of the entire network and reports on weaknesses with detailed remediation instructions.

SECURITY MANAGEMENT PROCESS - RISK MANAGEMENT [(A)(1)(II)(B)]

"Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with 164.306(a)." Required implementation specification: (a)(1)(ii)(b).

Retina provides instant vulnerability information, which can be sorted in a variety of ways, including by risk level. For large organizations, Retina is the core of eEye's Enterprise Vulnerability Assessment solution, which enables entities to compile vulnerability reports and automate the remediation management process for the entire organization worldwide.

SECURITY MANAGEMENT PROCESS - INFORMATION SYSTEM ACTIVITY REVIEW [(A)(1)(II)(D)]

"Implement procedures to regularly review records of information system activity, such as audit logs, access reports, and security incident tracking reports." Required specification: (a)(1)(ii)(d).

Retina automatically documents all incidents and effects of performed audits.

SECURITY INCIDENT PROCEDURES - RESPONSE AND REPORTING [(A)(6)(II)]

"Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes." Required implementation specification: (a)(6)(ii).

Retina is the industry's #1 rated network vulnerability assessment scanner. Its database of vulnerability checks is the most accurate and comprehensive. Retina utilizes advanced technology to quickly and accurately test the strength of the entire network and reports on weaknesses with detailed corrective action instructions. All corrective actions can be immediately tested by running a follow-up scan to assure that corrective measures were properly followed to secure the entity.

BUSINESS ASSOCIATE CONTRACTS AND OTHER ARRANGEMENTS [(B)(1) AND (B)(4)]

"[An entity] may permit a business associate to create, receive, maintain, or transmit electronic protected health information on the covered entity's behalf only if the covered entity obtains satisfactory assurances... that the business associate will appropriately safeguard the information." Standard (b)(1).

"Document the satisfactory assurances required... through a written contract or other arrangement with the business associate that meets the applicable requirements..." Required implementation specification: (b)(4).

Retina provides complete reports that can be used by the entity to assure compliance. Furthermore, Retina can be used by business associates to test their own security measures and assure that their networks are safe for creating, receiving, maintaining, or transmitting health information.

Conclusion

As with any IT project, working toward certifying compliance with regulations such as HIPAA must begin with a foundation in the organization's business and technical requirements, as there is no single magic bullet that ensures compliance. Defining the vulnerability management criteria that are most critical, and the tools to ensure those criteria are met, is the right process for any ongoing compliance project.
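The follow-up scan described under Phase 2, the Report & Adapt evidence of Phase 3, and the Evaluation and Incident Response sections above all reduce to the same task: compare a verification scan against the baseline, rank what is still open by risk, and file the result. The code below is an added example written for this page, not eEye's or BeyondTrust's code and not Retina's real export format; it assumes a constructed "host,check_id,risk" CSV layout with placeholder hosts and check IDs, classifies findings as remediated, persisting or new, and flags hosts first seen in the follow-up scan as a change in the security environment that warrants re-evaluation.

```python
from collections import namedtuple

RISK_ORDER = {"High": 0, "Medium": 1, "Low": 2}  # sort key: highest risk first
Finding = namedtuple("Finding", "host check_id risk")

def parse_scan(csv_text: str) -> set:
    """Parse 'host,check_id,risk' rows (constructed layout, not Retina's export format); header skipped."""
    findings = set()
    for line in csv_text.strip().splitlines()[1:]:
        host, check_id, risk = (field.strip() for field in line.split(","))
        if risk not in RISK_ORDER:
            raise ValueError(f"unknown risk level {risk!r} on host {host}")
        findings.add(Finding(host, check_id, risk))
    return findings

def compare_scans(before: set, after: set) -> dict:
    """Classify findings as remediated (gone), persisting or new, highest risk first,
    and list hosts first seen in the follow-up scan (a change in the environment)."""
    def by_risk(f):
        return (RISK_ORDER[f.risk], f.host, f.check_id)
    return {
        "remediated": sorted(before - after, key=by_risk),
        "persisting": sorted(before & after, key=by_risk),
        "new": sorted(after - before, key=by_risk),
        "new_assets": sorted({f.host for f in after} - {f.host for f in before}),
    }

def evidence_record(before_csv: str, after_csv: str, before_date: str, after_date: str) -> dict:
    """Summary for the compliance file: counts, open High findings, and whether the
    environment changed enough that HIPAA's periodic evaluation should be rerun."""
    diff = compare_scans(parse_scan(before_csv), parse_scan(after_csv))
    still_open = diff["persisting"] + diff["new"]
    return {
        "scan_window": (before_date, after_date),
        "remediated": len(diff["remediated"]),
        "persisting": len(diff["persisting"]),
        "new": len(diff["new"]),
        "open_high": sum(f.risk == "High" for f in still_open),
        "reevaluation_recommended": bool(diff["new_assets"] or diff["new"]),
    }

# Constructed sample exports (placeholder hosts and check IDs, not real scan output).
BEFORE_CSV = """host,check_id,risk
10.0.0.5,CHK-1001,High
10.0.0.5,CHK-1042,Medium
10.0.0.7,CHK-2210,High
10.0.0.9,CHK-3005,Low"""

AFTER_CSV = """host,check_id,risk
10.0.0.5,CHK-1042,Medium
10.0.0.7,CHK-2210,High
10.0.0.9,CHK-3005,Low
10.0.0.12,CHK-4400,High"""
```

In the sample data one High finding was fixed, one High finding on 10.0.0.7 was not, and a new host with a new High finding appeared, so the record reports two open High items and recommends a fresh evaluation.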

CONTACT INFO

NORTH AMERICAN SALES
1.800.234.9072
sales@beyondtrust.com

EMEA HEADQUARTERS
Suite 345 Warren Street
London W1T 6AF
United Kingdom
Tel: +44 (0) 8704 586224
Fax: +44 (0) 8704 586225
emeainfo@beyondtrust.com

CONNECT WITH US
Twitter: @beyondtrust
Facebook.com/beyondtrust
Linkedin.com/company/beyondtrust
www.beyondtrust.com