HIPAA COMPLIANCE REVIEW



Similar documents
WHITE PAPER. Support for the HIPAA Security Rule RadWhere 3.0

White Paper. Support for the HIPAA Security Rule PowerScribe 360

PRIVACY POLICIES AND FORMS FOR BUSINESS ASSOCIATES

Securing the FOSS VistA Stack HIPAA Baseline Discussion. Jack L. Shaffer, Jr. Chief Operations Officer

RAYSAFE S1 SECURITY WHITEPAPER VERSION B. RaySafe S1 SECURITY WHITEPAPER

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES

HIPAA Security. Jeanne Smythe, UNC-CH Jack McCoy, ECU Chad Bebout, UNC-CH Doug Brown, UNC-CH

HIPAA Security Matrix

HIPAA Security. 5 Security Standards: Organizational, Policies. Security Topics. and Procedures and Documentation Requirements

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics

HIPAA Security. 4 Security Standards: Technical Safeguards. Security Topics

IBM Internet Security Systems. The IBM Internet Security Systems approach for Health Insurance Portability and Accountability Act compliance overview

HIPAA Information Security Overview

Healthcare Compliance Solutions

VISUAL PRODUCT MODELING SYSTEM (VP/MS) CRACK THE CODE FOR ADMINISTERING CALCULATIONS AND BUSINESS RULES

HIPAA Security Rule Compliance

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

How the world s favourite reinsurance suite is about to get even better

An Oracle White Paper December Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance

HIPAA Security Alert

CELERITI CUSTOMER AGILE BANKING TECHNOLOGY

WEALTH MANAGEMENT ACCELERATOR GIVE YOUR CUSTOMERS THE FREEDOM TO PROTECT, SAVE AND ACCESS ASSETS

HIPAA Compliance Guide

Privacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by:

HIPAA Security. assistance with implementation of the. security standards. This series aims to

Policy Title: HIPAA Security Awareness and Training

CyberSecurity Solutions. Delivering

VMware vcloud Air HIPAA Matrix

CUSTOMER SERVICE ACCELERATOR

Cloud Computing in a HIPAA- Compliant World. NRTRC Telemedicine Conference Dean Oswald March 25, 2014

A Technical Template for HIPAA Security Compliance

HIPAA Audit Processes HIPAA Audit Processes. Erik Hafkey Rainer Waedlich

Options and Key Considerations

CHIS, Inc. Privacy General Guidelines

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc.

CYBERSECURITY IN FINANCIAL SERVICES POINT OF VIEW CHALLENGE 1 REGULATORY COMPLIANCE ACROSS GEOGRAPHIES

How To Write A Health Care Security Rule For A University

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

HIPAA Security COMPLIANCE Checklist For Employers

PERFORMANCEPLUS GIVE YOUR PRODUCERS

CSC WORLD AN ARTICLE FROM FOCUS ON MOBILITY. Defining Your Mobile Strategy: A Guide to Developing Apps

BEYOND PREMIUM BILLING

HIPAA Security Checklist

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification

Privacy and Security Meaningful Use Requirement HIPAA Readiness Review

Life and annuity SoLutionS ReaCH for new HeiGHtS in PeRfoRManCe and flexibility

An Introduction to HIPAA and how it relates to docstar

OF MEANINGFUL USE THE HIDDEN REQUIREMENTS HOSPITAL QUALITY REPORTING: Introduction. Authors: Jane Metzger, Melissa Ames and Jared Rhoads

EARLYRESOLUTION DEFAULT MANAGEMENT ACROSS MULTIPLE CHANNELS DRIVE HIGHER PERFORMANCE

WHITE PAPER. HIPPA Compliance and Secure Online Data Backup and Disaster Recovery

HIPAA and Mental Health Privacy:

INSIGHTS LIFE SCIENCES

An Effective MSP Approach Towards HIPAA Compliance

UNIVERSITY OF CALIFORNIA, SANTA CRUZ 2015 HIPAA Security Rule Compliance Workbook

How To Manage Money On One Contract

HIPAA Compliance for Mobile Healthcare. Peter J. Haigh, FHIMSS Verizon

Solutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance

Security Is Everyone s Concern:

Datto Compliance 101 1

ITS HIPAA Security Compliance Recommendations

University of Illinois at Chicago Health Sciences Colleges Information Technology Group Security Policies Summary

HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS

Krengel Technology HIPAA Policies and Documentation

WHITEPAPER XMEDIUSFAX CLOUD FOR HEALTHCARE AND HIPAA COMPLIANCE

Achieving HIPAA Security Rule Compliance with Lumension Solutions

Research and the HIPAA Security Rule Prepared for the Association of American Medical Colleges by Daniel Masys, M.D. Professor and Chairman,

SECURITY RISK ASSESSMENT SUMMARY

HIPAA Compliance Guide

Procedure Title: TennDent HIPAA Security Awareness and Training

VIRGINIA ASSOCIATION OF COMMUNITY SERVICES BOARDS HIPAA READINESS STEERING COMMITTEE

HIPAA: Compliance Essentials

The Health Insurance Portability and Accountability Act - HIPAA - Using BeAnywhere on a HIPAA context

AdRem Software s HIPAA Compliance. An AdRem Software White Paper

Unit 6 Research Project. Eddie S. Jackson. Kaplan University. IT540: Management of Information Security. Kenneth L. Flick, Ph.D.

HIPAA Security Compliance for Konica Minolta bizhub MFPs

HIPAA Security: Complying with the HIPAA Security Rule Implementation Specifications Are You Correctly Addressing Them?

C.T. Hellmuth & Associates, Inc.

Implementing HIPAA Compliance with ScriptLogic

New Boundary Technologies HIPAA Security Guide

Health Insurance Portability and Accountability Act Enterprise Compliance Auditing & Reporting ECAR for HIPAA Technical Product Overview Whitepaper

HIPAA: MANAGING ACCESS TO SYSTEMS STORING ephi WITH SECRET SERVER

State HIPAA Security Policy State of Connecticut

HIPAA Security and HITECH Compliance Checklist

Transcription:

HIPAA COMPLIANCE REVIEW DRAGON MEDICAL V 10 CSC 3811 Turtle Creek Blvd Suite 2000 Dallas, TX 75219 Phone: 214.520.0555

TABLE OF CONTENTS 1.0 Introduction 1 2.0 Findings 1 2.1 Observations and Recommendations 1 2.2 HIPAA Matrix 2

DRAGON MEDICAL V10: HIPAA COMPLIANCE REVIEW 1.0 Introduction Nuance has released version 10 of Dragon Medical and, in preparation for this release, has engaged CSC to provide an independent review of Dragon Medical s compliance with the HIPAA Security Rule. CSC is a leading provider of healthcare information technology strategy and clinical implementation practices for providers in all healthcare settings. As part of its review, CSC has published this white paper which validates and outlines the HIPAA security considerations designed into the software. 2.0 Findings Assessment activities included question/answer sessions with Dragon Medical architects and engineers and review of the following product documentation: User Guide: Dragon Medical Enterprise Version 10 User Guide: Dragon Medical Preferred Version 10 Optimizing Clinical Productivity: Using Speech Recognition with Medical Features vs. a General Purpose Solution (White Paper) Dragon Medical Network and Security Issues (February 7, 2008) 2.1 Observations and Recommendations Dragon Medical is speech recognition software that automates the input of text and commands into the user interface of any application including Microsoft Word, PowerPoint, Internet Explorer, Mozilla Foxfire, and most major Electronic Health Record (EHR) systems, replacing manual input via the keyboard and mouse peripherals. CSC evaluated Dragon Medical Version 10 against the Administrative, Physical, and Technical Safeguards established by the Department of Health and Human Services in 164.308, 164.310, and 164.312 of the Healthcare Insurance Reform: Security Standards; Final Rule. The evaluation determined that Dragon Medical has a minimum amount of security built into the product, relying instead on security mechanisms provided by the Windows operating system (O/S) on which it resides and other third-party applications. 1

2.2 HIPAA Matrix Standard and Specification Security Management Process Administrative Safeguards Risk Analysis (R) Risk Management (R) Through the creation of a HIPAA Compliance whitepaper, Nuance can provide security-related details that can assist an institution in completing a HIPAA risk analysis of the Dragon Medical product line. Dragon Medical has a minimum amount of security built into the application. Instead, the product relies on the security mechanisms found in the Windows operating system (O/S) on which it resides and other third-party applications to manage security risks. Sanction Policy (R) Information System Activity Review (R) Assigned Security Responsibility (R) Workforce Security Authorization and/or Supervision (A) Workforce Clearance Procedures (A) Termination Procedures (A) Information Access Management Isolating Healthcare Clearinghouse Functions (R) Access Authorization (A) Access Establishment and Modification (A) Dragon Medical supports a PUSH installation method where the organization can control distribution of the application and push it out to only those workstations pre-authorized by management to have it. The ability to modify the application s configuration on Windows NT, 2000, XP & Vista systems formatted as NTFS depends on whether or not the user has O/S administrative privileges. Dragon Medical relies on Windows file permissions to control access to directories and files containing sensitive information. Depending on the operating system (O/S), the user s ability to modify the application setup would depend on whether or not they had administrative privileges at the O/S level. 2

Standard and Specification Security Awareness and Training Administrative Safeguards Security Reminders (A) Protection from Malicious Software (A) Security Incident Response Contingency Plan Evaluation Log-in Monitoring (A) Password Management (A) Response and Reporting (R) Data Backup Plan (R) Disaster Recovery Plan (R) Emergency Mode Operations Plan (R) Testing and Revision Procedures (A) Application and Data Criticality Analysis (A) Response and Reporting (R) Business Associate Contract and Other Arrangements Written Contract or Other Arrangements (R) The Dragon Medical administration guide and periodic information articles sent to customers provide security related recommendations and instructions. Dragon Medical can coexist on systems with virus protection software with no impact to functionality. Dragon Medical is not password protected when access locally at the workstation. Roaming users accessing a Dragon network server can be forced to authenticate by Windows file permissions and/or WebDAV. The Dragon Medical logging feature records a variety of information to assist in the identification and response to suspicious activity and events. Dragon Medical automatically creates a backup copy of each non-roaming user file. Automatic backup of user profiles is not available for nonroaming and roaming profiles stored on a network drive the client must implement a separate backup process. Disaster Recovery procedures for Dragon Medical can be crafted from standard Windows file disaster recovery technologies, strategies and third party solutions. Dragon Medical is compatible with data backup and disk imaging products that are certified to work with the current Windows desktop and server operating systems. Nuance continually reviews customer requests for security features and enhancements based upon the results of internal risk assessment activities. 3

Standard and Specification Facility Access Controls Workstation Use (R) Contingency Operations (A) Facility Security Plan (A) Access Control and Validation (A) Physical Safeguards Procedures (A) Maintenance Records (A) Workstation Security (R) Dragon Medical relies on standard Windows workstations security features (e.g. user login, password protected screensaver) and directory/file permissions to deter unauthorized access to the application and associated files. Device and Media Controls Disposal (R) Media Reuse (R) Accountability (R) Data Backup and Storage (R) Access Control Standard and Specification Technical Safeguards Unique User Identification (R) Relies on the Windows security controls and directory/file permissions to authenticate users. There is no additional authentication required by NaturallySpeaking. Emergency Access Procedures (R) Automatic Logoff (A) When utilizing the Master Roaming User feature, authentication to the centralized Dragon server is enforced by Windows file permissions or HTTP Roaming with WebDAV. No feature identified No feature identified 4

Integrity Transmission Standard and Specification Encryption and Decryption (A) Technical Safeguards Audit Controls (R) Mechanisms to Authenticate ephi (A) When the Language Model Optimizer feature is enabled, Dragon Medical automatically retains and encrypts a subset of audio and text files on the local machine using Microsoft Windows cryptography. Although Dragon Medical does not automatically encrypt the audio and text files dictated into another application such as MS Word, the user can protect the confidentiality and integrity of the information by implementing a separate filelevel encryption solution without impacting Dragon Medical functionality. The Dragon Medical logging feature captures a variety of information to assist in auditing user activities including targeted applications, changes to user profiles, and words added to the speech recognition profile. No feature identified Person or Entity Authentication (R) Dragon Medical relies on Windows security controls and file permissions to authenticate users. Integrity Control (A) Encryption (A) Dragon Medical support HTTP over Secure Sockets Layer (SSL) when the Roaming User feature is enabled. 5

CSC Turtle Creek Centre 3811 Turtle Creek Blvd. Suite 2000 Dallas, TX, 75219 +1.214.520.0555 Worldwide CSC Headquarters The Americas 3170 Fairview Park Drive Falls Church, Virginia 22042 United States +1.703.876.1000 Europe, Middle East, Africa Royal Pavilion Wellesley Road Aldershot Hampshire GU11 1PZ United Kingdom +44(0)1252.534000 Australia 26 Talavera Road Macquarie Park, NSW 2113 Australia +61(0)29034.3000 Asia 139 Cecil Street #08-00 Cecil House Singapore 069539 Republic of Singapore +65.221.9095 About CSC The mission of CSC is to be a global leader in providing technology enabled business solutions and services. With the broadest range of capabilities, CSC offers clients the solutions they need to manage complexity, focus on core businesses, collaborate with partners and clients, and improve operations. CSC makes a special point of understanding its clients and provides experts with real-world experience to work with them. CSC is vendor-independent, delivering solutions that best meet each client s unique requirements. For more than 45 years, clients in industries and governments worldwide have trusted CSC with their business process and information systems outsourcing, systems integration and consulting needs. The company trades on the New York Stock Exchange under the symbol CSC. 2008 Computer Sciences Corporation. 6

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information