White Paper Instant Messaging (IM) HIPAA Compliance




Statement of Purpose

This document is focused on providing health care companies, and all others bound by HIPAA regulations, with an eye-opening description of instant messaging use in the enterprise, and how to ensure its compliance with government regulation. It also covers how to effectively manage a corporate IM infrastructure, and the ways in which the InterIM product line can provide your company with an easy, full-featured solution that meets all government IM requirements, at a price that will not break your IT budget.

Table of Contents

1 An Overview of Instant Messaging
  1.1 The Advantages of IM
  1.2 Corporate IM Growth
2 The HIPAA Dilemma
  2.1 History and Requirements
  2.2 Compliance Options
  2.3 Penalties
  2.4 HIPAA Resources and Links
3 Enterprise Class Instant Messaging
  3.1 Security
  3.2 Message Logging and Auditing
  3.3 Instant Messaging Policy Management
4 InterIM is Your Solution
  4.1 Ease of Use
  4.2 Why an Appliance?
  4.3 The Deviant Philosophy
5 Appendix A

1 An Overview of Instant Messaging

Instant Messaging (IM) provides the ability to communicate interactively via text messages. The concept dates back to the 1960s with the UNIX talk program but has only recently come into widespread use. It started with AOL, MSN, and Yahoo providing IM services to their subscribers. The advantage of IM is that it allows users to communicate informally over the Internet in real time. An additional advantage is the concept of presence, which allows users to see whether the person they need to communicate with is available, thus avoiding frustrating phone-tag scenarios.

1.1 The Advantages of IM

Daily management of a business is a symphony of small decisions. However, if these decisions do not flow freely, they can hold up critical business functions, which may result in missed opportunities. Instant Messaging provides an affordable and rapid communications medium that fills the void between the telephone and email. It is the perfect medium for getting quick answers through direct communication, without the time-consuming chore of setting up a meeting. Incorporating instant messaging capabilities into your business can actually result in less communications overhead, freeing up time for more productive meetings that focus on issues of greater strategic relevance.

1.2 Corporate IM Growth

Instant messaging is quickly becoming the medium of choice for rapid communications in businesses, and its use is growing at an astounding rate. In a recent study, the Radicati Group projected that the number of business IM accounts will grow beyond 300 million by 2007 [1]. However, most companies remain vulnerable to prying eyes and government regulations because they rely on public IM networks.

[1] http://www.eweek.com/article2/0,3959,1124698,00.asp: projected user base of 1.4 billion with a 3:1 ratio of personal to business users by 2007.

2 The HIPAA Dilemma

The rules governing the use of instant messaging in the healthcare industry are often overlooked as firms work tirelessly to comply with the intricacies of the HIPAA act. HIPAA permeates many areas of a business, including instant messaging. In fact, even firms that specialize in compliance often overlook IM, yet the Centers for Medicare & Medicaid Services (CMS) makes clear that IM is bound by the same guidelines as any electronic data transmission.

2.1 History and Requirements

HIPAA, the Health Insurance Portability and Accountability Act of 1996, provides legislation to protect workers who leave their jobs from losing their ability to be covered by health insurance (Portability), and to protect the integrity, confidentiality, and availability of electronic health information (Accountability). Confidentiality applies to all aspects of patient information, and HIPAA requires that all communications be encrypted and that there be an audit trail in place. For instant messaging, an audit trail means that the messages must be logged and available for future reference. Alarms and event reports are also required for full compliance. Please see our white paper entitled IM Policy Management for more information on how InterIM's policy management features can help protect your business.

2.2 Compliance Options

Compliance can be achieved in one of two ways:

- Gateway solutions capture instant messaging traffic and log it to a database. These solutions do not provide an instant messaging server, however, so some type of server will be needed. If public services are used, they will not provide any security, and information will be viewable by third parties.
- Server solutions provide an instant messaging infrastructure, but depending on the product, these systems may not be secure, log messages, or provide any type of auditing or management tools.

InterIM is a combination of these approaches and provides everything a company requires to run an enterprise class, HIPAA compliant system in a single easy to use appliance.

2.3 Penalties

Section 1176 of HIPAA states that "penalties may not be more than $100 per person per violation and not more than $25,000 per person for violations of a single standard for a calendar year." The potential to violate HIPAA using public instant messaging networks is high. Employees often use public IM services without the consent or knowledge of their employers. InterIM provides organizations with a way to ensure compliance and eliminate the chances of penalties, without denying the productivity-enhancing use of instant messaging.

2.4 HIPAA Resources and Links

For more information on HIPAA compliance, we have compiled a number of links to assist your research:

1. http://www.hipaa.org provides a comprehensive look at the act in its entirety.
2. http://www.cms.hhs.gov/hipaa/ is the site of the Centers for Medicare & Medicaid Services (CMS).
3. http://www.hipaacomplete.com is a good resource for an overview of compliance.
4. http://www.palisadesys.com/news&events/hipaastudy.pdf is a great description of how HIPAA targets IM and peer-to-peer use.

3 Enterprise Class Instant Messaging

The InterIM product line, by Deviant Technologies, Inc., provides an internal instant messaging server, as well as compatibility with the major public IM networks. There are three critical areas of IM management that ensure HIPAA compliance and provide IM administrators with the necessary tools to successfully administer a corporate IM solution. These are:

- Security
- Message logging and auditing
- IM policy creation and management

3.1 Security

Security has been and shall remain a primary concern in all IT systems, regardless of type or purpose. Instant messaging can be no exception. In fact, HIPAA requires that all electronic communications that might possibly carry patient data be encrypted. Many employees believe that if they send an instant message over a public IM service to someone in the next office, the message travels from their computer directly to the computer in the adjacent office. This is not true: the message travels out of the company to the servers administered by the public IM network, then back to the person in the nearby office, the whole time as unencrypted text. Any proprietary or confidential information is available to be viewed by those with the skill to do so. This security hole has led many IT managers either to disable IM for employee use, or to take the risk of compromising private information.

InterIM provides a low cost solution for ensuring your company's private data remains private. InterIM provides an internal instant messaging server boasting 512-bit default encryption on your internal instant messaging network that can easily be increased to as high as 2048-bit. To provide maximum connectivity between coworkers and customers, InterIM also maintains compatibility with the popular public IM networks, but it cannot provide encryption on those channels. Ensuring that confidential internal communications are channeled over the internal network instead of public networks can be achieved through effective IM policy management, which is discussed in section 3.3 of this document.

3.2 Message Logging and Auditing

The ability to log and audit instant messaging traffic on your corporate network has become a necessity, not an option. HIPAA dictates that messages must be stored and easily retrievable in the event of an audit. In order to log all instant messaging traffic effectively, a proxy of some kind must be set up. This proxy acts as an IM gateway. The corporate firewall is then configured to prohibit all IM traffic except that which originates from the gateway. In this way, all IM traffic passes through the gateway, where it can be logged and stored for auditing purposes.

InterIM logs all instant messages, whether internal or on the public IM networks, to a relational database where the messages are archived and can be searched and audited, meeting the requirements for message archiving as mandated by CMS under HIPAA. Additionally, InterIM provides a variety of tools for parsing the data within the logs. Data can be audited through a number of customizable search and filtering tools, allowing common searches to be saved for reuse.

Typical enterprise IM solutions provide only one piece of the puzzle, often requiring an external database and tools to store and analyze instant messaging traffic. InterIM provides all these features in an easy to use, plug and play appliance. Our patent pending, all-in-one solution delivers more features than our competitors and greater ease of use at a fraction of the cost, giving our customers a superior solution which delivers a return on investment in weeks, not years, by reducing installation and management time for your IT staff.

3.3 Instant Messaging Policy Management

Security and message logging are critical to managing your instant messaging infrastructure, yet without a sound and manageable policy there is still an opportunity for employees to circumvent or bypass the safeguards in place. Instant messaging policy management tools allow administrators to monitor IM usage and notify them when a policy has been violated so that they may take proper action. There are three steps to successful policy management: policy creation, policy management through the use of tools, and policy enforcement. Policy creation and enforcement differ from company to company depending on the level of security required and the sensitivity of the data on the network.

InterIM provides administrators with an array of tools designed to manage and enforce their IM policies. InterIM's keyword notification tool allows administrators to monitor all messages on the non-secure networks for sensitive terms or phrases, such as social security numbers or confidential project names. InterIM's reporting tools enable administrators to monitor instant messaging usage, for example, how much time employee X is spending on the internal system vs. public systems. InterIM's patent pending per-user-transport administration allows administrators to grant access to public networks to power users while denying it to others.
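The keyword notification described above, as an added example that is not part of the original paper or the InterIM product: a Python scanner over a constructed gateway log that flags messages on the public (non-secure) transports containing a valid-looking social security number or a watched project name, masking the value in the alert so the alert itself does not leak it. The log format, the transport names and the term "project nightingale" are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed sample IM gateway log (not real data). Fields: timestamp, transport,
# sender, recipient, message text. "internal" is the encrypted internal server;
# the other transports are public IM networks relayed through the gateway.
SAMPLE_LOG = """\
2005-03-01T09:12:04 internal alice bob Can you review the Q3 budget draft?
2005-03-01T09:13:40 aim alice carol Patient SSN is 123-45-6789, please update the chart
2005-03-01T09:15:02 msn dave erin Project Nightingale kickoff moved to Friday
2005-03-01T09:16:11 internal dave erin Project Nightingale kickoff moved to Friday
2005-03-01T09:17:30 yahoo bob frank Order number 000-12-3456 shipped this morning
"""

PUBLIC_TRANSPORTS = {"aim", "msn", "yahoo", "icq"}
# Hypothetical confidential project name used as a watch term.
CONFIDENTIAL_TERMS = ("project nightingale",)

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (.*)$")
# Conventional 3-2-4 SSN form, excluding values that are never issued:
# area 000, 666 or 900-999; group 00; serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


@dataclass(frozen=True)
class Alert:
    timestamp: str
    transport: str
    sender: str
    recipient: str
    reason: str
    excerpt: str  # message text with the sensitive value masked


def redact(text):
    """Mask anything that looks like an SSN so the alert does not re-expose it."""
    return SSN_RE.sub("***-**-****", text)


def scan_message(timestamp, transport, sender, recipient, text):
    """Return alerts for one message; only non-secure (public) transports are watched."""
    if transport not in PUBLIC_TRANSPORTS:
        return []
    alerts = []
    if SSN_RE.search(text):
        alerts.append(Alert(timestamp, transport, sender, recipient,
                            "ssn on public network", redact(text)))
    lowered = text.lower()
    for term in CONFIDENTIAL_TERMS:
        if term in lowered:
            alerts.append(Alert(timestamp, transport, sender, recipient,
                                f"confidential term '{term}' on public network", redact(text)))
    return alerts


def scan_log(log_text):
    """Parse each gateway log line and collect the alerts an administrator should see."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line; a production tool would count these separately
        alerts.extend(scan_message(*m.groups()))
    return alerts


if __name__ == "__main__":
    for a in scan_log(SAMPLE_LOG):
        print(f"{a.timestamp} [{a.transport}] {a.sender} -> {a.recipient}: {a.reason}")
        print(f"    {a.excerpt}")
```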

4 InterIM is Your Solution

HIPAA compliance has become a thorn in the side of many healthcare and related firms over the past several years. We at Deviant Technologies recognize and appreciate this, and as such have worked to design a product that will bring firms into compliance with HIPAA's guidelines for instant messaging in half an hour or less (see Appendix A on InterIM Installation). InterIM provides everything a firm needs to comply with HIPAA regulations in an easy to install and administer, plug-and-play hardware appliance. InterIM can get your firm up and running on an auditable, compliant, and secure instant messaging platform now, not in weeks. Our instant messaging solution provides a high level of encryption, logging and auditing capabilities, and instant messaging policy creation and management tools, all on a hardware platform that has been optimized for speed and stability, at a price far below that of our competitors. In fact, InterIM can save customers between 50% and 80% compared with our competitors' solutions.

4.1 Ease of Use

InterIM is designed to be up and running in under 30 minutes. Setup requires a few simple steps and can be performed by someone with little or no IT experience. Simply start the server, give it a name and address, import users from your existing directory server via InterIM's easy to use Directory Import tools, and your company is ready for secure, archived instant messaging that is compatible with all your favorite public IM networks, including the AOL, Yahoo!, MSN, ICQ and Jabber instant messaging services. Future support for Short Message Service (SMS) messaging is planned so that messages can be sent to and from cell phone users.

4.2 Why an Appliance?

Our goal is to provide our customers with the highest quality product at a price that will deliver a rapid return on investment. Integrating the software and hardware provides customers with peace of mind, knowing that there will be no hardware issues to attend to, no expensive operating system to install and configure, no database integration headaches, and no security holes to patch. InterIM comes with its own firewall, which blocks any traffic that is not required to operate the unit, and since it runs on the Linux operating system, InterIM is not susceptible to virus attacks. Overall, InterIM provides industry leading features at affordable prices. Compliance itself is already a headache; don't let your solution become one as well. Call a Deviant representative at 1-866-DEVIANT (338-4268) today to order or learn more about our InterIM line of server appliances, or visit us online at http://www.devianttechnologies.com.

4.3 The Deviant Philosophy

Deviant Technologies believes that our customers should not be shackled by expensive solutions to their regulatory problems. Our aim is to provide enterprise class products to businesses of all sizes at prices they can afford. InterIM is no exception. In short, InterIM is easier, less expensive and more secure than the majority of competitors.

5 Appendix A: InterIM Installation

Installation of your InterIM appliance is a breeze. Typically, customers with little IT experience are able to have it up and running in 30 minutes or less. Provided below is a typical installation sequence. Steps may differ, and some may be skipped altogether depending on your network.

Step 1: IP Address and DNS
In order to get your InterIM Appliance on the network, it must be given a network address. By default, one can be obtained automatically. Alternatively, one can be provided manually by simply entering the address via the keypad on the front of the appliance.

Step 2: Connect to the Web Administration Interface
To connect to the appliance for administration, open your web browser and enter the IP address shown on the appliance display. Once connected, enter the default admin user name and password. Once logged on, create a new administrative username and password.

Step 3: DNS
This step is for convenience. Once the IP address is set and you have access to the administration pages, an alias should be set, and a record made in your DNS for the name/address you have given the appliance.

Step 4: Firewall Configuration
In order to have your InterIM Appliance log all instant messages, those messages must pass through the appliance. To ensure this, administrators should block all IM traffic from all addresses except the InterIM appliance address. The public IM networks can thus be reached only through the InterIM appliance, and only if access is granted by the administrator.

Step 5: Directory Import
InterIM provides the ability to import your user base from your existing LDAP-compatible directory server. Simply point the InterIM appliance at your directory server, and import. This can typically be done in 5 minutes or less. Templates are provided for certain directory schemas such as Microsoft's Active Directory.

Step 6: Security Configuration
By default, InterIM appliances come with 512-bit encryption; however, Deviant Technologies recommends that all administrators create a new encryption key with the level of encryption that their organization requires. Use of existing certified keys is supported. Please see our Security page for more information on this topic.

Step 7: IM Policy Creation
InterIM provides a broad array of IM policy creation and management tools. These tools are designed to provide maximum flexibility to our customers. By default, access to external IM networks is off. However, access can be granted to users, groups, or your whole enterprise with a few clicks of the mouse. Logging and auditing policies are also easily configurable. For more information on IM policy creation and management, please see our IM Policy Management page.

Step 8: Rollout
Now that your corporate IM policy has been created, rollout of the IM solution can be performed. InterIM makes this easy by providing a client download page on the appliance. Simply send an email to your users notifying them of the new system, with a hyperlink to download the client. Links can also be placed on internal web sites. Client installation is simple and nearly all operating systems are supported. See our InterIM Client page for more information.

Installation of your InterIM Appliance is now complete! For more information on our installation process or our appliance in general, please email us at info@devianttechnologies.com or contact us at 1-866-DEVIANT.
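The gateway-only egress rule from section 3.2 and from Step 4 above, as an added example that is not from the paper or the appliance: a Python policy check that lets traffic to the public IM ports leave the LAN only from the gateway address, renders the equivalent iptables rules, and audits a constructed firewall flow log for workstations attempting to reach public IM networks directly, which is the bypass the paper's logging depends on preventing. The gateway address 10.0.0.5, the 10.0.0.0/24 LAN and the flow-log format are assumptions.

```python
import ipaddress
from collections import Counter

# Hypothetical addresses for this example: the appliance acting as IM gateway, and the LAN.
GATEWAY_IP = ipaddress.ip_address("10.0.0.5")
LAN = ipaddress.ip_network("10.0.0.0/24")
# Default ports of the public IM networks the paper lists. Public clients can fall
# back to 80/443, so a port rule is a baseline; the gateway's log is the real control.
IM_PORTS = {5190: "aim/icq", 1863: "msn", 5050: "yahoo", 5222: "jabber"}


def egress_decision(src, dst, dst_port):
    """Policy from section 3.2 / Step 4: IM traffic may leave the LAN only from the gateway.

    Returns "allow", "deny", or "pass" (not IM traffic; outside this policy)."""
    if dst_port not in IM_PORTS:
        return "pass"
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if dst_ip == GATEWAY_IP:
        return "allow"   # clients talking to the internal server / gateway itself
    if src_ip == GATEWAY_IP:
        return "allow"   # the gateway relaying to a public network, where it is logged
    return "deny"        # a workstation trying to reach a public IM network directly


def render_rules():
    """Equivalent iptables rules for a perimeter firewall whose FORWARD chain carries LAN egress."""
    ports = ",".join(str(p) for p in sorted(IM_PORTS))
    return [
        f"iptables -A FORWARD -s {GATEWAY_IP} -p tcp -m multiport --dports {ports} -j ACCEPT",
        f"iptables -A FORWARD -s {LAN} -p tcp -m multiport --dports {ports} -j REJECT",
    ]


# Constructed firewall flow log (not real traffic): timestamp, source, destination, dest port.
# Public-side addresses are taken from the RFC 5737 documentation ranges.
SAMPLE_FLOWS = """\
2005-03-01T09:00:01 10.0.0.5 203.0.113.10 5190
2005-03-01T09:00:07 10.0.0.42 198.51.100.20 1863
2005-03-01T09:00:09 10.0.0.42 198.51.100.20 1863
2005-03-01T09:00:15 10.0.0.17 192.0.2.30 5050
2005-03-01T09:00:20 10.0.0.42 10.0.0.5 5222
2005-03-01T09:01:00 10.0.0.99 198.51.100.7 443
"""


def audit_flows(log_text):
    """Count, per internal host, the direct public-IM connection attempts the policy denies.

    A non-empty result means a workstation is bypassing the gateway and its audit log."""
    offenders = Counter()
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # malformed record; a production tool would count these separately
        _ts, src, dst, port = fields
        if egress_decision(src, dst, int(port)) == "deny":
            offenders[src] += 1
    return offenders


if __name__ == "__main__":
    print("\n".join(render_rules()))
    for host, n in audit_flows(SAMPLE_FLOWS).most_common():
        print(f"{host}: {n} direct IM connection attempt(s) bypassing the gateway")
```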