HIPAA Security: Complying with the HIPAA Security Rule Implementation Specifications Are You Correctly Addressing Them?



Similar documents
STATEMENT OF WORK FOR HIPAA SECURITY RISK ANALYSIS

PRIVACY POLICIES AND FORMS FOR BUSINESS ASSOCIATES

HIPAA and HITECH Act. Compliance Guide

Securing the FOSS VistA Stack HIPAA Baseline Discussion. Jack L. Shaffer, Jr. Chief Operations Officer

HIPAA Information Security Overview

HIPAA Security. assistance with implementation of the. security standards. This series aims to

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security Topics

HIPAA Security Series

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

HIPAA Security. 4 Security Standards: Technical Safeguards. Security Topics

HIPAA Security Rule Compliance

HIPAA Security. Jeanne Smythe, UNC-CH Jack McCoy, ECU Chad Bebout, UNC-CH Doug Brown, UNC-CH

IBM Internet Security Systems. The IBM Internet Security Systems approach for Health Insurance Portability and Accountability Act compliance overview

HIPAA Compliance Guide

HIPAA Security Alert

HIPAA Security. 1 Security 101 for Covered Entities. Security Topics

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

HIPAA/HITECH PRIVACY & SECURITY CHECKLIST SELF ASSESSMENT INSTRUCTIONS

HIPAA Security COMPLIANCE Checklist For Employers

HIPAA Audit Processes HIPAA Audit Processes. Erik Hafkey Rainer Waedlich

An Oracle White Paper December Leveraging Oracle Enterprise Single Sign-On Suite Plus to Achieve HIPAA Compliance

Healthcare Compliance Solutions

VMware vcloud Air HIPAA Matrix

HIPAA Security Matrix

HIPAA Security. 5 Security Standards: Organizational, Policies. Security Topics. and Procedures and Documentation Requirements

Datto Compliance 101 1

HIPAA Security Checklist

How To Write A Health Care Security Rule For A University

SAMPLE HIPAA/HITECH POLICIES AND PROCEDURES MANUAL FOR THE SECURITY OF ELECTRONIC PROTECTED HEALTH INFORMATION

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

SECURITY RISK ASSESSMENT SUMMARY

CHIS, Inc. Privacy General Guidelines

The Second National HIPAA Summit

HIPAA Compliance Guide

WHITE PAPER. Support for the HIPAA Security Rule RadWhere 3.0

Privacy Officer Job Description 4/28/2014. HIPAA Privacy Officer Orientation. Cathy Montgomery, RN. Presented by:

The HIPAA Security Rule Primer A Guide For Mental Health Practitioners

White Paper. Support for the HIPAA Security Rule PowerScribe 360

HIPAA compliance. Guide. and HIPAA compliance. gotomeeting.com

UNIVERSITY OF CALIFORNIA, SANTA CRUZ 2015 HIPAA Security Rule Compliance Workbook

HIPAA Security. 6 Basics of Risk Analysis and Risk Management. Security Topics

A Technical Template for HIPAA Security Compliance

ITS HIPAA Security Compliance Recommendations

The HIPAA Security Rule Primer Compliance Date: April 20, 2005

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE

An Introduction to HIPAA and how it relates to docstar

C.T. Hellmuth & Associates, Inc.

HIPAA Privacy & Security White Paper

Privacy and Security Meaningful Use Requirement HIPAA Readiness Review

Heather L. Hughes, J.D. HIPAA Privacy Officer U.S. Legal Support, Inc.

HIPAA Compliance: Are you prepared for the new regulatory changes?

HIPAA and Mental Health Privacy:

Policy Title: HIPAA Security Awareness and Training

HIPAA 203: Security. An Introduction to the Draft HIPAA Security Regulations

Security Is Everyone s Concern:

FINAL May Guideline on Security Systems for Safeguarding Customer Information

HIPAA Security. 2 Security Standards: Administrative Safeguards. Security. Topics

HIPAA/HITECH: A Guide for IT Service Providers

An Effective MSP Approach Towards HIPAA Compliance

HIPAA: In Plain English

Krengel Technology HIPAA Policies and Documentation

Policies and Compliance Guide

RAYSAFE S1 SECURITY WHITEPAPER VERSION B. RaySafe S1 SECURITY WHITEPAPER

The second section of the HIPAA Security Rule is related to physical safeguards. Physical safeguards are physical measures, policies and procedures

HIPAA SECURITY RULES FOR IT: WHAT ARE THEY?

HIPAA COMPLIANCE REVIEW

HIPAA Security and HITECH Compliance Checklist

State HIPAA Security Policy State of Connecticut

Client Security Risk Assessment Questionnaire

WHITEPAPER XMEDIUSFAX CLOUD FOR HEALTHCARE AND HIPAA COMPLIANCE

BEFORE THE BOARD OF COUNTY COMMISSIONERS FOR MULTNOMAH COUNTY, OREGON RESOLUTION NO

Please Read. Apgar & Associates, LLC apgarandassoc.com P. O. Box Portland, OR Fax

HIPAA Audit Risk Assessment - Risk Factors

Preparing for the HIPAA Security Rule

Joseph Suchocki HIPAA Compliance 2015

Montclair State University. HIPAA Security Policy

Procedure Title: TennDent HIPAA Security Awareness and Training

WHITE PAPER. HIPAA-Compliant Data Backup and Disaster Recovery

HIPAA Assessment HIPAA Policy and Procedures

Data Security and Integrity of e-phi. MLCHC Annual Clinical Conference Worcester, MA Wednesday, November 12, :15pm 3:30pm

Healthcare Management Service Organization Accreditation Program (MSOAP)

Guidance on Risk Analysis Requirements under the HIPAA Security Rule

Protecting Patient Information in an Electronic Environment- New HIPAA Requirements

WHITE PAPER. HIPPA Compliance and Secure Online Data Backup and Disaster Recovery

Transcription:

HIP Security: Complying with the HIP Security ule Implementation Specifications re You Correctly ddressing Them? The Seventh National HIP Summit Monday, September 15, 2003 Tom Walsh, CISSP 6108 West 121 Street Overland Park, KS 66209 Phone: 913-696-1573 e-mail: twalshconsulting@aol.com

Implementation Specifications re You Correctly ddressing Them? September 2003 Comprehensive, Flexible, Scalable, Technology Neutral HIP SECUITY ULE dministrative Safeguards (55%) 12 equired, 11 ddressable Physical Safeguards (24%) 4 equired, 6 ddressable Technical Safeguards (21%) 4 equirements, 5 ddressable ddressable Implementation Specifications In meeting standards that contain addressable implementation specifications, a covered entity will ultimately do one of the following: Implement one or more of the addressable implementation specifications; Implement one or more alternative security measures; Implement a combination of both; or Security ule Sections 164.304 Definitions 164.306 Security Standards: General ules 164.308 dministrative safeguards 164.310 Physical safeguards 164.312 Technical safeguards 164.314 Organizational requirements 164.316 Policies and procedures and documentation requirements 164.318 Compliance dates Not implement either an addressable implementation specification or an alternative security measure. Key Concepts Security ule isk nalysis Determines the appropriate means of compliance Does not imply that organizations are given complete discretion to make their own rules Covered entities must assess if an implementation specification is reasonable and appropriate DMINISTTIVE SFEGUDS Security Management Process isk nalysis () ssesses its own security risks Determines its risk tolerance or risk aversion isk Management () Privacy versus Security Parallels the Privacy ule except: Security ule covers only electronic protected health information (ephi) Privacy ule applies to PHI in paper, oral, and electronic form Security standards extend to the members a covered entity s workforce even if they work at home equires a minimum level of documentatio that must be retained for six years Devises, implements, and maintains appropriate security to address its business requirements 2003 Tom Walsh Consulting, LLC Page 1 of 7

Implementation Specifications re You Correctly ddressing Them? September 2003 DMINISTTIVE SFEGUDS (continued) Security Management Process Sanction Policy () Information System ctivity eview () Sanctions must be clearly defined; Not just a generic statement in policies ctivity eview ( Internal udit ) Procedures for reviewing audit logs, access reports, and security incident tracking reports ssigned Security esponsibility esponsibility must rest with one individual to ensure accountability typically an Information Security Officer (ISO) Large organizations may have site security coordinators working with the ISO Smaller organizations may use the Privacy Official or outsource the ISO function Security standards extend to the members of a covered entity s workforce even if they work at home Workforce Security uthorization and/or Supervision () Workforce Clearance Procedure () Termination Procedures () uthorization controls to verify the identity of the workforce member Types of background checks that will be conducted for workforce members Termination Collecting access control devices or changing door locks, etc. Information ccess Management Isolating Healthcare Clearinghouse Function () ccess authorization () ccess Establishment and Modification () Isolating Healthcare Clearinghouse Function New requirement equirement for User-based, role-based, or context-based was removed Compliance with the Privacy ule s Minimum necessary and JCHO IM standards may drive role-based access controls Security wareness and Training Security eminders () Protection from Malicious Software () Log-in Monitoring () Password Management () What is the difference between: Training, Education and wareness? What other information security content should be covered in workforce training? Security awareness training is a critical activity, regardless of an organization s size. 2003 Tom Walsh Consulting, LLC Page 2 of 7

Implementation Specifications re You Correctly ddressing Them? September 2003 DMINISTTIVE SFEGUDS (continued) Security Incident Procedures esponse and eporting () Provides a way for users to report unusual occurrences in security or breaches to patient confidentiality Contingency Plan Data Backup Plan () Disaster ecovery Plan () Emergency Mode Operation Plan () Testing and evision Procedure () pplications and Data Criticality nalysis () Goals: Identify Contain Correct Prevent Documented procedure for the secure, off-site storage and rotation of backups Work in conjunction with Data Owners to determine the organization s ecovery Point Objective (PO) and ecovery Time Objective (TO) Evaluation Periodic review of technical controls and procedural review of the entity s security program Non-Technical review Self assessment or gap analysis Certification of systems Compliance documentation udit logs and incident reports Technical review Vulnerability scans Testing of security controls Security ule Business ssociate Contracts and Other rrangements Written Contract or Other rrangements () Identify all business associates who receive or have access to electronic PHI Tie efforts with the Privacy initiative Leverage the opportunity to establish rules for remote access for vendors to limit downstream liability 2003 Tom Walsh Consulting, LLC Page 3 of 7

Implementation Specifications re You Correctly ddressing Them? September 2003 PHYSICL SFEGUDS Facility ccess Controls Contingency Operations () Facility Security Plan () ccess Control and Validation Procedures () Maintenance ecords () To protect buildings, equipment, and media from natural and environmental hazards and unauthorized intrusions Track maintenance records for door lock repairs or changes Workstation Use Workstation Security Could address both in a single policy Verify workstations are located to prevent unauthorized or casual viewing Conduct a random audit of computer workstations to verify they have been updated with the latest version of virus definitions Device and Media Controls Disposal () Media e-use () ccountability () Data backup and Storage () Device added to media controls to address things such as PDs Media e-use is a new requirement; Sanitization of media (Overwriting the disk with random patterns of 1s and 0s ) Importance of a Media e-use Policy There have been many news stories about people purchasing used computers and finding sensitive and confidential information stored on the hard disks. Some people have been able to retrieve names, addresses, medical information, Social Security Numbers, and credit card numbers. Organizations must implement a strong media re-use policy to prevent these types of disclosures that could possibly lead to identity theft, the fastest growing crime in merica. 2003 Tom Walsh Consulting, LLC Page 4 of 7

Implementation Specifications re You Correctly ddressing Them? September 2003 TECHNICL SFEGUDS ccess Control Unique User Identification () Emergency ccess Procedure () utomatic Logoff () Encryption and Decryption () Unique UserID for accountability Most important for clinical applications utomatic logoff also permits an equivalent measure to restrict access Encryption is an acceptable method of access control (data at rest) udit Controls Use risk assessment and analysis to determine the extent of audit trails Events that trigger an audit trail need to be jointly determined by the Data Owners, the Privacy and Security Officers Check with vendors on audit capability Store audit logs on a separate server System administrators should not have access to the audit logs Integrity Mechanism to uthenticate Electronic PHI () Document any integrity controls that will be employed especially for transmissions outside of the internal network to ensure the validity of the data being sent or the sender of the data Person or Entity uthentication Person or entity authentication is primarily accomplished through UserID and passwords The Security ule does not specify any password requirements Transmission Security Integrity Controls () Encryption () When electronic protected health information is transmitted from one point to another, it must be protected in a manner commensurate with the associated risk. ecognition that there is not a simple and interoperable solution to encrypting e- mail containing PHI 2003 Tom Walsh Consulting, LLC Page 5 of 7

Implementation Specifications re You Correctly ddressing Them? September 2003 SECUITY: BUSINESS POCESS So how much security do you really need? Security: Business Process You need a little more security than the next guy No such thing as 100% security Three factors inhibit countermeasures: 1. Costs (Direct and indirect) 2. The hassle factor (Inconvenience) easonable and appropriate an emergency measures need to be taken (due diligence) balanced security approach provides due diligence without impeding health care 3. May prevent legitimate access in Source: For the ecord: Protecting Electronic Health Information Balance Lack of adequate security results in the potential unauthorized access to confidential information. Too much security may hinder health care. The goal is to reduce (not eliminate) risks to an acceptable level based upon an organization s risk tolerance. isk Cost ESOUCES ISO 17799:2000, Code of Practice for Information Security Management NIST Special Publication 800 series: http://csrc.nist.gov/publications/nistpubs/index.html Handbook for HIP Security Implementation by Margret matayakul, Steve Lazarus, Tom Walsh, and Carolyn Hartley, which is being published by the merican Medical ssociation in October 2003. Best Practices for Compliance with the Final Security ule by Tom Walsh, published by HIMSS in the Journal of Healthcare Information Management, Volume 17, Number 3, Summer 2003 CONCLUSION The Security ule requires covered entities to apply reasonable and appropriate safeguards and controls to protect electronic protected health information (ephi) Whether required or addressable, the appropriate safeguards should be based upon an organization's risk analysis and best practices 2003 Tom Walsh Consulting, LLC Page 6 of 7

Implementation Specifications re You Correctly ddressing Them? September 2003 The Final HIP Security Standards (February 2003) DMINISTTIVE SFEGUDS 164.308 Standards Section Implementation Specifications Security Management Process 164.308(a)(1) isk nalysis isk Management Sanction Policy Information System ctivity eview ssigned Security esponsibility 164.308(a)(2) Workforce Security 164.308(a)(3) uthorization and/or Supervision Workforce Clearance Procedure Termination Procedures Information ccess Management 164.308(a)(4) Isolating Healthcare Clearinghouse Function ccess uthorization ccess Establishment and Modification Security wareness and Training 164.308(a)(5) Security eminders Protection from Malicious Software Log-in Monitoring Password Management Security Incident Procedures 164.308(a)(6) esponse and eporting Contingency Plan 164.308(a)(7) Data Backup Plan Disaster ecovery Plan Emergency Mode Operation Plan Testing and evision Procedure pplications and Data Criticality nalysis Evaluation 164.308(a)(8) Business ssociate Contracts nd 164.308(b)(1) Written Contract or Other rrangements Other rrangements PHYSICL SFEGUDS 164.310 Standards Section Implementation Specifications Facility ccess Controls 164.310(a)(1) Contingency Operations Facility Security Plan ccess Control & Validation Procedures Maintenance ecords Workstation Use 164.310(b) Workstation Security 164.310(c) Device and Media Controls 164.310(d)(1) Disposal Media e-use ccountability Data Backup and Storage TECHNICL SFEGUDS 164.312 Standards Section Implementation Specifications ccess Control 164.312(a)(1) Unique User Identification Emergency ccess Procedure utomatic Logoff Encryption and Decryption udit Controls 164.312(b) Integrity 164.312(c)(1) Mechanism to uthenticate Electronic PHI Person or Entity uthentication 164.312(d) Transmission Security 164.312(e)(1) Integrity Controls Encryption OGNIZTIONL EQUIEMENTS 164.314 POLICIES ND POCEDUES ND DOCUMENTTION EQUIEMENTS 164.316 Legend: = equired = ddressable 2003 Tom Walsh Consulting, LLC Page 7 of 7

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information