How to use the Alertsec Service to Achieve HIPAA Compliance for Your Organization



Alertsec offers Cloud Managed, Policy Controlled Security Modules for Ensuring Compliance at the Endpoints

Contents
  Executive Summary
  Building HIPAA Compliance
    Who Needs to be HIPAA Compliant
    HIPAA Rules
  Alertsec HIPAA Safeguards
    Section 164.308 Administrative Safeguards
      (a)(1) Standard: Security Management Process
      (a)(5) Standard: Security Awareness and Training
    Section 164.312 Technical Safeguards
      (a) Standard: Access Control
      (b) Standard: Audit Controls
      (d) Standard: Person or Entity Authentication
  Alertsec Service Features
  Summary
  References
  About Alertsec

Tables
  Table 1 Security Management Process Support
  Table 2 Security Awareness and Training Support
  Table 3 Access Control Support
  Table 4 Alertsec Service Compliance Modules

Executive Summary

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 has set the stage for a lot of changes in healthcare in the U.S. over the last decade. When combined with the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, organizations dealing with electronic Protected Health Information (ePHI, also referred to as "the information" in this document) need to put technical controls in place to ensure the security and privacy of patient data, or face severe consequences ranging from making public acknowledgement of data exposure and paying steep fines (currently up to $1.5 million for noncompliance) to the loss of government payments for care (such as from Medicare or Medicaid). Alertsec provides a solid foundation on which you can build your compliance program.

Today, most organizations that deal with medical information use some sort of electronic healthcare system that combines the many facets of patient care, from intake and visits to follow-up care and billing, and these systems are generally designed for compliance. To provide complete coverage of the ePHI technical protection needed for HIPAA compliance, you need to protect more than just the healthcare system itself. Any system where patient data could be accessed or stored must be protected, and this is where the Alertsec Service plays a critical part.

Alertsec Service features:
  Protect: Safeguard all ePHI on computers and removable media (USB sticks/drives etc.)
  Comply: Meet the HIPAA and HITECH Enforcement Rule requirements through Policy Control
  Manage: Deploy and monitor compliance through a cloud management tool

Figure 1: Alertsec management and compliance monitoring is the most intuitive system to use in the market place.

Building HIPAA Compliance

When approaching HIPAA compliance for your organization it is important to look at your overall compliance "story". The HIPAA and HITECH Acts lay out the penalties for ePHI disclosure but also provide mechanisms for Safe Harbor against breaches when certain conditions are met. To claim an Affirmative Defense, the key is to be able to show the overall compliance coverage within your organization, explaining the Administrative, Physical and Technical Safeguards you have put in place to protect the information.

Both HIPAA and HITECH are more about what you need to do and what you need to protect, rather than how. As a result, ensuring your organization is compliant can be complicated. The complexity of systems involved in today's highly technical medical settings means there is no silver-bullet solution that can solve all your compliance concerns. Instead you must diligently select various components with the goal of protecting the systems that access or store patient data, so that you can ensure the security and privacy of your patient information.

In hospitals, pharmacies and other healthcare organizations, doctors and other staff often use mobile devices to access ePHI at work in the practice, at remote sites (such as a partner facility or a patient's home) or for after-hours work (such as working from home). Central or cloud-based healthcare systems are generally designed to be compliant but do not protect ePHI that is downloaded or stored on devices such as laptops, or even on the desktops in the office that never leave.

Who Needs to be HIPAA Compliant

If you store or access any information that could be classified as ePHI, you are subject to the requirements of HIPAA and HITECH. Clearly that includes organizations such as hospitals, doctor's offices and pharmacies, but it also covers other organizations, for example companies that perform billing services, or IT services such as cloud-hosted email or patient portals.

Any system that can touch ePHI needs to be HIPAA compliant. If a HIPAA covered organization (a Covered Entity) engages a business associate to help carry out its health care activities and functions, there should be a Business Associate Agreement (BAA) between the two organizations. So if you have a signed BAA, then your business is also subject to HIPAA requirements for data protection.

HIPAA Rules

There are three main rule sets that come into play for HIPAA compliance: the Administrative Rules, the Privacy Rules and the Security Rules.

Administrative Rules

The Administrative Rules cover the general policies and procedures regarding the securing of information. In some cases these may be borderline technical requirements, like the requirement to guard against malicious software, but the Administrative Rules are really focused on establishing security best practices as a baseline for the Privacy and Security Rules to build on.

Privacy Rules

The Privacy Rules focus on ensuring that PHI is protected from exposure outside the proper confines of use. These rules state the permitted uses and disclosures of PHI, regardless of the format (for example, paper, oral or electronic), and the types of controls that must be enforced for their protection.

Security Rules

The Security Rules focus on what safeguards must be in place. The Security Rules are divided into Administrative (section 164.308), Physical (section 164.310) and Technical Safeguards (section 164.312) to protect ePHI. The Security Rules are written so that they provide flexibility in implementation whilst ensuring the overall goals of ePHI protection are met.

When combined, these rules detail what needs to be protected and provide guidance about the minimum requirements for protection.

Alertsec HIPAA Safeguards

The Alertsec Service provides a solid foundation for compliance with HIPAA requirements. With the Alertsec Service you are able to provide many of the Administrative Safeguards required in section 164.308 and most of the Technical Safeguards required in section 164.312. It is important to understand that full HIPAA compliance for all systems will require combining Alertsec with other tools to build a complete compliance picture.

Section 164.308 Administrative Safeguards

(a)(1) Standard: Security Management Process

The Alertsec Service can assist with the following Security Management Process requirements:

Table 1 Security Management Process Support
  Risk Management (Required)
    Description: Implement security measures to reduce risks to a reasonable level.
    Alertsec Support: The Alertsec Service provides multiple modules to secure computers against many types of risk.
  Information System Activity Review (Required)
    Description: System activity must be reviewed on a regular basis for activity that could be considered malicious.
    Alertsec Support: The Alertsec Service provides audit records for all its services as part of the activity tracking that needs to be monitored.

(a)(5) Standard: Security Awareness and Training

The Alertsec Service can help address the following Security Awareness and Training requirements:

Table 2 Security Awareness and Training Support
  Protection from Malicious Software (Addressable)
    Description: Detect and prevent malicious software.
    Alertsec Support: The Alertsec Anti-Malware service provides protection against malicious applications.
  Log-in Monitoring (Addressable)
    Description: Login attempts must be logged and monitored.
    Alertsec Support: The Alertsec Service provides audit records for all authentication attempts to the Alertsec FDE and the Lock Screen in Windows.
  Password Management (Addressable)
    Description: Policies to manage password use and changes.
    Alertsec Support: The Alertsec Service provides password management capabilities to ensure strong passwords and scheduled password changes.

Section 164.312 Technical Safeguards

(a) Standard: Access Control

The Access Control requirements are divided into four implementation specifications:

Table 3 Access Control Support
  Unique User Identification (Required)
    Description: Each user must be uniquely identified relative to every other user.
    Alertsec Support: With Alertsec FDE, each user can be configured to log in with a unique account.
  Emergency Access Procedure (Required)
    Description: There must be a capability to access information in an emergency.
    Alertsec Support: Administrator access can be used to ensure the system or media is accessible in an emergency where regular users may not be available.
  Automatic Logoff (Addressable)
    Description: The system should automatically log out the user after a period of inactivity.
    Alertsec Support: Alertsec FDE can be configured to automatically lock the system after a pre-defined period of inactivity.
  Encryption and Decryption (Addressable)
    Description: Data should be encrypted to ensure only the authorized users can access it.
    Alertsec Support: Alertsec FDE encrypts the entire drive on the PC and only allows logged-in users access to any OS, applications or data on it. Alertsec Media Encryption allows the secure use of removable media by enforcing the use of encryption for any data stored to the media. Alertsec Port Control can block access to removable media, ensuring that ePHI cannot leave the system and also blocking potentially malicious applications from gaining access to the system.

(b) Standard: Audit Controls

The Audit Control requirement specifies that access to ePHI be recorded for review. While the Alertsec Service does not directly protect the ePHI application, it does support the requirement for audit records related to activity on the systems where the protected information will be accessed. The Alertsec Service provides a record of any authentication attempts and access to the system itself, so you can review when the system/device was used (based upon successful logins) as well as any attempts to gain access (based on authentication failures). This information is supplemental to the specific Audit Controls mandated by HIPAA. The additional information provided by the Alertsec Service gives a broader coverage story about your compliance efforts and enhances your access to Affirmative Defense (as explained under Safe Harbor in the Building HIPAA Compliance section above).

(d) Standard: Person or Entity Authentication

The Person or Entity Authentication requirement specifies that in addition to each user having a unique identifier (as required in the Access Control requirements), they must also have unique authentication credentials paired with the unique identifier. In normal terms, this means a user has to enter a password (or token or biometric, etc.) to validate their identity.

Alertsec FDE and Alertsec Media Encryption both require the user to authenticate with a username and password to access the system or any encrypted media, providing assurance about who is accessing applications dealing with ePHI.

Alertsec Service Features

The Alertsec Service provides compliance security as a service. Instead of requiring the purchase of several individual components and needing to manage them separately, the Alertsec Service provides a single, comprehensive, policy-based, cloud-managed package of vital components to secure your systems and make them compliant. The following compliance modules are available:

Table 4 Alertsec Service Compliance Modules
  Full Disk Encryption (FDE): Ensures that only authorized users can access data on protected computers. A user must provide a valid ID and password before the operating system will boot, and any ePHI will automatically be stored encrypted.
  Media Encryption/Port Control: Media Encryption automatically encrypts any ePHI data stored on removable storage media such as USB sticks and external hard drives, based on policy. Data remains transparent to authorized users. Port Control prevents use of unknown/unauthorized media.
  Compliance Check: All endpoints are scanned for compliance with pre-defined security policies that can verify the security software is up to date.
  Anti-Malware/Program Control: Malware detection and prevention using signatures, behavior blockers and heuristic analysis. Policy-controlled Program (application) Control can be configured to limit the applications that can be run on the system to only those that have been explicitly approved.
  Firewall: Providing proactive policy-based protection, the firewall blocks targeted attacks and stops unwanted traffic, keeping data and systems safe.

Summary

The Alertsec Service provides a solid foundation for building a complete ePHI security solution for your Electronic Health Record (EHR) system. The HIPAA Act does not expect that a single application or service alone will provide all the security safeguards necessary to protect the information, and therefore provides the flexibility for an organization to design a complete security infrastructure using components that best meet its needs.

With the Alertsec Service your organization can ensure the security of endpoint devices, providing a solid layer of technical security surrounding ePHI that is unobtrusive whilst also being highly effective. By minimizing the possibility of unsecured access on endpoint devices, Alertsec helps to achieve Safe Harbor, mitigating the need for breach notifications that would otherwise be mandatory whenever unsecured ePHI is accessed. Complete encryption of ePHI, as provided by Alertsec, is considered a primary way to achieve Safe Harbor.

Implementing Alertsec FDE on endpoint devices within your organization ensures that any copies of ePHI, such as offline copies for remote work, data in Word or Excel documents, or cached data from applications, are always secured on the endpoint device. Alertsec Media Encryption can enable your organization to securely utilize removable media when transporting ePHI between systems (for example, when large volumes of data need to be backed up or delivered directly to another location, or where secure network transfers are not available or possible). And Alertsec Port Control and Application Control provide your organization with the ability to block access to removable media ports and block unwanted applications in order to prevent any ePHI from being removed from the device.

References

The following selection of websites provides more information about HIPAA and HITECH.
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html
http://www.hipaasurvivalguide.com/hipaa-compliance.php

About Alertsec

Alertsec Inc. was founded in 2007 by Fredrik Lövstedt, co-founder of Pointsec Mobile Technologies, a world leader in encryption and security control software for PCs and mobile devices. Today, Pointsec Full Disk Encryption software is used on more than 30 million laptops around the world. Pointsec was acquired by Check Point Software Technologies Ltd in 2007.

Simple, transparent and available to all

The vision when Alertsec was established was that encryption should be simple, transparent and available for all. That principle remains at the heart of Alertsec. Alertsec is the easiest way to ensure that any data stored on a laptop is encrypted at all times and kept secure even if the device is lost or stolen. Subscribe and relax!

Global reach

Alertsec supports customers in more than 30 countries and over 100 US banks use Alertsec. Alertsec has offices in Palo Alto, London, Sydney and Stockholm.

Alertsec HQ US
Alertsec Inc.
470 Ramona Street
Palo Alto, CA 94301
Tel: +1 888 473 7022
www.alertsec.com