Securing the FOSS VistA Stack HIPAA Baseline Discussion. Jack L. Shaffer, Jr. Chief Operations Officer




HIPAA as Baseline of Security: To secure any stack that contains ePHI (electronic Protected Health Information), HIPAA must be your baseline, specifically the HIPAA Security Rule. The HIPAA Security Rule establishes national standards to protect individuals' ePHI that is created, received, used, or maintained by a covered entity. The Security Rule requires appropriate administrative, physical and technical safeguards to ensure the confidentiality, integrity, and availability of electronic protected health information. The Security Rule is located at 45 CFR Part 160 and Subparts A and C of Part 164.

HIPAA Security Rule: The HIPAA Security Rule safeguards PHI by focusing on the confidentiality, integrity, and availability of ePHI. A covered entity or business associate is required to have administrative, technical, and physical safeguards in place. Safeguards must:
- Protect PHI from accidental or intentional unauthorized use or disclosure in computer systems (including social networking sites such as Facebook, Twitter, and others) and in work areas;
- Limit accidental disclosures (such as discussions in waiting rooms and hallways); and
- Include practices such as document shredding, locking doors and file storage areas, and using passwords and codes for access.
Note that the Security Rule itself covers only electronic PHI; the paper and spoken-word examples above come from the Privacy Rule's general safeguards requirement (45 CFR 164.530(c)), which applies to PHI in any form.

HIPAA Security Rule: Implementation specifications in the Security Rule are either Required or Addressable (see 45 C.F.R. 164.306(d)). If an implementation specification is required, the covered entity must implement policies and/or procedures that meet what the specification requires. If an implementation specification is addressable, the covered entity must assess whether it is a reasonable and appropriate safeguard in the entity's environment; if it is, implement it; if it is not, document why and implement an equivalent alternative measure where that is reasonable and appropriate. Addressable does not mean optional: the assessment and its documentation are themselves mandatory.

HIPAA Security Rule: The security standards are divided into three categories:
Administrative Safeguards: the administrative functions that must be implemented to meet the security standards, such as assigning or delegating security responsibility to a named individual and meeting security training requirements.
Physical Safeguards: the mechanisms required to protect electronic systems, equipment and the data they hold from threats, environmental hazards and unauthorized intrusion, such as restricting physical access to ePHI and retaining off-site computer backups.
Technical Safeguards: the automated processes used to protect data and control access to it, such as authentication controls that verify the person signing on to a computer is authorized to access that ePHI, and encrypting and decrypting data as it is stored and/or transmitted.
Regulatory definitions of the safeguards are in the Security Rule at 45 CFR 164.304.

Administrative Safeguards (45 CFR 164.308)
Applies to: Covered Entities, Business Associates, and Subcontractors
Required:
- Risk Analysis
- Risk Management
- Sanction Policy
- Information System Activity Review
- Assigned Security Responsibility
- Isolating Health Care Clearinghouse Function
- Response and Reporting
- Data Backup Plan
- Disaster Recovery Plan
- Emergency Mode Operation Plan
- Evaluation
- Written Contract or Other Arrangement
Addressable:
- Authorization and/or Supervision
- Workforce Clearance Procedure
- Termination Procedures
- Access Authorization
- Access Establishment and Modification
- Security Reminders
- Protection from Malicious Software
- Log-in Monitoring
- Password Management
- Testing and Revision Procedure
- Applications and Data Criticality Analysis

Physical Safeguards (45 CFR 164.310)
Applies to: Covered Entities, Business Associates, and Subcontractors
Required:
- Workstation Use
- Workstation Security
- Disposal
- Media Re-use
Addressable:
- Contingency Operations
- Facility Security Plan
- Access Control and Validation Procedures
- Maintenance Records
- Accountability
- Data Backup and Storage

Technical Safeguards (45 CFR 164.312)
Applies to: Covered Entities, Business Associates, and Subcontractors
Required:
- Unique User Identification
- Emergency Access Procedure
- Audit Controls
- Person or Entity Authentication
Addressable:
- Automatic Logoff
- Encryption and Decryption
- Mechanism to Authenticate Electronic PHI
- Transmission Security: Integrity Controls
- Transmission Security: Encryption

Sample Safeguards: Some safety measures that may be built into EHR systems include:
- Access controls, such as passwords and PINs, to help limit access to your information (VistA already provides this).
- Encrypting your stored information, so that the health information cannot be read or understood except by someone who can decrypt it using a key made available only to authorized individuals (see the next slide).
- An audit trail, which records who accessed your information, what changes were made, and when (VistA already provides this).

Technical Safeguard: Encryption
InterSystems Caché and GT.M can both encrypt data at rest:
- Done outside of VistA, at the database level; the application code does not change.
- Allows secure on-disk storage of CACHE.DAT (and GT.M database) files.
- Minimal performance impact.
- Key-based: the data cannot be decrypted if the key is lost or the password protecting it is unknown, so key backup and escrow must be part of the contingency plan (a lost key with no escrow is an availability failure of the whole record store).
InterSystems: http://docs.intersystems.com/ens20101/csp/docbook/docbook.ui.page.cls?key=gCAS_encrypt
GT.M: http://tinco.pair.com/bhaskar/gtm/doc/books/ao/unix_manual/
If the data is encrypted, the safe harbor provision of the Breach Notification Rule applies (i.e., loss of the media is not a reportable breach). This holds only when the encryption is consistent with the HHS guidance on securing PHI (NIST SP 800-111 for data at rest) and the key was not lost or compromised along with the media; a server taken with its key stored on the same disk does not qualify.
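The safe-harbor argument above rests on the database files actually being unreadable on disk, which is worth verifying rather than assuming from a configuration screen. The following Python script is an added example for this slide; it is not part of the original deck and is not InterSystems or GT.M code. It runs two cheap checks over a block of a database file: byte-level Shannon entropy (a sound cipher's output sits close to 8 bits per byte) and a scan for plaintext runs shaped like VistA globals, names and SSN-style identifiers. The sample records and the PRNG stand-in for ciphertext are constructed for the example; the names, numbers, file offset and entropy threshold are assumptions, not values taken from any product.

```python
"""Check that a database file on disk is actually encrypted at rest.

Added example for this slide; it is not part of the original deck and is not
InterSystems or GT.M code. Database-level encryption should leave no readable
ePHI in a CACHE.DAT or GT.M .dat file, and the safe-harbor argument depends
on that being true. Two cheap checks make it visible: byte-level Shannon
entropy (output of a sound cipher is close to 8 bits/byte) and a scan for
plaintext runs shaped like VistA patient data. All sample data below is
constructed for the example; the names and numbers are made up.
"""
import math
import random
import re
from collections import Counter

# Constructed sample of what an unencrypted block of VistA globals might look
# like (patient file ^DPT and a visit global). Not real data.
PLAINTEXT_SAMPLE = (
    b"^DPT(1,0)=DOE,JOHN^M^2480117^^^^123456789\n"
    b"^DPT(2,0)=ROE,JANE^F^2510305^^^^987654321\n"
    b"^AUPNVSIT(10,0)=3160415.1015^1^2^E\n"
) * 40

# Constructed stand-in for an encrypted block: a seeded PRNG stream has the
# same byte-frequency profile as ciphertext and keeps the example reproducible.
CIPHERTEXT_SAMPLE = random.Random(20100401).randbytes(len(PLAINTEXT_SAMPLE))

# Patterns that should never survive in an encrypted database file.
PLAINTEXT_MARKERS = [
    re.compile(rb"\^[A-Z]{2,8}\(\d+,"),         # global reference, e.g. ^DPT(1,
    re.compile(rb"=[A-Z]{3,},[A-Z]{3,}\^"),     # =LASTNAME,FIRSTNAME^ in a record
    re.compile(rb"(?<!\d)\d{9}(?!\d)"),         # isolated 9-digit run (SSN-shaped)
]


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte; 8.0 is the maximum (uniform random bytes)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def find_plaintext_markers(data: bytes) -> dict:
    """Map each marker pattern to the number of times it occurs in data."""
    return {p.pattern.decode(): len(p.findall(data)) for p in PLAINTEXT_MARKERS}


def looks_encrypted(data: bytes, min_entropy: float = 7.5) -> bool:
    """True when data has ciphertext-like entropy and no plaintext markers.

    The 7.5 bits/byte threshold is a heuristic chosen for this example.
    Compressed data also scores high on entropy, which is why the marker scan
    is required as well; either check failing means the block is not treated
    as encrypted.
    """
    if shannon_entropy(data) < min_entropy:
        return False
    return not any(find_plaintext_markers(data).values())


def check_file(path: str, offset: int = 0, sample_bytes: int = 1 << 20) -> bool:
    """Run the checks on sample_bytes of a real file starting at offset.

    offset exists because database engines commonly keep an unencrypted label
    or header block at the start of the file (assumed here, not verified for
    any specific product); sample past it to judge the data pages themselves.
    """
    with open(path, "rb") as fh:
        fh.seek(offset)
        return looks_encrypted(fh.read(sample_bytes))


if __name__ == "__main__":
    for label, blob in (("plaintext", PLAINTEXT_SAMPLE),
                        ("ciphertext", CIPHERTEXT_SAMPLE)):
        print(f"{label}: entropy={shannon_entropy(blob):.2f} "
              f"markers={find_plaintext_markers(blob)} "
              f"looks_encrypted={looks_encrypted(blob)}")
```

Run it against a copy of the real CACHE.DAT or GT.M .dat taken while the database is closed, sampling from several offsets, not just the start of the file. A passing result is evidence, not proof: it shows no recognisable ePHI in the sampled pages, which is the minimum the safe-harbor claim needs; it says nothing about where the key lives or who can use it.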

Important Resources:
- NIST SP 800-66: An Introductory Resource Guide for Implementing the HIPAA Security Rule
- NIST SP 800-53 Rev. 4: Security and Privacy Controls for Federal Information Systems and Organizations (the control catalog for all US federal IT systems)
- NIST SP 800-111: Guide to Storage Encryption Technologies for End User Devices (the standard the HHS breach-notification safe harbor guidance points to for data at rest)
- NIST HIPAA Security Rule Toolkit: software to help implement the Security Rule
- SANS Reading Room, HIPAA whitepapers: http://www.sans.org/reading-room/whitepapers/hipaa