THE HITECH ACT - THE TEETH AND CLAWS OF HIPAA Produced on behalf of New Net Technologies by STEVE BROADHEAD BROADBAND TESTING 2010 broadband testing and new net technologies www.nntws.com
many [healthcare and insurance] providers require the waiver of HIPAA rights as a condition of service The HITECH Act - Some Background The Health Information Technology for Economic & Clinical Health (HITECH) act really does up the ante for HIPAA enforcement. In theory, Health organizations have had to comply with the Health Insurance Portability and Accountability Act (HIPAA) since its introduction in 1996. Originally HIPAA was introduced by congress to protect the health insurance rights of employees made redundant. Additional Titles to the act were introduced including Title 2 which was designed to protect electronically stored data relating to patient health information often referred to as Protected Health Information (PHI) The problem with HIPAA has been the broad interpretation adopted by many healthcare providers and insurers. In fact, many providers require the waiver of HIPAA rights as a condition of service. This has undoubtedly resulted in a varying degree of adoption among providers leaving many unsure as to whether they are or are not considered compliant. But how could you blame them? The requirements aren t specific and there has been little enforcement to speak of. What is the Impact of HITECH on HIPAA? The HITECH act as part of the American Recovery and Reinvestment Act aims to change all that with increased penalties for non compliance. A breach that exposes a patient s confidential data could have serious and lasting consequences. Unlike credit cards for example, which can be cancelled and changed if they are exposed health care records can t just be changed or re-set. According to data from Forrester Research criminals are increasingly targeting health care organizations. For security teams within health organizations HITECH s increased penalties may well assist in the justification of funding needed to sure up security and compliance projects that may otherwise have languished under the previously ambivalent and poorly defined HIPAA enforcement. It is open to debate as to how the federal government will audit compliance with HIPAA s security requirements from here on in, but it widens the number of enforcers by giving State Attorney General s the ability to file federal civil action for harmful disclosures of protected health information (PHI). There are already cases of lawsuits underway for alleged HIPAA violations due to exposed or breached PHI, likely to end with heavy financial compensation payments being ordered. www.nntws.com page 2
the scope of the standard is quite similar in respect of its approach and its measures to the PCI DSS (The Payment Card Industry Data Security Standard)... Some Good News... Like all things in life there s usually a process to follow and HIPAA and HITECH are no different. The main headings that will need to be addressed are: Administrative Safeguards specifically written evidence of measures adopted to ensure compliance. Internal auditing in particular change management processes, approvals and documentation to provide evidence that systems and process is properly governed Physical Safeguards including access controls, restrict and control access to equipment containing PHI information. This will include the use of Firewalls, Intrusion Protection technology and with particular focus on workstation, mobile/remote worker security Technical Safeguards - Configuration hardening, to ensure that known threats and vulnerabilities are eliminated from all systems, with a zealous patch management process combined with anti-virus technology, regularly tested and verified as secure. Strong Monitoring for security incidents and events, with all event logs being securely retained is also a key measure to safeguard IT system security the same technology that helps deliver HIPAA compliance should be relevant for PCI DSS...compliance with one will significantly assist compliance with the other Sounds Familiar...? In fact, the scope of the standard is quite similar in respect of its approach and its measures to the PCI DSS (The Payment Card Industry Data Security Standard), which is another security standard all healthcare providers will now be familiar with. The PCI DSS is concerned with the secure governance of Payment Card data, and any card merchant i.e. an organization handling payment card transactions. Therefore it makes sense to consider measures for HIPAA compliance in the context of PCI DSS also, since the same technology that helps deliver HIPAA compliance should be relevant for PCI DSS. Or to put it another way compliance with one will significantly assist compliance with the other. www.nntws.com page 3
What Do NNT Provide? Event Log messages forwarded from hosts/devices Security Incidents and Key Events correlated and alerted Any breach of Compliance Rules reported, including File Integrity Changes All platforms and environments supported, all devices and appliances Devices are also tracked for Configuration Changes Planned Changes and all Unplanned Changes are detected Device Hardening Templates can be applied for all Security and Governance Policies, providing a fast Compliance Audit of all Devices www.nntws.com page 4
Conclusion - The NNT View The HITECH Act brings with it a renewed focus for HIPAA and places the onus for secure governance of patient data back with the healthcare and insurance providers. However, this initiative should be embraced, not just because there is additional legislation behind it, but because the potential cost of losing the trust of your customers and patients as a result of a security breach would be more devastating than any fine or lawsuit. NNT can help using our Change Tracker Enterprise and Log Tracker Enterprise solution set will provide a complete set of measures to ensure you are provenly secure for HIPAA compliance NNT HIPAA Compliance solutions cover the following configuration hardening change management About NNT NNT build the world s best solutions for tracking and managing change, managing and protecting users, maintaining system performance and ensuring availability across the entire enterprise. Understanding and managing the day to day changes within your environment is critical to establishing and maintaining reliable service. NNT Solutions are affordable and easy to use. NNT help you establish and maintain a known and compliant state for your IT systems. Including: PC, Network, Software, Host Machine and Database. www.nntws.com 2010 New Net Technologies UK Office - Spectrum House, Dunstable Road, Redbourn, AL3 7PR Tel: +44 8456 585 005 US Office - 5633 Strand Blvd, Suite 306, Naples Florida 34110 Tel: +1 239 592 9638 event log correlation file integrity monitoring NNT Change Tracker and Log Tracker Enterprise - Compliance Clarified Audit Configuration Settings - The core function of NNT Change Tracker Enterprise is to first understand how your IT estate is configured Compare Audited Settings Against Policy - Configuration settings are assessed for compliance with any policy or standard relevant to your organization and deviations highlighted Continuously Monitor Configuration Settings - Configuration attributes are then monitored continuously for all changes, both from a compliance standpoint and from a general change management/control standpoint Change Management Process Underpinned - Authorized changes which have been approved via the formal change management process are reconciled with the original RFC to ensure the correct changes were implemented accurately The Change Management Safety Net - All unplanned changes are flagged up for review immediately to mitigate security integrity or service delivery performance SIEM Event Log Correlation - Centralize and correlate event logs messages from all windows, unix/linux, firewall and IPS systems TO REQUEST A FREE TRIAL OR DISCUSS ANY AREA COVERED IN THIS WHITEPAPER, PLEASE CONTACT US AT info@nntws.com www.nntws.com page 5