THE HITECH ACT - THE TEETH AND CLAWS OF HIPAA

THE HITECH ACT - THE TEETH AND CLAWS OF HIPAA

Produced on behalf of New Net Technologies by Steve Broadhead, Broadband Testing, 2010. Broadband Testing and New Net Technologies, www.nntws.com

The HITECH Act - Some Background

The Health Information Technology for Economic & Clinical Health (HITECH) Act really does up the ante for HIPAA enforcement. In theory, health organizations have had to comply with the Health Insurance Portability and Accountability Act (HIPAA) since its introduction in 1996. Originally HIPAA was introduced by Congress to protect the health insurance rights of employees made redundant. Additional Titles were added to the Act, including Title 2, which was designed to protect electronically stored data relating to patient health information, often referred to as Protected Health Information (PHI).

The problem with HIPAA has been the broad interpretation adopted by many healthcare providers and insurers. In fact, many providers require the waiver of HIPAA rights as a condition of service. This has undoubtedly resulted in a varying degree of adoption among providers, leaving many unsure as to whether they are or are not considered compliant. But how could you blame them? The requirements aren't specific and there has been little enforcement to speak of.

What is the Impact of HITECH on HIPAA?

The HITECH Act, as part of the American Recovery and Reinvestment Act, aims to change all that with increased penalties for non-compliance. A breach that exposes a patient's confidential data could have serious and lasting consequences. Unlike credit cards, for example, which can be cancelled and changed if they are exposed, health care records can't just be changed or reset. According to data from Forrester Research, criminals are increasingly targeting health care organizations.

For security teams within health organizations, HITECH's increased penalties may well assist in justifying the funding needed to shore up security and compliance projects that may otherwise have languished under the previously ambivalent and poorly defined HIPAA enforcement. It is open to debate how the federal government will audit compliance with HIPAA's security requirements from here on, but HITECH widens the number of enforcers by giving State Attorneys General the ability to file federal civil actions for harmful disclosures of protected health information (PHI). There are already lawsuits underway for alleged HIPAA violations due to exposed or breached PHI, likely to end with heavy financial compensation payments being ordered.

Some Good News...

Like all things in life there's usually a process to follow, and HIPAA and HITECH are no different. The main headings that will need to be addressed are:

- Administrative Safeguards - specifically, written evidence of measures adopted to ensure compliance, and internal auditing, in particular change management processes, approvals and documentation to provide evidence that systems and processes are properly governed.
- Physical Safeguards - including access controls to restrict and control access to equipment containing PHI. This will include the use of firewalls and intrusion protection technology, with particular focus on workstation and mobile/remote worker security.
- Technical Safeguards - configuration hardening, to ensure that known threats and vulnerabilities are eliminated from all systems, with a zealous patch management process combined with anti-virus technology, regularly tested and verified as secure. Strong monitoring for security incidents and events, with all event logs being securely retained, is also a key measure to safeguard IT system security.

Sounds Familiar...?

In fact, the scope of the standard is quite similar, in its approach and its measures, to the PCI DSS (the Payment Card Industry Data Security Standard), which is another security standard all healthcare providers will now be familiar with. The PCI DSS is concerned with the secure governance of payment card data and applies to any card merchant, i.e. an organization handling payment card transactions.

Therefore it makes sense to consider measures for HIPAA compliance in the context of PCI DSS also, since the same technology that helps deliver HIPAA compliance should be relevant for PCI DSS. Or to put it another way, compliance with one will significantly assist compliance with the other.

What Do NNT Provide?

- Event log messages forwarded from hosts/devices
- Security incidents and key events correlated and alerted
- Any breach of compliance rules reported, including file integrity changes
- All platforms and environments supported, all devices and appliances
- Devices are also tracked for configuration changes
- Planned changes and all unplanned changes are detected
- Device hardening templates can be applied for all security and governance policies, providing a fast compliance audit of all devices

Conclusion - The NNT View

The HITECH Act brings with it a renewed focus for HIPAA and places the onus for secure governance of patient data back with the healthcare and insurance providers. However, this initiative should be embraced, not just because there is additional legislation behind it, but because the potential cost of losing the trust of your customers and patients as a result of a security breach would be more devastating than any fine or lawsuit. NNT can help: our Change Tracker Enterprise and Log Tracker Enterprise solution set provides a complete set of measures to ensure you are provably secure for HIPAA compliance.

NNT HIPAA Compliance solutions cover the following:

- configuration hardening
- change management
- event log correlation
- file integrity monitoring

About NNT

NNT build the world's best solutions for tracking and managing change, managing and protecting users, maintaining system performance and ensuring availability across the entire enterprise. Understanding and managing the day to day changes within your environment is critical to establishing and maintaining reliable service. NNT Solutions are affordable and easy to use. NNT help you establish and maintain a known and compliant state for your IT systems, including PC, network, software, host machine and database.

www.nntws.com, 2010 New Net Technologies. UK Office - Spectrum House, Dunstable Road, Redbourn, AL3 7PR, Tel: +44 8456 585 005. US Office - 5633 Strand Blvd, Suite 306, Naples, Florida 34110, Tel: +1 239 592 9638.

NNT Change Tracker and Log Tracker Enterprise - Compliance Clarified

- Audit Configuration Settings - The core function of NNT Change Tracker Enterprise is to first understand how your IT estate is configured.
- Compare Audited Settings Against Policy - Configuration settings are assessed for compliance with any policy or standard relevant to your organization, and deviations are highlighted.
- Continuously Monitor Configuration Settings - Configuration attributes are then monitored continuously for all changes, both from a compliance standpoint and from a general change management/control standpoint.
- Change Management Process Underpinned - Authorized changes which have been approved via the formal change management process are reconciled with the original RFC to ensure the correct changes were implemented accurately.
- The Change Management Safety Net - All unplanned changes are flagged up for review immediately to mitigate risks to security, integrity or service delivery performance.
- SIEM Event Log Correlation - Centralize and correlate event log messages from all Windows, Unix/Linux, firewall and IPS systems.

TO REQUEST A FREE TRIAL OR DISCUSS ANY AREA COVERED IN THIS WHITEPAPER, PLEASE CONTACT US AT info@nntws.com
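The workflow the whitepaper describes for Change Tracker (audit the configuration, compare it against policy, monitor for changes, reconcile each change with its approved RFC, and flag anything unplanned), and the "planned changes and all unplanned changes are detected" item under What Do NNT Provide?, can be illustrated with a small file-integrity and change-reconciliation pass. The code below is an added example, not NNT's product code and not taken from the whitepaper; the file contents, the hardening policy (PermitRootLogin / PasswordAuthentication values) and the RFC identifiers are all constructed for the example.

```python
import hashlib
from dataclasses import dataclass, field

# Constructed sample data (not from the whitepaper): the audited files of one host
# at baseline time and again at the next monitoring pass.
BASELINE_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",
}
CURRENT_FILES = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",  # drifted
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/bash\n",                          # unchanged
    "/etc/motd": b"Authorized use only\n",                                        # new file
}

# Hypothetical hardening policy: required values for audited settings, per file.
POLICY = {"/etc/ssh/sshd_config": {"PermitRootLogin": "no", "PasswordAuthentication": "no"}}

# Hypothetical approved changes from the change-management process: RFC id -> paths it covers.
APPROVED_RFCS = {
    "RFC-1001": {"/etc/motd"},   # banner rollout, approved and carried out
    "RFC-1002": {"/etc/hosts"},  # approved but never carried out
}


def fingerprint(files):
    """Audit step: a SHA-256 per file; this is the baseline that later passes compare against."""
    return {path: hashlib.sha256(content).hexdigest() for path, content in files.items()}


def parse_settings(content):
    """Parse 'Key value' lines (sshd_config style); blank lines and comments are ignored."""
    settings = {}
    for raw in content.decode().splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        settings[key] = value.strip()
    return settings


def policy_deviations(files, policy):
    """Compare step: every (path, key, expected, actual) where a setting misses the policy value."""
    deviations = []
    for path, required in policy.items():
        actual = parse_settings(files.get(path, b""))
        for key, expected in required.items():
            if actual.get(key) != expected:
                deviations.append((path, key, expected, actual.get(key)))
    return deviations


@dataclass
class ChangeReport:
    planned: dict = field(default_factory=dict)          # changed path -> RFC that authorised it
    unplanned: list = field(default_factory=list)        # changed paths with no approved RFC
    not_implemented: list = field(default_factory=list)  # RFCs none of whose files changed


def reconcile(baseline, current, approved_rfcs):
    """Monitor + reconcile steps: diff two fingerprint sets, then match each change to an RFC."""
    changed = sorted(p for p in set(baseline) | set(current) if baseline.get(p) != current.get(p))
    report = ChangeReport()
    for path in changed:
        rfc = next((rid for rid, paths in approved_rfcs.items() if path in paths), None)
        if rfc is None:
            report.unplanned.append(path)  # the safety net: flag for immediate review
        else:
            report.planned[path] = rfc
    changed_set = set(changed)
    for rid, paths in approved_rfcs.items():
        if not paths & changed_set:
            report.not_implemented.append(rid)  # approved work that did not happen
    return report


def run_pass():
    """One monitoring pass over the constructed sample; returns (deviations, report)."""
    deviations = policy_deviations(CURRENT_FILES, POLICY)
    report = reconcile(fingerprint(BASELINE_FILES), fingerprint(CURRENT_FILES), APPROVED_RFCS)
    return deviations, report


if __name__ == "__main__":
    devs, rep = run_pass()
    for path, key, expected, actual in devs:
        print(f"POLICY DEVIATION {path}: {key} expected {expected!r}, found {actual!r}")
    for path, rfc in rep.planned.items():
        print(f"PLANNED change {path} (authorised by {rfc})")
    for path in rep.unplanned:
        print(f"UNPLANNED change {path} - review immediately")
    for rfc in rep.not_implemented:
        print(f"{rfc} approved but no covered file changed")
```

Run on the sample, the pass reports the sshd_config drift twice, once as a policy deviation (PermitRootLogin is now "yes") and once as an unplanned change with no RFC behind it, while the new /etc/motd is accounted for by RFC-1001; RFC-1002 is surfaced because an approved change that never happened is as much a reconciliation failure as an unapproved one that did. A real deployment would read the files from disk and keep the baseline fingerprints somewhere the monitored host cannot alter them.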