The Health Insurance Portability and Accountability Act (HIPAA), enacted August 21, 1996, was created to protect the use, storage and transmission of patients' healthcare information in every form, from paper to electronic. The primary goals of HIPAA are to:
1. Ensure health insurance portability
2. Reduce healthcare fraud and abuse (including medical identity theft)
3. Guarantee the security and privacy of healthcare information
4. Enforce standards for healthcare information

HIPAA Administrative Simplification aims to improve the efficiency and effectiveness of the healthcare system by standardizing the electronic transmission of certain healthcare transactions. It includes three components:
1. Transactions, Code Sets and Identifiers
2. Privacy Standards
3. Security Standards

The Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the American Recovery and Reinvestment Act of 2009, increased the requirements around the protection of protected health information (PHI). HITECH applies to both electronic and paper records. It introduced breach notification requirements, which apply only to PHI that is unsecured (that is, not rendered unusable, unreadable or indecipherable to unauthorized persons, for example by encryption consistent with HHS guidance), raised the civil penalties for HIPAA violations, and made business associates directly subject to civil and criminal penalties. HITECH also provides incentive payments for the meaningful use of electronic medical records (EMRs) and gives patients the right to obtain copies of their EMRs. Symantec can provide tools and solutions to support the privacy and security requirements of Meaningful Use of EMRs.

Who Must Comply?
All entities that create, receive, maintain or transmit patients' healthcare information must comply, including but not limited to:
- Healthcare insurance providers (health plans)
- Hospitals
- Healthcare clearinghouses
- Physicians' private and group practices
- Healthcare clinics
- Business associates

Breach Notification
When a breach of unsecured PHI occurs, the covered entity or business associate involved must meet the following requirements. Affected individuals must be notified without unreasonable delay and no later than 60 calendar days after the breach is discovered. A business associate that discovers a breach must notify the covered entity within that same window so the covered entity can notify the individuals and HHS.
If a breach affects 500 or more individuals, the Secretary of HHS must be notified at the same time as the affected individuals (without unreasonable delay and no later than 60 calendar days after discovery), and HHS posts the breach on its public website. If the breach affects more than 500 residents of a single state or jurisdiction, the covered entity must also notify prominent media outlets serving that area. If a breach affects fewer than 500 individuals, the covered entity logs it and submits the log to the Secretary of HHS annually, no later than 60 days after the end of the calendar year in which the breach was discovered.

HIPAA Security Rule
The Security Rule's standards carry implementation specifications of two types: required and addressable.
Required: control requirements that all applicable entities MUST implement.
Addressable: control requirements for which the entity must assess whether the specification is a reasonable and appropriate safeguard in its environment. If it is, the entity implements it; if it is not, the entity must document why and implement an equivalent alternative measure where reasonable and appropriate. Addressable does not mean optional.

The Security Rule groups its standards into three distinct safeguard categories: Administrative, Physical and Technical. The following details how solutions from Symantec can assist in meeting each type of safeguard.
The Breadth of Symantec Solutions

Symantec Control Compliance Suite (CCS) assists organizations in assessing their degree of non-compliance with the organization's established information security policies, standards, industry best practices and numerous regulatory requirements such as HIPAA and the HITECH Act. Risk mitigation recommendations are provided as part of the CCS Standards Management module, which also verifies that mitigating controls were implemented. CCS Policy Manager assists organizations in the creation, management and distribution of written security and compliance policies and procedures, and allows procedures to be distributed to, and formally accepted by, designated end users. CCS also lets organizations maintain the documentation required by various retention regulations. CCS Response Assessment Manager (RAM) automates the validation of procedural checks and the distribution of security awareness training content, and provides an online test to assess users' knowledge of the material. RAM enables organizations to complete three key steps of security awareness:
1. Educate the user community
2. Evaluate users' understanding of security topics
3. Provide evidentiary support for compliance and auditing purposes

Symantec Data Loss Prevention (DLP) enables organizations to discover PHI exposed on file servers, databases, content and email repositories, web servers, laptops and desktops, and other data repositories. It also proactively monitors and protects PHI usage across the network, storage media and endpoints. Identified risks are reported using pre-built HIPAA compliance reports and role-based dashboards, and notifying end users directly when they violate a policy reinforces awareness of the organization's security policies.
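As an added illustration of the kind of content discovery a DLP scanner performs (this is example code written for this page, not Symantec DLP code, and it makes no claim about how Symantec's product is implemented): the scanner below walks a constructed set of documents, finds candidate identifiers, validates SSN structure against the Social Security Administration's issuance rules to cut false positives, masks what it reports so the report is not itself PHI, and flags a finding as PHI only when the identifier sits near health-related context, since PHI is an identifier tied to health information. The 8-digit "MRN" format, the context keyword list and the sample files are assumptions made for the example.

```python
"""PHI content-discovery scanner: added example, not Symantec DLP code.

Assumptions (for illustration only): an 8-digit "MRN" format, a small
keyword list for health context, and a constructed in-memory corpus.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample corpus. All values are fabricated; the SSNs in
# test_fixtures.txt are structurally impossible by design.
SAMPLE_FILES: dict[str, str] = {
    "intake_form.txt": (
        "Patient: Jane Roe\nSSN: 219-09-9999\nMRN: 00123456\n"
        "Diagnosis: type 2 diabetes, metformin 500 mg"
    ),
    "hr_directory.txt": (
        "Employee badge lookup, SSN 219-09-9999 on file, extension 4412"
    ),
    "test_fixtures.txt": (
        "Seeded rows: 000-12-3456, 666-12-3456, 987-00-1234, 123-45-0000"
    ),
    "readme.txt": "Build instructions. No identifiers in this file.",
}

# US SSN in dashed form; the MRN pattern is a hypothetical 8-digit format.
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
MRN_RE = re.compile(r"\bMRN[:\s]+(\d{8})\b", re.IGNORECASE)

# Words that tie an identifier to health information (assumed list).
HEALTH_CONTEXT = re.compile(
    r"\b(patient|diagnos\w*|prescri\w*|medic\w*|treatment|dx|rx|lab results?)\b",
    re.IGNORECASE,
)
CONTEXT_WINDOW = 80  # characters inspected on each side of a match


def is_valid_ssn(area: str, group: str, serial: str) -> bool:
    """Reject SSNs the SSA never issues: area 000, 666 or 900-999,
    group 00, or serial 0000. This drops obvious test data."""
    a = int(area)
    if a == 0 or a == 666 or a >= 900:
        return False
    return int(group) != 0 and int(serial) != 0


def mask(value: str) -> str:
    """Keep only the last four characters so the report itself is not PHI."""
    return "*" * (len(value) - 4) + value[-4:]


@dataclass
class Finding:
    path: str
    kind: str      # "ssn" or "mrn"
    value: str     # masked identifier
    severity: str  # "phi" when health context is nearby, else "identifier"


def _classify(path: str, kind: str, ident: str, m: re.Match, text: str) -> Finding:
    """An identifier alone is sensitive; near health context it is PHI."""
    lo = max(0, m.start() - CONTEXT_WINDOW)
    hi = min(len(text), m.end() + CONTEXT_WINDOW)
    severity = "phi" if HEALTH_CONTEXT.search(text[lo:hi]) else "identifier"
    return Finding(path, kind, mask(ident), severity)


def scan_text(path: str, text: str) -> list[Finding]:
    findings: list[Finding] = []
    for m in SSN_RE.finditer(text):
        if is_valid_ssn(*m.groups()):
            findings.append(_classify(path, "ssn", m.group(0), m, text))
    for m in MRN_RE.finditer(text):
        findings.append(_classify(path, "mrn", m.group(1), m, text))
    return findings


def scan_files(files: dict[str, str]) -> list[Finding]:
    findings: list[Finding] = []
    for path, text in files.items():
        findings.extend(scan_text(path, text))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Roll-up by severity, the shape a compliance dashboard would show."""
    counts = {"phi": 0, "identifier": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = scan_files(SAMPLE_FILES)
    for f in results:
        print(f"{f.path}: {f.kind} {f.value} [{f.severity}]")
    print(summarize(results))
```

Running it reports two PHI findings in the intake form (the SSN and the MRN, both near "Patient" and "Diagnosis"), one identifier-only finding in the HR directory (a valid SSN with no health context, which is sensitive but not PHI), and nothing from the test fixtures, whose SSNs fail structural validation. Separating "identifier present" from "identifier plus health context" is what keeps a discovery scan from burying the real PHI exposures under every employee record and test file.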
Symantec DLP helps organizations answer two key questions: where is confidential data and PHI being stored, and how is that PHI being used? Answering them helps reduce the risk of penalties under the HITECH breach notification requirements. The Symantec DLP Protect functionality can block the transmission of unencrypted PHI outside the organization's network, reducing the likelihood of a reportable breach and its associated penalties.

Symantec Security Information Manager (SSIM) is a real-time security incident tracking tool that collects, aggregates and correlates information security events from an organization's logged security events. It contains an incident ticketing system that can be integrated with an organization's existing service desk application. The SSIM management console provides quick, easy and flexible log management of all events, including over 400 pre-configured analysis queries and flexible compliance reporting and log retention policies. It enables healthcare organizations to collect, store and analyze log data, and to monitor and respond to security events, to meet the IT risk and compliance requirements of HIPAA, HITECH and many state privacy laws. It collects and normalizes a broad scope of event data and rates the impact of incidents by their criticality to business operations or their relevance to particular regulatory mandates. Incidents are prioritized using a built-in asset management function, populated by scanning tools, that lets confidentiality, integrity and response ratings and policies be assigned to each asset. Integrating SSIM with the Symantec Global Intelligence Network helps identify external threats to the infrastructure that stores and transmits PHI. SSIM also integrates with third-party EMR privacy monitoring tools.
Symantec Critical System Protection (SCSP) shields operating systems, applications and services by defining acceptable behaviors for each authorized application running on the system. It then protects systems from misuse by unauthorized users and applications, and prevents inappropriate copying or transfer of PHI through system and device controls that lock down configuration settings, file systems and the use of removable media. SCSP's monitoring, notification and auditing features help organizations demonstrate regulatory compliance with HIPAA and HITECH, and it assists in meeting various Administrative and Technical Safeguards of the HIPAA Security Rule. Many HIPAA-related breaches in the healthcare industry are caused by well-intentioned individuals copying data to USB storage devices. Hospitals can reduce the risk of such violations, and of the HITECH breach notification requirements and penalties that follow them, by using SCSP to limit the use of removable media on workstations throughout their facilities.

Symantec Endpoint Encryption (SEE) helps an organization reduce the risk that a lost device becomes a reportable breach under the HITECH breach notification regulations. Encrypting laptops and removable media reduces the risk of inappropriate exposure of PHI when such devices are lost or stolen, and PHI encrypted in accordance with HHS guidance is not "unsecured PHI" for notification purposes. More than 45 states have passed breach notification laws that apply to companies doing business within the state, and most of them exempt properly encrypted data from the notification requirement. Laptops and USB devices encrypted with SEE therefore help organizations stay within those state safe harbors while providing auditable evidence that the data on the device was encrypted; these audit trails are valuable when an endpoint is lost or stolen. Note that the safe harbor depends on the encryption having been active and the key remaining secret: a device lost together with its passphrase, or a key that was also compromised, still has to be treated as a breach. Limiting access to data by encrypting it on all endpoints also reduces the risk of identity theft. Additional benefits of SEE are achieved when it is integrated with other Symantec solutions such as the Altiris Client Management Solution.

Symantec Services advocates an end-to-end risk management approach to help ensure security and privacy in the healthcare industry.
A risk management approach focuses on three things: assessing information exposure and vulnerabilities, implementing security controls, and automating compliance around regulatory requirements such as HIPAA, HITECH and PCI, to list a few. This approach not only identifies risks but also finds operational and process efficiencies. Symantec provides services around all of its products and solutions, ranging from architecting, designing, implementing and managing HIPAA-compliant infrastructure to risk management services. Symantec architecture and design services leverage existing infrastructure while integrating existing and future products into a solution that automates security and compliance functions. Risk management services include HIPAA risk assessments, vulnerability assessments, PCI assessments, data loss prevention assessments and more.

Find Out More
Join Symantec for one of its healthcare-specific webinars or executive briefings, or stop by the Symantec booth at healthcare conferences, to find out how Symantec can proactively monitor and reduce your IT HIPAA risk, protect the PHI that you manage and help support the privacy requirements of Meaningful Use. See the Symantec Healthcare website at http://www.symantec.com/healthcare or contact your local Symantec Healthcare Sales Representative for more information on upcoming events.

NO WARRANTY. The information contained in this document is being delivered to you AS-IS, and Symantec Corporation makes no warranty as to its accuracy or use. Any use of the information contained herein is at the risk of the user. This document may include technical or other inaccuracies or typographical errors, and may be changed or corrected. Symantec reserves the right to make changes without prior notice. The information contained in this document is provided for informational purposes only and is not legal advice.
The information may or may not reflect current legal developments. This information is not intended to constitute legal advice or to substitute for obtaining legal advice from an attorney licensed in your state, and is specifically not intended to provide advice or counsel on compliance recommendations for the Health Insurance Portability and Accountability Act, the Health Information Technology for Economic and Clinical Health regulations, or other regulatory requirements.

More Information
Visit our website: http://www.symantec.com/healthcare
To speak with a Product Specialist in the U.S., call toll-free 1 (800) 745 6054.
To speak with a Product Specialist outside the U.S., visit our website for specific country offices and contact numbers.

About Symantec
Symantec is a global leader in providing security, storage and systems management solutions to help consumers and organizations secure and manage their information-driven world. Our software and services protect against more risks at more points, more completely and efficiently, enabling confidence wherever information is used or stored.

Symantec World Headquarters
350 Ellis St.
Mountain View, CA 94043 USA
+1 (650) 527 8000
1 (800) 721 3934
www.symantec.com

Copyright 2010 Symantec Corporation. All rights reserved. Symantec, the Symantec Logo, Altiris and Deepsight are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. 20988230 06/11