[ISN] How to ensure security compliance with HIPAA

From: InfoSec News (isnat_private)
Date: Thu May 01 2003 - 22:18:56 PDT

  • Next message: InfoSec News: "[ISN] What's the difference between a viral attack and a scan?"

    Forwarded from: William Knowles <wkat_private>
    
    http://www.computerworld.com/securitytopics/security/story/0,10801,80812,00.html
    
    By Marcia J. Wilson
    MAY 01, 2003
    Computerworld 
    
    The Health Insurance Portability and Accountability Act (HIPAA) 
    Privacy Rule became effective April 14, which means it's time to pay 
    attention if you haven't done so already. 
    
    HIPAA is a set of federal regulations intended to protect and simplify 
    the exchange of health care data. Compliance deadlines have been 
    stretched out over the next few years. Compliance means doing 
    everything in your power to follow the letter and spirit of the law 
    without going out of business. 
    
    The HIPAA Privacy Rule is federal law, and anyone not in compliance 
    can face up to $250,000 in fines and jail time of up to 10 years. The 
    rule applies to electronic protected health information -- 
    essentially, patients' medical records and other personal health care 
    information. It affects companies that transmit protected health 
    information in electronic form, which includes health plans, health 
    care clearinghouses and health care providers. These organizations are 
    referred to as "covered entities." 
    
    Full compliance will require that these entities understand the 
    threats and liabilities to this protected data and that they implement 
    a wide variety of safeguards and security best practices. Where should 
    these health care companies start, if the urgent has driven out the 
    merely important? There are so many drivers in today's world that 
    compliance, however imminent, seems to be very far away. 
    
    Let's break it down so it's not so overwhelming. According to the law, 
    the entities must maintain reasonable and appropriate safeguards in 
    three areas: administrative, physical and technical. Let's take a 
    closer look. 
    
    Administrative 
    
    Start at the top. The administrative portion is 50% of the rule. 
    Advocates of top-down policy suggest that this is the right place to 
    begin. What is the security management process of the organization, 
    and who has responsibility for it? If the organization hasn't already 
    done so, establish a chief privacy officer. The chief privacy officer 
    would be responsible for establishing policy and procedure for 
    employees and others who have access to the health care data. 
    
    Security awareness and training is the critical next step. If 
    employees aren't aware of or don't understand the policy, it's of no 
    use. Incident-handling also needs to be factored into the equation. An 
    incident response team should be established in conjunction with the 
    position of privacy officer to develop policy and procedure. This team 
    can be responsible for contingency planning as well, depending on the 
    size of the organization. Contingency planning is needed to provide an 
    alternative plan once a breach has occurred. Document everything, plan 
    on keeping that data for six years plus, and you're almost there. 
    
    Physical safeguards 
    
    Physical safeguards include physical access to the facility, 
    workstation accessibility, workstation security, and device and media 
    control. Are you using wireless technology? Have you secured it? Is it 
    possible to join the network from the parking lot? The wireless issue 
    can fall under both physical and technical safeguards. Also, how do 
    you dispose of or move the electronic media, (the tape backups and the 
    disk storage) that contains this confidential data? 
    
    Technical 
    
    The technical standards address access, authentication, authorization, 
    auditing, integrity and the transmission of sensitive data. Here are 
    some questions to ask: 
    
    * Who gets access to data? 
    
    * How do you know that those with access are who they say they are? 
    
    * Do they have the appropriate level of authorization? 
    
    * Are you keeping track of who does what and when? 
    
    * Do you have assurance of data integrity? 
    
    * When you transmit data over an electronic communications network, 
      can anyone else get access to it? 
    
    * Are other parties (partners and other health organizations with 
      which you share information) in compliance?
    
    The chief privacy officer would be responsible for establishing clear 
    and consistent standards throughout the organization by understanding 
    which kinds of information are critical, how to maintain the 
    confidentiality of the information and how to support the integrity, 
    reliability and availability of the data. An independent information 
    security audit can provide a baseline from which to work toward 
    compliance. Understanding what is and what isn't working is a step in 
    the right direction. Consider these security best practices: 
    
    * Obtain an annual independent evaluation of information security and 
      practices. 
    
    * Ensure that information security policies are founded on a 
      continuous risk management cycle. 
    
    * Implement controls that assess information security risks. 
    
    * Promote continuing awareness of information security risks. 
    
    * Continually monitor and evaluate information security policy. 
    
    * Control the effectiveness of information security practices. 
    
    * Provide a risk assessment and report on the security needs of the 
      organization's systems.
    
    Before running off and hiring a big consulting firm to implement an 
    automated medical records systems that's supposed to make HIPAA go 
    away, take a step back and breathe deeply. Have an independent risk 
    assessment performed that will allow you to establish a baseline for 
    your company's general security posture, and work from there. 
    
    Remember that this rule is about reasonable and appropriate effort to 
    secure confidential health information. As we count down to HIPAA, we 
    can eat the elephant one bite at a time. 
    
    
    
    *==============================================================*
    "Communications without intelligence is noise;  Intelligence
    without communications is irrelevant." Gen Alfred. M. Gray, USMC
    ================================================================
    C4I.org - Computer Security, & Intelligence - http://www.c4i.org
    *==============================================================*
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Fri May 02 2003 - 01:03:18 PDT