[ISN] Wireless security entangles HIPAA

From: InfoSec News (isnat_private)
Date: Fri Jun 20 2003 - 01:45:13 PDT


    http://www.fcw.com/geb/articles/2003/0616/web-hipaa-06-18-03.asp
    
    By Dibya Sarkar 
    June 18, 2003
    
    Although most health organizations still have another 22 months to 
    comply with new federal security standards, securing wireless networks 
    may pose a problem as they near the deadline.
    
    "There are so many security issues around wireless and the [security] 
    rule gives you no substantial guidance on how to secure wireless," 
    said Marne Gordon, director of regulatory affairs at TruSecure Corp., 
    referring to the Health Insurance Portability and Accountability Act 
    of 1996 guidelines on security. 
    
    HIPAA, as it's known, is a far-reaching federal law that, among other 
    things, is supposed to strengthen privacy procedures involving 
    personal patient health and medical information, simplify 
    administrative codes and standards for electronic data interchange and 
    improve security of networks handling such data. 
    
    "Privacy is all about the rights to use information and how 
    information is used. Security is about how to protect the 
    confidentiality, availability and integrity of the information," said 
    W. Holt Anderson, executive director of the North Carolina Healthcare 
    Information and Communications Alliance Inc., a nonprofit consortium 
    of public- and private-sector groups working on HIPAA issues.
    
    "The really hot buttons in security right now are secure e-mail and 
    wireless. So we'll be spending a lot of time in the next couple of 
    years as the security regulation gets ready for April 2005. But it's 
    really kicking into gear now because people need some of the security 
    measures to implement privacy and they're still implementing those," 
    he said, adding the consortium has developed a gap analysis tool for 
    security. 
    
    The final published security rule was issued in February and does not 
    provide specific solutions to affected health care agencies because 
    they are varied in terms of their technology.
    
    Gordon, whose company provides consulting on HIPAA-related practices, 
    said wireless wasn't even a factor when standards were being 
    considered several years ago.
    
    "I know a lot of doctors in their own hospitals are looking to see 
    what steps wireless can save them. There are so many security issues 
    around wireless and the rule gives you no substantial guidance on how 
    to secure wireless. A lot of organizations are looking for 'How do I 
    secure that,' because that's the weakest link," she said.
    
    Aldona Valicenti, chief information officer for Kentucky, said states 
    also have to consider whether their cybersecurity measures will be 
    compliant with what they need to do for HIPAA.
    
    "You've got to understand we're making security investments now," she 
    said. "What I think we don't want to happen is make security 
    investments now that are inappropriate. 
    
    "So that's really sort of our challenge right now," she continued. "We 
    are in a very depressed fiscal situation, we're going to lose workers 
    or positions or both, and we have a continued requirement to ... beef 
    our security up, make sure that we're compliant, make sure we deal 
    with homeland security, and by the way, what we're doing is going to 
    comply with HIPAA." 
    
    
    
    


