On April 21, 2003, the Health Insurance Portability and Accountability Act (HIPAA) Security Rule became effective. Hospitals, doctors, HMOs, insurance companies, and billing companies are required to protect patient healthcare information stored in their information systems against all reasonably anticipated risks. Those risks include cyber attacks by outsiders who penetrate computer networks and by malicious insiders. Most medical companies must achieve compliance by April 21, 2005.
Compliance with the Security Rule is a complex, lengthy, and resource-intensive process that medical companies should begin now to meet the deadlines required by law. Implementation involves establishing safeguards to protect the confidentiality, integrity, availability, and authenticity of patient healthcare information.
What HIPAA Mandates
- The security rule requires medical companies and organizations to comply with IT security best practices and principles.
- All members of the workforce must comply.
- Medical organizations of all types and sizes must formally document and approve a wide variety of security processes, policies, and procedures.
- Medical companies and organizations must provide regular security training and awareness to their workforce and revise their security policies and procedures as needed.
About ISAC
ISAC is an information security company that specializes in the protection of some of the Department of Defense’s most sensitive national security systems. DoD system requirements are very similar to HIPAA. Our expertise makes us the ideal company to assist medical organizations with HIPAA security rule implementation. We can help your medical organization in the following ways:
- Develop a unified security approach based on the "defense in depth" security principle.
- Choose the appropriate security technologies to protect EPHI.
- Protect EPHI against both internal and external threats.
- Conduct thorough and accurate risk analysis.
- Develop security policy mandated by HIPAA for your organization.
- Provide security training for your workforce.
Security Rule Requirements
The Security Rule's requirements are organized into three categories: administrative safeguards, physical safeguards, and technical safeguards. Within these three categories are 18 standards, 12 of which have implementation specifications and six of which do not. A standard defines what a covered entity (CE) must do; implementation specifications describe how it must be done. The requirements are summarized below:
Administrative Safeguards
Administrative safeguards require documented policies and procedures for managing day-to-day operations, the conduct and access of workforce members to EPHI, and the selection, development, and use of security controls. The administrative safeguard standards are:
| Standard | Requirement |
| --- | --- |
| Security management process | An overall requirement to implement policies and procedures to prevent, detect, contain, and correct security violations. |
| Assigned security responsibility | A single individual must be designated as having overall responsibility for the security of a CE's EPHI. |
| Workforce security | Policies, procedures, and processes must be developed and implemented that ensure only properly authorized workforce members have access to EPHI. |
| Information access management | Policies, procedures, and processes must be developed and implemented for authorizing, establishing, and modifying access to EPHI. |
| Security awareness and training | A security awareness and training program for a CE's entire workforce must be developed and implemented. |
| Security incident procedures | Policies, procedures, and processes must be developed and implemented for reporting, responding to, and managing security incidents. |
| Contingency plan | Policies, procedures, and processes must be developed and implemented for responding to a disaster or emergency that damages information systems containing EPHI. |
| Evaluation | CEs must perform periodic technical and non-technical evaluations that determine the extent to which a CE's security policies, procedures, and processes meet the ongoing requirements of the Security Rule. |
| Business associate contracts and other arrangements | CEs must develop and implement contracts that ensure the business associate will appropriately safeguard the information. |
Physical Safeguards
The physical safeguards are a series of requirements meant to protect a CE's electronic information systems and EPHI from unauthorized physical access. CEs must limit physical access while permitting properly authorized access. The specific standards are:
| Standard | Requirement |
| --- | --- |
| Facility access controls | An overall requirement to implement policies, procedures, and processes that limit physical access to authorized personnel only. |
| Workstation use | Policies and procedures that specify appropriate use of workstations and the physical environment of workstations that can access EPHI. |
| Workstation security | Physical safeguards for all workstations that can access EPHI in order to limit access to authorized users only. |
| Device and media controls | Policies, procedures, and processes must be developed and implemented for the receipt and removal of hardware and electronic media that contain EPHI into and out of a CE, and for the movement of those items within a CE. |
Technical Safeguards
The technical safeguards are several requirements for using technology to protect EPHI. The specific standards are:
| Standard | Requirement |
| --- | --- |
| Access control | Policies, procedures, and processes must be developed and implemented for EPHI electronic information systems so that access is allowed only to persons or software programs that have appropriate access rights. |
| Audit controls | Mechanisms must be implemented to record and examine activity in information systems that contain or use EPHI. |
| Integrity | Policies, procedures, and processes must be developed and implemented that protect EPHI from improper modification or destruction. |
| Person or entity authentication | Policies, procedures, and processes must be developed and implemented that verify that persons or entities seeking access to EPHI are who they claim to be. |
| Transmission security | Policies, procedures, and processes must be developed and implemented that prevent unauthorized access to EPHI while it is being transmitted. |
Documentation Standard
CEs must maintain all documentation (e.g., policies, procedures) required by the Security Rule for a period of six years from the date of its creation or the date when it last was in effect, whichever is later. Such documentation must be made available to the workforce members responsible for implementing the policies and procedures. Additionally, CEs must periodically review such documentation and revise and update it as needed to ensure the confidentiality, integrity, and availability of EPHI.
Preparation for Compliance
CEs should prepare for compliance by focusing on four key steps. These are:
- Conduct regular and detailed risk analysis including threat and vulnerability assessments
- Develop and implement a unified, "defense in depth" security architecture
- Develop and implement formal, documented security policies and procedures
- Maintain security documentation, including establishing a security baseline
- Conduct regular workforce training
- Obtain senior management support and keep management informed
Organizations that do this will almost certainly have a smoother road to compliance with the Security Rule than organizations that do not.
Definitions:
Risk Analysis
"Risk" can be simply defined as "the likelihood that a specific threat will exploit a certain vulnerability, and the resulting impact of that event." "Risk analysis" is a systematic and analytical approach that identifies and assesses risks and provides recommendations to reduce risk to a reasonable and appropriate level. Risk analysis enables a CE to identify and define its critical assets and the risks to them, and helps senior management allocate appropriate resources to mitigate those risks and reasonably protect that EPHI.
Vulnerability Assessment
A vulnerability assessment is a formal process of identifying specific system vulnerabilities. There are currently over 4,000 known IT system vulnerabilities and the number continues to increase. Trained vulnerability assessment teams have automated tools that can simplify the identification of critical vulnerabilities. Once identified, steps must be taken to reduce or eliminate them. Vulnerability specialists can help with remediation. Remediation may include software security patches, configuration changes, or implementation of physical security measures.
Defense-In-Depth Security Architecture
The security architecture defines the security components of an IT system from operational, systems, and technical perspectives. Because no single security feature provides complete protection, a defense-in-depth architecture provides layered defenses that make it harder for attackers to penetrate. Defense in depth usually consists of gateway routers, firewalls, intrusion detection systems, access controls, passwords, and virus, spyware, adware, and vulnerability scanners. Because of the complex nature of these capabilities, it is a good idea to use trained and certified security professionals to assist CEs with implementation.
Appropriate and Reasonable Security Measures
Risk analysis serves as the basis for developing and implementing appropriate and reasonable protections for your organization's EPHI. The Security Rule does not expect CEs to protect their EPHI against all possible risks, to have "perfect" security, or to have unlimited time and resources for protecting EPHI. Rather, the rule expects CEs to understand their EPHI and the reasonably anticipated risks to it. CEs then develop and implement security measures accordingly.
Penalties
CEs that do not comply with the Security Rule requirements are subject to the following penalties: civil penalties are $100 per violation, up to $25,000 per year for each requirement violated. Criminal penalties range from $50,000 in fines and one year in prison up to $250,000 in fines and 10 years in jail.
Conclusion
Health care consumers expect their medical information to be appropriately protected. The HIPAA Security Rule has arrived in an effort to address their concerns. Compliance will require CEs to (1) identify the risks to their EPHI and (2) implement a wide variety of security best practices. Complying with the Security Rule can require significant time and resources. Efforts must begin now to meet the mandated deadlines.
Where to Get Help:
ISAC, Inc. specializes in computer security and HIPAA compliance support. We can conduct risk assessments, develop and review HIPAA policy and implementation plans, design HIPAA-compliant defense-in-depth architectures, and provide intrusion detection monitoring and incident response for your networks. To contact us, call Marilyn McAllister, 256-729-6786, marilyn@isac-usa.com or Andy Smith at 256-348-1724, andy.smith@isac-usa.com. Our web address is: http://www.isac-usa.com.
References: This fact sheet was derived primarily from an article written by Steven Weil located at http://www.securityfocus.com/infocus/1764, 1 March 2004.