SECURITY® ESSENTIAL GUIDE TO HIPAA
Electronic health records are a cornerstone of President Obama’s
national healthcare reform. But in order to succeed, healthcare
organizations need to ensure consumer privacy.
As a result, changes to the Health Insurance Portability
and Accountability Act were recently enacted. We’ll
explain the regulation, the new requirements, and
how to prepare for an audit.
INSIDE
6 Laying the Groundwork: The Basics of HIPAA
11 New Changes to HIPAA
15 Key Elements of a HIPAA Compliance Checklist
20 How to Survive a HIPAA Audit
INFOSECURITYMAG.COM
How Can Healthcare and Related Organizations Streamline the Audit Process and Ensure Continuous Compliance?

Does your organization have multiple databases containing sensitive information? Are your data protection policies subject to regular HIPAA compliance audits?

AppDetectivePro™ and DbProtect™: compliance where the data lives, in the database.

AppSecInc solutions facilitate compliance and proactively secure enterprise applications at more than 1,600 organizations around the world. AppSecInc's products combine data discovery, vulnerability scanning, user access rights review, real-time activity monitoring, and privileged user activity auditing to enable our clients to dramatically reduce risk, remediate vulnerabilities, identify threats, and demonstrate compliance.

For Enterprise Organizations: DbProtect is a software-based, centrally-managed, enterprise solution for comprehensive database security, risk and compliance. Based on proven technology, the DbProtect platform integrates database asset management, vulnerability management, audit and threat management, policy management, reporting and analytics into a complete enterprise solution. DbProtect enables organizations with complex, heterogeneous environments to optimize database security, manage risk, and bolster regulatory compliance.

For more information, or to download a free demo, go to: www.appsecinc.com

Copyright © 2009 Application Security Inc. All rights reserved. AppDetectivePro and DbProtect are trademarks of Application Security Inc. All other company and product names are trademarks of their respective companies.
CONTENTS
FEATURES
25 Advertising Index
Learn why leading healthcare providers and payers, as well as the United States Department of Health and Human Services, which itself enforces HIPAA, rely on ArcSight to protect their organizations. For more information about healthcare security solutions by ArcSight go to www.arcsight.com/hipaalifeline
EDITOR'S DESK
Getting Serious with HIPAA
BY KELLEY DAMORE

WHILE HIPAA HAS BEEN AROUND for more than a decade, the regulation has been viewed by many in the industry as a toothless legislative mandate. The lack of enforcement caused many in the healthcare industry to take a wait-and-see attitude toward HIPAA compliance. As risk managers, that made perfect sense: the risk was low and the investment was high when it came to meeting HIPAA, so many healthcare organizations did nothing.

Well, that has all changed in the last year. First, we've seen some highly publicized incidents where healthcare workers abused their access and viewed the patient records of celebrities such as George Clooney and Britney Spears. More recently, 15 employees were fired from Kaiser Permanente for accessing the medical records of Nadia Suleman, the octuplet mother.

Then the U.S. Department of Health and Human Services (HHS) started to get very serious about HIPAA compliance and issued a number of hefty fines, most notably to Providence Health & Services and CVS Caremark Corp. The perception today: HIPAA is no longer deemed optional, and organizations need to take the regulation far more seriously.

Add to the increased enforcement the Obama Administration's vision of healthcare reform and the need to move to and invest in electronic health records. HIPAA is the linchpin here. Earlier this year Congress greatly expanded the scope of HIPAA with the HITECH Act. The original HIPAA legislation made the covered entity responsible for evaluating and policing its business associates, and penalties were applied to the covered entity. The new law stipulates that business associates must follow breach notification standards and can be sued or prosecuted directly. This broadens the scope of the regulation and has renewed interest in how to become HIPAA compliant.

As a result, we compiled this Essential Guide to give you one place to get information on the HIPAA regulation, the new changes taking hold next year, how to tackle HIPAA compliance effectively and how to pass an audit. We hope you find this useful.
Kelley Damore is Editorial Director of the Security Media Group for TechTarget, which includes Information Security magazine, SearchSecurity.com, SearchMidmarketSecurity.com, SearchFinancialSecurity.com, SearchSecurityChannel.com, SearchSecurity.uk.co, and the Information Security Decisions and Financial Information Security Decisions conferences. Send feedback on this column to feedback@infosecuritymag.com.
COMPLIANCE
LAYING THE GROUNDWORK: The Basics of HIPAA
This regulation aims to protect patient records and ensure the information is properly transmitted, shared and stored. Here's what the law says.
BY SEARCHSECURITY.COM EDITORS
HIPAA, short for the United States Health Insurance Portability and Accountability Act, is a set of standards enacted by Congress in 1996 that aim to protect the privacy of patient information in the healthcare industry by regulating how providers handle patient data while conducting business, as well as ensuring the continuity of individuals' healthcare coverage.

HIPAA created a set of universal standards for exchanging and securing personal data via electronic data interchange (EDI), the goal being to protect all data that is personally identifiable to a specific person, regardless of whether it is communicated orally, electronically or in writing.
HIPAA's standards require that all healthcare industries apply and enforce certain protections.

…tive authority in charge of managing and enforcing HIPAA compliance rules, regulations and efforts. There should be a clear set of guidelines in place regulating who is and isn't permitted to access patient information. All access to sensitive data and systems should be monitored.
• Documentation should be provided to patients informing them of their rights.
• All corporate systems, machines and buildings must have physical and technical data and intrusion protection controls to prevent malicious hacker and unauthorized access.
• There must be a traffic-monitoring device, such as a firewall, in place to examine activity coming into and leaving the organization's network.
• Management should practice risk assessments, data-handling policies, data loss prevention (DLP) and record all security policies and procedures.
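The checklist item above that all access to sensitive data and systems should be monitored comes down, in practice, to reviewing the EHR's access-audit trail for chart reads that have no treatment justification, the pattern behind the celebrity-record incidents cited in the editor's column. The following is an added example written for this guide, not code from the article or from any vendor it mentions; the audit-log layout, the action names, the care-team table and the sample records are all constructed assumptions.

```python
"""Detect record snooping in an EHR access-audit log.

Added illustration for this guide (not from the article). It flags every
chart read by a user who has no documented treatment relationship with the
patient, then surfaces charts that several unrelated users opened. The log
format, action names and care-team table below are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample audit log (tab-separated): timestamp, user, patient, action.
AUDIT_LOG = """\
2009-03-02T08:01:10\tnurse01\tP1001\tVIEW_CHART
2009-03-02T08:03:42\tdr_lee\tP1001\tVIEW_CHART
2009-03-02T08:05:00\tclerk07\tP1001\tVIEW_CHART
2009-03-02T09:12:33\tnurse01\tP2002\tVIEW_CHART
2009-03-02T09:40:05\tclerk07\tP2002\tVIEW_CHART
2009-03-02T10:02:19\tradtech3\tP2002\tVIEW_CHART
2009-03-02T10:02:50\tdr_lee\tP2002\tVIEW_CHART
2009-03-02T10:15:00\tnurse01\tP3003\tVIEW_CHART
2009-03-02T11:30:11\tsec_admin\tP2002\tLOGIN
"""

# Constructed treatment relationships: users with a documented care
# relationship (encounter, order, referral) for each patient.
CARE_TEAM = {
    "P1001": {"nurse01", "dr_lee"},
    "P2002": {"dr_lee"},
    "P3003": {"nurse01", "radtech3"},
}

# Actions that expose PHI; a LOGIN event is not a chart read.
PHI_ACTIONS = {"VIEW_CHART", "PRINT_CHART", "EXPORT_CHART"}


@dataclass(frozen=True)
class Access:
    ts: str
    user: str
    patient: str
    action: str


def parse_audit_log(text: str) -> list[Access]:
    """Parse tab-separated audit lines, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        fields = line.rstrip("\n").split("\t")
        if len(fields) != 4 or not all(fields):
            continue
        records.append(Access(*fields))
    return records


def unrelated_accesses(accesses: list[Access], care_team: dict) -> list[Access]:
    """Return PHI reads by users outside the patient's documented care team."""
    return [
        a for a in accesses
        if a.action in PHI_ACTIONS and a.user not in care_team.get(a.patient, set())
    ]


def charts_with_many_snoopers(flagged: list[Access], threshold: int = 2) -> dict[str, set[str]]:
    """Group flagged reads by patient; keep charts opened by >= threshold unrelated users."""
    by_patient: dict[str, set[str]] = defaultdict(set)
    for a in flagged:
        by_patient[a.patient].add(a.user)
    return {p: users for p, users in by_patient.items() if len(users) >= threshold}


def snooping_report(log_text: str = AUDIT_LOG, care_team: dict = CARE_TEAM, threshold: int = 2):
    """Run the two checks and return (flagged reads, charts with many unrelated readers)."""
    accesses = parse_audit_log(log_text)
    flagged = unrelated_accesses(accesses, care_team)
    return flagged, charts_with_many_snoopers(flagged, threshold)


if __name__ == "__main__":
    flagged, hot = snooping_report()
    for a in flagged:
        print(f"{a.ts} {a.user} opened {a.patient} with no care relationship")
    for patient, users in hot.items():
        print(f"{patient}: opened by {len(users)} unrelated users: {sorted(users)}")
```

Run as a script it prints the four unrelated reads in the sample log and singles out P2002, which three unrelated users opened. Two caveats a practitioner would add: emergency "break-the-glass" access legitimately bypasses the relationship check, so those events should carry a recorded reason and be reviewed separately rather than counted as snooping; and a flagged read is a lead for investigation, not proof of misuse.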
McAfee: Unparalleled Visibility. Automated Compliance. Cost Efficiencies. Greater Agility.
COMPLETE PROTECTION for agile businesses

Today IT organizations are being asked to do more with less, while at the same time global security threats and compliance requirements are increasing every day. How will successful CIOs navigate these converging pressures? By optimizing their security architecture in a way that balances the need for greater protection with the need to control costs and support productivity. And McAfee is here to help with an integrated defense for every aspect of today's dynamic businesses.
WHAT'S AHEAD
New Changes to HIPAA
In February 2010 an amendment to HIPAA, dubbed HITECH, will be enforced. Here's how it could affect you.
BY DAVID MORTMAN
AS YOU MAY KNOW, changes to the Health Insurance Portability and Accountability Act (HIPAA) were recently enacted under the Health Information Technology for Economic and Clinical Health Act (HITECH), part of the American Recovery and Reinvestment Act. However, these changes don't go into effect until February 2010, so there is time before companies need to be compliant. As the cover of The Hitchhiker's Guide to the Galaxy says: "Don't panic."

Before delving into the changes, it's important to understand that under HIPAA there are three general groups of organizations: covered entities, business associates and everyone else. Covered entities are generally healthcare providers, health plans such as insurers, and healthcare clearinghouses (though this gets complicated for companies that self-insure). Business associates are organizations that support covered entities and handle protected health information (PHI), such as online backup providers, billing agencies and organizations that support eHealth products. Everyone else is, well, everyone else.
As CSO-in-Residence, David Mortman is responsible for Echelon One's research and analysis program. Formerly the Chief Information Security Officer for Siebel Systems, Inc., David and his team were responsible for Siebel's worldwide IT security infrastructure, both internal and external. He also worked closely with Siebel's product groups and the company's physical security team and led Siebel's product security and privacy efforts. A CISSP, Mr. Mortman sits on a variety of advisory boards including Qualys, Applied Identity and Reflective, amongst others. He holds a BS in Chemistry from the University of Chicago.
POLICIES AND PROCEDURES
Key Elements of a HIPAA Compliance Checklist
Building a set of processes and systems to meet HIPAA can be challenging. We'll outline where to start.
BY RICHARD MACKEY
IN MARCH 2007, the U.S. Department of Health and Human Services audited
the information security practices of Atlanta’s Piedmont Hospital to determine
whether the facility met HIPAA requirements. The audit revealed several areas in
which the hospital failed to comply. That was just the beginning; recent HIPAA-
related fines imposed on Providence Health & Services and CVS Caremark Corp.
have caused many organizations, hospitals, healthcare clearinghouses and business
associates to take HIPAA compliance more seriously.
The requirements above reflect four security principles respectively: identity and access management; system and environment configuration; monitoring and information flow control; and encryption. These practices are central to HIPAA compliance and give rise to many critical process and technical controls, including network configuration, data loss detection and backup. The key to remember is that each of these elements of compliance is part organizational process and part technology. Technology, by itself, cannot succeed. Let's take a closer look:
Identity management and access controls. A good example of the need for
…trols, and ensure that the systems are administered securely.

The underlying principle in controlling configuration is the need to know the state of the critical systems in the regulated environment at any time.

There are several organizational and design processes involved in achieving these goals. First, the organization must establish responsibility for managing the systems and networks. Second, the organization should establish a clear demarcation separating systems containing EPHI from those that do not. This isolation reduces the number of systems to tightly manage, cuts down on the monitoring burden, and demonstrates good practices to an auditor. Third, the organization needs to establish strong vulnerability management practices for the environment.

Once the organizational processes are in place, technology can be a real boon. Firewalls can establish boundaries, vulnerability management systems can track operating system and application versions and help to deploy fixes, while change control systems can keep tabs on all the administrative activities affecting the regulated environment.
Richard Mackey has advised leading Wall Street firms on security architecture, VPNs, enterprise
wide authentication, and intrusion detection. Prior to joining the consultancy SystemExperts,
he was the director of collaborative development for The Open Group. Mackey is an original
member of the DCE Request for Technology technical evaluation team and was responsible for
the architecture of the Distributed Computing Environment Releases 1.1 and 1.2. Mackey has
been a frequent speaker at major conferences and has taught tutorials on developing secure
distributed applications.
nCircle Suite360™
The Leader in Security & Compliance Auditing Solutions for Healthcare Organizations
nCircle and HITRUST have partnered to deliver an innovative SaaS solution to reduce the complexities and costs of compliance with the HITECH Act, HIPAA and PCI.
HOW TO Survive a HIPAA Audit
Recent fines and penalties prove HIPAA compliance is not optional. We'll lay out the steps you can take to pass your next audit successfully.
BY RANDY NASH

WATCH OUT FOLKS, it's finally happened. The U.S. Department of Health and Human Services (HHS) has levied the first penalties against a healthcare agency. Providence Health & Services, based in Seattle, has agreed to a six-figure settlement following HIPAA security and privacy violations related to the loss of 386,000 patients' personal health information. Previously, cases had been resolved by requiring organizations to fix their privacy and security problems. It's no longer sufficient, however, to tell the auditors, "we'll resolve that problem."

The HHS settlement agreement states that disks containing individuals' HIPAA-protected health records were taken from employees' cars on at least five occasions in 2005 and 2006. The agreement also mandates that Providence Health & Services use encryption and other data protection policies to prevent unauthorized access to files. Providence must also train employees on security processes and issue compliance reports to HHS for three years.
A quick review of HHS compliance and enforcement data shows that the top five HIPAA compliance and enforcement issues during the past few years remain virtually unchanged.

…nately, while the overall security posture is stagnant across the healthcare industry, the number of complaints filed against an organization due to the loss or exposure of sensitive information continues to rise. Such a scenario will generally lead to a more focused audit of that particular organization as trends develop and become recognized across the industry. For example, as more laptops have been lost and/or stolen, audits have focused on the policies, procedures and technical controls related to protecting mobile devices and data.

Pre-audit meeting
Auditors don’t show up without an invitation, so before meeting with them, plan to
gather your staff and key personnel and review the status of all outstanding projects.
Also let them know the purpose of the audit and what areas or functions the audi-
tors are expected to focus on. Common focus areas include the accuracy and com-
pleteness of documentation, current risk assessments, review of POAMs (plan of
action and milestones), current inventory, and security awareness and training.
Auditors expect key staff to know what’s going on in the organization. If people don’t
know that a security measure, like encryption for example, hasn’t been implemented,
the conflicting stories will be a red flag to the auditor.
Document everything
What will the auditors want to see when they arrive? Documentation and lots of it!
All documentation of security procedures needs to be properly maintained and
updated. In the eyes of the auditor, if it isn’t in writing, then it didn’t happen. All
staff should be aware of the existing security policies and processes. If not, then they
need proper training. You do have an awareness training program, don’t you? The
Randy Nash is a CISSP with more than 25 years of professional experience in information security, system security, network security, personnel security, and physical security. First certified in ADP security and risk assessment in 1984, he has a long history of work with civilian, military and government entities. Randy also maintains the security website @RISK Online, where he posts projects and articles on a wide variety of security topics.
SPONSOR RESOURCES

ArcSight, Inc. (See ad page 3)
• ArcSight Helps Healthcare Company Become HIPAA Compliant
• Healthcare Security Oversight for HIPAA Audit and Compliance
• Complete Security, Privacy, and Compliance Protection for Healthcare Providers

Code Green Networks, Inc. (See ad page 5)
• Webmail and Web 2.0 Visibility and Control with Code Green Networks and Blue Coat
• Protect Your Patient's Private Data from Accidental or Intentional Breaches
• Quickly Identify Data Loss Risks at Your Organization

McAfee, Inc. (See ad page 10)
• McAfee Application Control
• McAfee Change Control
• McAfee Integrity Monitor

nCircle (See ad page 19)
• Automating HIPAA Compliance with Security and Configuration Auditing
• nCircle and HITRUST: SaaS Solution for Securing Healthcare Information
• nCircle Suite360: Automated Security and Compliance Auditing

thawte Inc. (See ad page 14)
• Extended Validation - the New Standard in SSL Security
• Sign your Code and Content for Secure Distribution Online
• Get a Free SSL Trial Certificate from Thawte