Contents

Overview
Addressing the Unique Issues of Healthcare
The Consequences of Not Complying
The Risk of a Data Breach
Partnering to Achieve End-to-End Compliance
carpathia.com

Overview
As those who work in healthcare IT know, the healthcare industry has some of the most complex IT needs of any industry today. However, HIPAA and related healthcare IT requirements are among the least prescriptive in the IT space, especially when compared with other standards such as PCI, which is used to protect payment card information in financial services organizations.
With more than 10 million individuals employed in the industry in the United States, protecting the privacy and confidentiality of a patient's electronic medical health records from unauthorized access is paramount to achieving compliance with federal regulatory laws such as the Health Insurance Portability and Accountability Act (HIPAA), the Health Information Technology for Economic and Clinical Health (HITECH) Act, the American Recovery and Reinvestment Act and other laws that apply to healthcare organizations.
Organizations subject to HIPAA, referred to as covered entities, and organizations delivering services to covered entities, known as business associates under the HITECH Act, include:

- Healthcare providers such as doctors, hospitals, etc.
- Healthcare insurance and health plan clearing houses
- Businesses who self-insure
- Businesses that sponsor a group health plan and provide assistance to their employees on medical coverage
- Businesses that deliver services to other healthcare providers
Per these regulatory laws, covered entities and business associates are required to ensure the following safeguards on patient data in order to remain compliant:

- Administrative safeguards to protect the integrity, confidentiality and availability of electronic protected health information (ePHI)
- Physical safeguards to protect the integrity, confidentiality and availability of ePHI
- Technical safeguards to protect the integrity, confidentiality and availability of ePHI

In addition, the HITECH Act was signed into law in 2009 and is intended to increase the use of Electronic Health Records (EHR) by physicians and hospitals. It stipulates that, as of 2011, healthcare providers will be offered financial incentives for demonstrating meaningful use of EHR. Incentives will be offered until 2015, after which time penalties may be levied for failing to demonstrate such use.
Meeting this array of requirements demands that healthcare entities set up strong processes, methods and controls to assure auditors that the security and integrity of PHI and ePHI is guaranteed, all while EHR are beginning to be used. Maintaining the security of patient data is a complex proposition that affects every employee of a healthcare facility, every area of its IT system, and all vendors, partners and insurers that work with the healthcare provider. These requirements become even more complex when organizations work with the single largest healthcare program in the world, TRICARE. TRICARE is the healthcare program serving uniformed service members, retirees and their families worldwide. Now, healthcare organizations are not only required to protect PHI and ePHI, they are also required to support civilian and DoD IT requirements such as FISMA and DIACAP.
26. Testing and Revision Procedure
27. Applications and Data Criticality Analysis
28. Evaluation
29. Business Associate Contracts and Other Arrangements
30. Describes what the organization should do to appropriately limit physical access to the information systems contained within its facilities, while ensuring that properly authorized employees can physically access such systems.
31. Identifies what the organization should do to have formal, documented procedures for allowing authorized employees to enter its facility to take necessary actions as defined in its disaster recovery and emergency mode operations plans.
32. Facility Security Plan: Discusses what the organization should do to establish a facility security plan to protect its facilities and the equipment therein.
33. Access Control and Validation Procedures: Discusses what the organization should do to appropriately control and validate physical access to its facilities containing information systems having ePHI or software programs that can access ePHI.
34. Maintenance Records: Defines what the organization should do to document repairs and modifications to the physical components of its facilities related to the protection of its ePHI.
35. Workstation Use: Indicates what the organization should do to appropriately protect its workstations.
36. Workstation Security: Reviews what the organization should do to prevent unauthorized physical access to workstations that can access ePHI while ensuring that authorized employees have appropriate access.
37. Device and Media Controls: Discusses what the organization should do to appropriately protect information systems and electronic media containing PHI that are moved to various organizational locations.
38. Disposal: Describes what the organization should do to appropriately dispose of information systems and electronic media containing ePHI when they are no longer needed.
39. Media Re-use: Discusses what the organization should do to erase ePHI from electronic media before re-using the media.
40. Accountability: Defines what the organization should do to appropriately track and log all movement of information systems and electronic media containing ePHI to various organizational locations.
41. Data Backup and Storage: Discusses what the organization should do to back up and securely store ePHI on its information systems and electronic media.
42. Access Control: Indicates what the organization should do to purchase and implement information systems that comply with its information access management policies.
43. Unique User Identification: Discusses what the organization should do to assign a unique identifier to each of its employees who access its ePHI, for the purpose of tracking and monitoring use of information systems.
44. Emergency Access Procedure: Discusses what the organization should do to have a formal, documented emergency access procedure enabling authorized employees to obtain required ePHI during an emergency.
45. Automatic Logoff: Discusses what the organization should do to develop and implement procedures for terminating users' sessions after a certain period of inactivity on systems that contain or have the ability to access ePHI.
46. Encryption and Decryption: Discusses what the organization should do to appropriately use encryption to protect the confidentiality, integrity and availability of its ePHI.
47. Audit Controls: Discusses what the organization should do to record and examine significant activity on its information systems that contain or use ePHI.
48. Integrity: Defines what the organization should do to appropriately protect the integrity of its ePHI.
49. Mechanism to Authenticate Electronic Protected Health Information: Discusses what the organization should do to implement appropriate electronic mechanisms to confirm that its ePHI has not been altered or destroyed in any unauthorized manner.
50. Person or Entity Authentication: Defines what the organization should do to ensure that all persons or entities seeking access to its ePHI are appropriately authenticated before access is granted.
51. Transmission Security: Describes what the organization should do to appropriately protect the confidentiality, integrity and availability of the ePHI it transmits over electronic communications networks.
52. Integrity Controls: Indicates what the organization should do to maintain appropriate integrity controls that protect the confidentiality, integrity and availability of the ePHI it transmits over electronic communications networks.
53. Encryption: Defines what the organization should do to appropriately use encryption to protect the confidentiality, integrity and availability of the ePHI it transmits over electronic communications networks.
54. Policies and Procedures: Defines the requirements relative to establishing organizational policies and procedures.
55. Documentation: Discusses what the organization should do to appropriately maintain, distribute and review the security policies and procedures it implements to comply with the HIPAA Security Rule.
56. Isolating Healthcare Clearinghouse Function: The purpose is to implement policies and procedures that protect the electronic protected health information of the clearinghouse from unauthorized access by the larger organization.
57. Group Health Plan Requirements: The purpose is to ensure that reasonable and appropriate safeguards are maintained on electronic protected health information created, received, maintained or transmitted to or by the plan sponsor on behalf of the group health plan.
58. Wireless Security Policy: The purpose is to implement security measures sufficient to reduce risks and vulnerabilities of the wireless infrastructure.
59. Email Security Policy: The purpose is to establish management direction, procedure, and requirements to ensure safe and successful delivery of e-mail.
60. Analog Line Policy: The purpose is to explain Company's analog and ISDN line acceptable use and approval policies and procedures.
61. Dial-in Access Policy: The purpose is to implement security measures sufficient to reduce risks and vulnerabilities of dial-in connections to the enterprise infrastructure.
62. Automatically Forwarded Email Policy: The purpose is to prevent the unauthorized or inadvertent disclosure of sensitive company information.
63. Remote Access Policy: The purpose is to implement security measures sufficient to reduce risks and vulnerabilities of remote access connections to the enterprise infrastructure.
64. Ethics Policy: The purpose is to establish a culture of openness, trust and integrity in business practices.
65. VPN Security Policy: The purpose is to implement security measures sufficient to reduce the risks and vulnerabilities of the VPN infrastructure.
66. Extranet Policy: The purpose is to describe the policy under which third-party organizations connect to Company's networks for the purpose of transacting business related to Company.
67. Internet DMZ Equipment Policy: The purpose is to define standards to be met by all equipment owned and/or operated by Company located outside Company's corporate Internet firewalls.
68. Network Security Policy: The purpose is to establish requirements for information processed by computer networks.
According to a recent study by the Ponemon Institute, 96 percent of all healthcare providers say they have had at least one data breach in the last two years, and the frequency of data breaches in healthcare has increased 32 percent in the past year.[1]
However, not all data breaches are the result of malicious intent. Rather, the vast majority are the result of unintentional actions by employees or third-party vendors. From lost or stolen laptops to misdirected emails and faxes, sensitive information can be exposed at any point in the process. And while the cost of healthcare data breaches has been hard to quantify, the economic impact of an incident tends to average $2.2 million per organization, up 10 percent year over year. In addition to the actual loss of money, most organizations also suffer time and productivity loss, brand or reputation diminishment and/or loss of patient goodwill, resulting in patient churn. Unfortunately, while almost half of the IT respondents in the survey said they were confident in their ability to identify major data breaches involving patient information and determine their root causes, only 29 percent said they were confident that they could prevent or curtail major data breaches involving patient information.

[1] http://www2.idexpertscorp.com/ponemon-study-2011
fit of systems that meet both FISMA and DIACAP requirements should the organization start delivering services to the government. Carpathia has a track record of engineering and hosting HIPAA-compliant systems for medium and small companies, system integrators, development companies and small A8 businesses. Clients such as INRange Systems and Portal | Ascend rely on Carpathia's compliance experience and expertise to ensure their information systems achieve and maintain healthcare compliance mandates throughout the lifecycle of their systems. Carpathia's suite of services is designed for organizations seeking scalable, secure, robust and enterprise-grade hosting solutions that can be quickly provisioned or tailored to meet unique requirements. From fully managed environments to cloud solutions to colocation services, Carpathia's comprehensive solutions portfolio helps healthcare entities of all sizes meet their application performance and operational support requirements. Our services platform blends people, process and technology into a unified delivery platform, allowing us to deliver colocation, managed and cloud services as an integrated customer solution across all of our data centers. This dynamic delivery platform scales to meet customer demand for managed services and is built on a private cloud computing platform that uses the latest advances in virtualization technology. Backed by its E3 Promise, Carpathia consistently delivers an experience that exceeds customers' expectations. For more information, visit www.carpathia.com/healthcare.
Carpathia Hosting is a leading provider of managed hosting services, providing secure, reliable and compliant IT infrastructure and management for some of the world's most demanding enterprises and federal agencies. Founded in 2003, Carpathia is a growing, profitable business run by a seasoned management team with deep experience in delivering enterprise hosting solutions, including colocation, managed services and cloud computing. Carpathia's suite of services is designed for organizations seeking scalable, secure, robust and enterprise-grade hosting solutions that can be quickly provisioned or tailored to meet unique requirements. Backed by its E3 Promise, Carpathia consistently delivers an experience that exceeds customers' expectations. Carpathia was named to the Inc. Magazine 500|5000 list in 2011 as one of America's fastest-growing companies. Contact Carpathia at 1.888.200.9494, or visit Carpathia.com for more information.
703.840.3900 / 1.888.200.9494