Forum for Information Security

Assurance & Compliance, July 2, 2005 8:21 am

For first timers trying to understand the voluminous HIPAA and its implications to their business, the following information may prove useful.

In a nutshell, HIPAA addresses privacy and security concerns with Electronic Patient Health Information (EPHI), and requires anyone involved in the generation, processing and managing of patient data to implement adequate security controls.

Examples of Systems where patient records are stored include (but are not limited to) Patient Admissions / Registrations; Laboratory Information Systems, Pathology Information Systems, Clinical Documentation Systems, Emergency Department Systems, Patient Safety Systems, Physician Practice Management Systems, Pharmacy Systems, Surgical Systems, Risk Management Systems, Data Warehouses, Medical Devices.

The next step is identifying who accesses the EPHI records from these systems.

Again, examples of personnel and entities accessing patient records are Unit Staff, Patient Care Staff, Physicians and Physicians’ Assistants, Laboratory and Radiology Staff, Quality Improvement Staff, Utilization Department Staff, Medical Records Staff, Medical Transcriptionists, Coders, Information Systems Staff and Revenue Function Staff.

EPHI records are transmitted to Reference Labs, Home Healthcare Providers, Physicians’ Offices, Pharmacies, Billing Administrators, Auditors and Consultants, Payers, Collection Agencies, Transcriptionists, Coding Firms, Information Systems Vendors, Regulatory Agencies and Physician / Patient Information Portals.

Now that the systems and personnel who access and process patient information have been identified, information controls, logical and physical, need to be developed and implemented.

HIPAA specifies 14 mandatory implementation specifications and 22 optional guidelines (depending on operating environment) - sections 308, 310 and 312 specifically deal with these specifications.

In brief, controls for Access Control, Physical Security, Incident Response, Disaster Recovery, Training and Monitoring will need to be designed, tested for compliance and finally implemented.

While HIPAA does not specifically nominate any technology solution, in practice several standard security solutions are used as part of any Defense in Depth approach towards Information Security, to be able to enforce and monitor the controls which have been developed.

This is a very basic description of a HIPAA compliance approach - suggested reading should include:

1. www.hipaa.org
2. www.hipaadvisory.com

Later, I will discuss a couple of real world scenarios as well as evaluate vendor solutions for HIPAA compliance.

Rion

Assurance & Compliance 5:34 am

Word on the street is that there are some changes to be made to BS7799 - recently, Ted Humphries, author of BS7799, in a talk given at the UK ISACA Annual ISSA Day, announced that the standard has been tweaked a fair bit for relevance and applicability, keeping in mind industry developments and requirements since the standard was last updated. This means all BS7799 LAs will have to undergo training on the changes within the next few months.
Watch this space - I will be posting more on the specific changes with information on how these impact the audit and assurance process.

Rion

Information Security 5:23 am

The other day, I was discussing the topic of managed security alerts, as a service to the community and whether it could be built into a business case - if you visit www.warp.gov.uk you can see a step-by-step approach to creating a filtered discussion board for the community to share threat alerts and action taken as part of an early warning system. NISCC (www.niscc.gov.uk) has published a WARP toolbox that gives you information on how to set up an active WARP. Essentially, the value proposition of a WARP is that the entire community benefits from early warnings, elimination of false positives and verified and filtered advisories and information on response mechanisms, but it also makes it easier to justify Return on Security Investment (RoSI). Many organizations are involved with WARPs - watch this space, I’ll post additional information in the days ahead.

Cheers,

Rion