In an earlier post, I outlined a basic 3-step approach to implementing HIPAA within your organization.
http://mielesecurity.blogsome.com/2005/07/02/hipaa-compliance-a-basic-3-step-approach/
This information is provided for an audience seeking an overview of the information security requirements outlined in HIPAA. I hope it will be useful as a starting point towards compliance, particularly if you are in the healthcare outsourcing business (claims processing, clinical records management and analysis, customer service, helpdesk, etc.).
The Act:
The Health Insurance Portability and Accountability Act (HIPAA), signed into law by President Clinton on August 21, 1996, was established to improve the overall efficiency and effectiveness of the healthcare system by ensuring continued healthcare coverage for individual workers and their families in the event that they change employment. The law includes additional provisions for healthcare systems which address the management of health information, the simplification of administrative aspects of healthcare, as well as rulings which address the privacy and the security of health information.
Key Sections That Pertain to System Security
HIPAA security regulations are intentionally vendor and technology neutral, and consequently are both broad and open to interpretation based on the individual circumstances of the healthcare entity. The Security Rule contains three measures that must be addressed in order to protect and assure the confidentiality of electronic protected health information:
• Administrative Safeguards: Implement and maintain policies and procedures to prevent, detect, contain and correct security violations.
• Physical Safeguards: Implement and maintain policies and procedures to limit physical access to computer systems and their facilities, while ensuring that properly authorized access is allowed.
• Technical Safeguards: Implement and maintain policies and procedures that protect and monitor information access and prevent unauthorized access to data transmitted over a network.
Technical Safeguards: These standards describe the technical processes of the systems that will be used to enforce the administrative standards. Stated differently, how will you execute your security plan, including the electronic creation, updating, managing and transmittal of the data? At a minimum, each of the following must be addressed:
• Access Controls: Implement technical policies and procedures for electronic information systems that maintain electronic protected health information, to allow access only to those persons or software programs that have been granted access rights.
• Privacy Controls: Ensure that confidential data is secured while in transit.
• Audit Controls: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
• Integrity: Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.
• Person or Entity Authentication: Implement procedures to verify that a person or entity seeking access to electronic protected health information is the one claimed.
Best Practices Approach
The following is a “best practices” approach to securing the “inner” network from internal threats, thereby helping to achieve regulatory compliance. These steps, coupled with an adequate external perimeter defense, will establish and maintain a secure “trusted” internal network environment.
• Define which security relationships are needed.
• Segregate the network into security zones to facilitate easier management.
• Enforce the established security relationships within and across the security zones.
• Perform regular network audits to ensure security relationships are enforced.
• Update security relationships as business needs or compliance issues dictate.
• Provide an audit trail and reporting to satisfy regulatory compliance audits.
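To make the enforce/audit steps concrete, here is an added example (not from the original post or any HIPAA publication) that audits sample flow records against the security relationships defined between segregated zones. The zone address ranges, the allowed-relationship table and the log format are all constructed assumptions for illustration.

```python
"""Zone-policy audit (constructed example): observed flows vs. defined security relationships."""
import ipaddress

# Constructed zones; the address ranges are illustrative placeholders.
ZONES = {
    "clinical": ipaddress.ip_network("10.10.0.0/24"),  # systems holding ePHI
    "claims": ipaddress.ip_network("10.20.0.0/24"),    # claims processing
    "helpdesk": ipaddress.ip_network("10.30.0.0/24"),  # customer service
    "mgmt": ipaddress.ip_network("10.99.0.0/24"),      # admin jump hosts
}
# Security relationships: (source zone, destination zone, dst port) that are permitted.
ALLOWED = {
    ("claims", "clinical", 443),
    ("helpdesk", "claims", 443),
    ("mgmt", "clinical", 22),
    ("mgmt", "claims", 22),
    ("mgmt", "helpdesk", 22),
}

def zone_of(ip):
    """Map an address to its zone; anything outside every defined zone is 'unknown'."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "unknown")

def parse_flow(line):
    """Constructed log format: '<timestamp> <src_ip> <dst_ip> <dst_port> <action>'."""
    ts, src, dst, port, action = line.split()
    return ts, src, dst, int(port), action

def audit_flows(lines):
    """Return accepted cross-zone flows matching no defined relationship, as audit-trail records."""
    findings = []
    for line in lines:
        ts, src, dst, port, action = parse_flow(line)
        if action != "ACCEPT":
            continue  # a denied flow shows enforcement working; it is not a violation
        sz, dz = zone_of(src), zone_of(dst)
        if sz != dz and (sz, dz, port) not in ALLOWED:
            findings.append((ts, sz, dz, src, dst, port))
    return findings

# Constructed sample flow records for the audit.
SAMPLE_FLOWS = [
    "2005-07-10T09:00:01 10.20.0.15 10.10.0.5 443 ACCEPT",   # claims -> clinical, allowed
    "2005-07-10T09:00:02 10.30.0.8 10.10.0.5 443 ACCEPT",    # helpdesk -> clinical, no relationship
    "2005-07-10T09:00:03 10.99.0.2 10.10.0.5 22 ACCEPT",     # mgmt -> clinical, allowed
    "2005-07-10T09:00:04 10.20.0.15 10.10.0.5 3389 ACCEPT",  # claims -> clinical, port not permitted
    "2005-07-10T09:00:05 192.168.1.7 10.10.0.5 443 ACCEPT",  # source outside every zone
    "2005-07-10T09:00:06 10.30.0.8 10.10.0.5 22 DENY",       # blocked as intended
]
```

Running `audit_flows(SAMPLE_FLOWS)` yields three records (the helpdesk-to-clinical flow, the claims-to-clinical flow on an unapproved port, and the flow from an address in no defined zone), each carrying the timestamp and zone pair needed for the compliance audit trail.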
If anyone has questions / comments, do post them here.
RiOn