HIPAA Security Standards

HIPAA Security Standards
What’s happening in your office?
Agenda
• Industry Statistics
• Review Rules
• Assessment - What needs to be done?
• Physical and Technical Safeguards
• Technical terminology
• Next Steps
• Questions – Open Discussion
Statistics
IT security will always be a balancing act between risk and cost.
Security Standards
Required or Addressable
HIPAA Security Standards
• Administrative Safeguards (55%)
– 12 required, 11 Addressable
• Physical Safeguards (24%)
– 4 required, 6 Addressable
• Technical Safeguards (21%)
– 4 required, 5 Addressable
The final rule has been modified to increase flexibility as to how protection is
Addressable Implementation Specifications
• Covered entities must assess if an implementation specification is reasonable and appropriate based upon factors such as:
– Risk analysis and mitigation strategy
– Costs of implementation
– Current security controls in place
• Key concept: “reasonable and appropriate”
• Cost is not meant to free covered entities from their security responsibilities
Addressable Implementation Specifications
“In meeting standards that contain addressable implementation specifications, a covered entity will ultimately do one of the following:
a. Implement one or more of the addressable implementation specifications;
b. Implement one or more alternative security measures;
c. Implement a combination of both; or
d. Not implement either an addressable implementation specification or an alternative security measure.”
Must document!
Administrative Safeguards
(R)=Required (A)=Addressable
Standard (Section): Implementation Specifications
1 Security Management Process (164.308(a)(1)):
   Risk Analysis (R)
   Risk Management (R)
   Sanction Policy (R)
   Information System Activity Review (R)
2 Assigned Security Responsibility (164.308(a)(2)): (R), no separate specification
3 Workforce Security (164.308(a)(3)):
   Authorization and/or Supervision (A)
   Workforce Clearance Procedure (A)
   Termination Procedures (A)
4 Information Access Management (164.308(a)(4)):
   Isolating Health Care Clearinghouse Function (R)
   Access Authorization (A)
   Access Establishment and Modification (A)
5 Security Awareness and Training (164.308(a)(5)):
   Security Reminders (A)
   Protection from Malicious Software (A)
   Log-in Monitoring (A)
   Password Management (A)
6 Security Incident Procedures (164.308(a)(6)):
   Response and Reporting (R)
7 Contingency Plan (164.308(a)(7)):
   Data Backup Plan (R)
   Disaster Recovery Plan (R)
   Emergency Mode Operation Plan (R)
   Testing and Revision Procedure (A)
   Application and Data Criticality Analysis (A)
8 Evaluation (164.308(a)(8)): (R), no separate specification
9 Business Associate Contracts and Other Arrangements (164.308(b)(1)):
   Written Contract or Other Arrangement (R)
Totals: 12 required, 11 addressable
Physical Safeguards
(R)=Required (A)=Addressable
Standard (Section): Implementation Specifications
10 Facility Access Controls (164.310(a)(1)):
   Contingency Operations (A)
   Facility Security Plan (A)
   Access Control and Validation Procedures (A)
   Maintenance Records (A)
11 Workstation Use (164.310(b)): (R), no separate specification
12 Workstation Security (164.310(c)): (R), no separate specification
13 Device and Media Controls (164.310(d)(1)):
   Disposal (R)
   Media Re-use (R)
   Accountability (A)
   Data Backup and Storage (A)
Totals: 4 required, 6 addressable
Technical Safeguards
(R)=Required (A)=Addressable
Standard (Section): Implementation Specifications
14 Access Control (164.312(a)(1)):
   Unique User Identification (R)
   Emergency Access Procedure (R)
   Automatic Logoff (A)
   Encryption and Decryption (A)
15 Audit Controls (164.312(b)): (R), no separate specification
16 Integrity (164.312(c)(1)):
   Mechanism to Authenticate Electronic Protected Health Information (A)
17 Person or Entity Authentication (164.312(d)): (R), no separate specification
18 Transmission Security (164.312(e)(1)):
   Integrity Controls (A)
   Encryption (A)
Totals: 4 required, 5 addressable
Terminology
Security
• Refers to techniques for ensuring that data stored in a computer cannot be read or compromised by unauthorized parties. Most security measures involve data encryption and passwords. Data encryption is the translation of data into a form that is unintelligible without a deciphering mechanism. A password is a secret word or phrase that gives a user access to a particular program or system.
Firewall
• A system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in hardware, software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.
Terminology
There are several types of firewall techniques:
• Packet filter: Looks at each packet entering or leaving the network and accepts or rejects it based on user-defined rules. Packet filtering is fairly effective and transparent to users, but it is difficult to configure. In addition, it is susceptible to IP spoofing.
• Application gateway: Applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can impose a performance degradation.
• Circuit-level gateway: Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.
• Proxy server: Intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses.
• In practice, many firewalls use two or more of these techniques in concert.
• A firewall is considered a first line of defense in protecting private information. For greater security, data can be encrypted.
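As an added example (not part of the original presentation), the packet-filter technique described above written as a first-match rule table in Python: constructed packets show that a filter deciding on header fields alone accepts a packet from the Internet that merely claims an intranet source address (the IP spoofing weakness the slide names), and an ingress check on the external interface is the usual way to close that gap. The intranet range 10.0.0.0/8, the interface names and the rules are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed example (assumption): the intranet behind the firewall.
INTERNAL = ip_network("10.0.0.0/8")

@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "ext" (Internet) or "int"
    src: str     # claimed source address, copied from the packet header
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str                  # "accept" or "reject"
    src: str = "any"             # source CIDR, or "any"
    proto: str = "any"
    dport: Optional[int] = None  # destination port, or None for any port

    def matches(self, p: Packet) -> bool:
        if self.src != "any" and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.proto != "any" and p.proto != self.proto:
            return False
        return self.dport is None or p.dport == self.dport

# Constructed user-defined rules, evaluated top to bottom; first match wins.
RULES = [
    Rule("accept", src="10.0.0.0/8"),        # trust anything from the intranet
    Rule("accept", proto="tcp", dport=443),  # HTTPS to the web server from anywhere
    Rule("reject"),                          # default deny
]

def filter_packet(p: Packet, rules=RULES, anti_spoof: bool = False) -> str:
    """Decide accept/reject from header fields only, like a packet filter.
    The filter cannot verify p.src, so an Internet packet claiming an intranet
    source would match the trust rule. With anti_spoof=True, internal source
    addresses seen on the external interface are rejected before the rules."""
    if anti_spoof and p.iface == "ext" and ip_address(p.src) in INTERNAL:
        return "reject"
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "reject"
```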
Terminology
VPN
• Short for virtual private network, a network that is constructed by using public wires to connect nodes. For example, there are a number of systems that enable you to create networks using the Internet as the medium for transporting data. These systems use encryption and other security mechanisms to ensure that only authorized users can access the network and that the data cannot be intercepted.
Antivirus program
• A utility that searches a hard disk for viruses and removes any that are found. Most antivirus programs include an auto-update feature that enables the program to download profiles of new viruses so that it can check for the new viruses as soon as they are discovered.
Secure server
• A Web server that supports any of the major security protocols, like SSL, that encrypt and decrypt messages to protect them against third-party tampering. Making purchases from a secure Web server ensures that a user's payment or personal information can be translated into a secret code that's difficult to crack. Major security protocols include SSL, SHTTP, PCT, and IPSec.
Next Steps
• Assign responsibility to one person
• Conduct a risk analysis
• Deliver security awareness in conjunction with privacy
• Develop policies, procedures, and documentation as needed
• Review and modify access and audit controls
• Establish security incident reporting and response
Helpful sites:
• www.hipaadvisory.com – Phoenix Health System
• www.himss.org – Health Information Management Systems Society
• www.sans.org/resources/policies/ – SysAdmin, Audit, Networks, Security Institute
• www.hipaacomply.com – Beacon Partners
• www.cms.gov/hipaa/ – Center for Medicare and Medicaid Services
• www.aha.org – American Hospital Association
• www.aamc.org/members/gir/gasp/ – Guidelines for Academic Medical Centers on Security and Privacy
• http://dirm.state.nc.us.hipaa.hippa2002/security/security.html – North Carolina DHHS HIPAA