HIPAA Security Standards: What’s happening in your office?

Posted on 18-Dec-2015

Page 1: HIPAA Security Standards What’s happening in your office?

HIPAA Security Standards: What’s happening in your office?

Page 2

Agenda

• Industry Statistics
• Review Rules
• Assessment – What needs to be done?
• Physical and Technical Safeguards
• Technical terminology
• Next Steps
• Questions – Open Discussion

Page 3

Statistics

Page 4

Statistics

Page 5

IT security will always be a balancing act between risk and cost.

Page 6

Security Standards: Required or Addressable

Page 7

HIPAA Security Standards

• Administrative Safeguards (55%) – 12 Required, 11 Addressable
• Physical Safeguards (24%) – 4 Required, 6 Addressable
• Technical Safeguards (21%) – 4 Required, 5 Addressable

The final rule has been modified to increase flexibility as to how protection is accomplished.

Page 8

Addressable Implementation Specifications

• Covered entities must assess if an implementation specification is reasonable and appropriate based upon factors such as:
  – Risk analysis and mitigation strategy
  – Costs of implementation
  – Current security controls in place

• Key concept: “reasonable and appropriate”

• Cost is not meant to free covered entities from their security responsibilities

Page 9

Addressable Implementation Specifications

“In meeting standards that contain addressable implementation specifications, a covered entity will ultimately do one of the following:

a. Implement one or more of the addressable implementation specifications;

b. Implement one or more alternative security measures;

c. Implement a combination of both; or

d. Not implement either an addressable implementation specification or an alternative security measure.”

Must document!

Page 10

Administrative Safeguards

Standard (Section): Specification – (R) = Required, (A) = Addressable

Security Management Process (164.308.a1)
  Risk Analysis (R)
  Risk Management (R)
  Sanction Policy (R)
  Information System Activity Review (R)

Assigned Security Responsibility (164.308.a2) (R)

Workforce Security (164.308.a3)
  Authorization and/or Supervision (A)
  Workforce Clearance Procedure (A)
  Termination Procedures (A)

Information Access Management (164.308.a4)
  Isolating Health Care Clearinghouse Function (R)
  Access Authorization (A)
  Access Establishment and Modification (A)

Security Awareness and Training (164.308.a5)
  Security Reminders (A)
  Protection from Malicious Software (A)
  Log-in Monitoring (A)
  Password Management (A)

Security Incident Procedures (164.308.a6)
  Response and Reporting (R)

Contingency Plan (164.308.a7)
  Data Backup Plan (R)
  Disaster Recovery Plan (R)
  Emergency Mode Operation Plan (R)
  Testing and Revision Procedure (A)
  Application and Data Criticality Analysis (A)

Evaluation (164.308.a8) (R)

Business Associate Contracts and Other Arrangements (164.308.b1)
  Written Contract or Other Arrangement (R)
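The "Log-in Monitoring" and "Information System Activity Review" specifications above say what to watch, not how. The following is an added example, not code from the presentation, showing the kind of review an office could run over its own authentication logs. The log format, the sample lines, the thresholds and the business hours are all constructed assumptions for the example; a real review would read the system's actual log and use thresholds the entity has documented in its policy.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (assumed format: "<ISO timestamp> <user> <LOGIN_OK|LOGIN_FAIL> <source-ip>").
# These lines are invented for the example and do not come from any real system.
SAMPLE_LOG = """\
2015-12-18T08:00:05 jdoe LOGIN_OK 10.0.0.12
2015-12-18T08:01:10 asmith LOGIN_FAIL 10.0.0.40
2015-12-18T08:01:30 asmith LOGIN_FAIL 10.0.0.40
2015-12-18T08:01:52 asmith LOGIN_FAIL 10.0.0.40
2015-12-18T08:02:14 asmith LOGIN_FAIL 10.0.0.40
2015-12-18T08:02:40 asmith LOGIN_FAIL 10.0.0.40
2015-12-18T08:03:01 asmith LOGIN_OK 10.0.0.40
2015-12-18T09:15:00 bjones LOGIN_FAIL 10.0.0.7
2015-12-18T13:40:00 bjones LOGIN_FAIL 10.0.0.7
2015-12-18T22:30:00 jdoe LOGIN_OK 203.0.113.9
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (LOGIN_OK|LOGIN_FAIL) (\S+)$")


def parse_log(text):
    """Turn log text into (timestamp, user, result, ip) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, user, result, ip = m.groups()
        events.append((datetime.fromisoformat(ts), user, result, ip))
    return events


def failed_login_bursts(events, threshold=5, window=timedelta(minutes=10)):
    """Users with at least `threshold` failures inside any sliding `window`; value is the largest burst seen."""
    failures = defaultdict(list)
    for ts, user, result, _ in events:
        if result == "LOGIN_FAIL":
            failures[user].append(ts)
    flagged = {}
    for user, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[user] = max(flagged.get(user, 0), count)
    return flagged


def fail_then_success(events, lookback=timedelta(minutes=10), min_failures=3):
    """Users whose successful login came after >= min_failures failures in `lookback` (worth a second look)."""
    out = set()
    for i, (ts, user, result, _) in enumerate(events):
        if result != "LOGIN_OK":
            continue
        recent = [e for e in events[:i]
                  if e[1] == user and e[2] == "LOGIN_FAIL" and ts - e[0] <= lookback]
        if len(recent) >= min_failures:
            out.add(user)
    return out


def after_hours_logins(events, start_hour=7, end_hour=19):
    """Successful logins outside assumed business hours: review candidates, not proof of misuse."""
    return [(ts.isoformat(), user, ip) for ts, user, result, ip in events
            if result == "LOGIN_OK" and not (start_hour <= ts.hour < end_hour)]


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    print("burst failures:", failed_login_bursts(ev))
    print("failures then success:", fail_then_success(ev))
    print("after-hours logins:", after_hours_logins(ev))
```

Each function returns findings rather than printing them so the results can feed a documented review record, which is what the "Must document!" point on the previous slide asks for.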

Page 11

Physical Safeguards

Standard (Section): Specification – (R) = Required, (A) = Addressable

Facility Access Controls (164.310.a1)
  Contingency Operations (A)
  Facility Security Plan (A)
  Access Control and Validation Procedures (A)
  Maintenance Records (A)

Workstation Use (164.310.b) (R)

Workstation Security (164.310.c) (R)

Device and Media Controls (164.310.d1)
  Disposal (R)
  Media Re-use (R)
  Accountability (A)
  Data Backup and Storage (A)

Page 12

Technical Safeguards

Standard (Section): Specification – (R) = Required, (A) = Addressable

Access Control (164.312.a1)
  Unique User Identification (R)
  Emergency Access Procedure (R)
  Automatic Logoff (A)
  Encryption and Decryption (A)

Audit Controls (164.312.b) (R)

Integrity (164.312.c1)
  Mechanism to Authenticate Electronic Protected Health Information (A)

Person or Entity Authentication (164.312.d) (R)

Transmission Security (164.312.e1)
  Integrity Controls (A)
  Encryption (A)

Page 13

Terminology

Security
• Refers to techniques for ensuring that data stored in a computer cannot be read or compromised. Most security measures involve data encryption and passwords. Data encryption is the translation of data into a form that is unintelligible without a deciphering mechanism. A password is a secret word or phrase that gives a user access to a particular program or system.

Firewall
• A system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in both hardware and software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.

Page 14

Terminology

There are several types of firewall techniques:

• Packet filter: Looks at each packet entering or leaving the network and accepts or rejects it based on user-defined rules. Packet filtering is fairly effective and transparent to users, but it is difficult to configure. In addition, it is susceptible to IP spoofing.

• Application gateway: Applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can impose a performance degradation.

• Circuit-level gateway: Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.

• Proxy server: Intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses.

• In practice, many firewalls use two or more of these techniques in concert.

• A firewall is considered a first line of defense in protecting private information. For greater security, data can be encrypted.
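The packet-filter technique described above, as an added example that is not part of the presentation: a small rule evaluator over constructed packets, showing first-match ordering, default deny for anything no rule covers, and the IP spoofing weakness the slide mentions. Rule 3 trusts the source address alone, so a packet on the outside interface claiming an inside address would pass it; rule 1 is the usual remedy, rejecting any packet that arrives on the external interface with an internal source. The interfaces, address ranges, servers and ports are all assumptions for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "external" or "internal" (assumed names)
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    iface: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: int = 0       # 0 means any port

    def matches(self, p: Packet) -> bool:
        return ((self.iface == "any" or self.iface == p.iface)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto == "any" or self.proto == p.proto)
                and (self.dport == 0 or self.dport == p.dport))


INTERNAL_NET = "10.0.0.0/8"   # assumed private range for the office network

RULES = [
    # Rule 1, anti-spoofing: a packet on the external interface must not claim an internal source.
    Rule("deny", iface="external", src=INTERNAL_NET),
    # Rule 2: outside users may reach only the (assumed) web server, only on HTTPS.
    Rule("allow", iface="external", dst="10.0.0.5/32", proto="tcp", dport=443),
    # Rule 3: internal hosts may reach the (assumed) file server on SMB. It keys on the source
    # address only, which is exactly what a spoofed packet imitates; rule 1 covers that gap.
    Rule("allow", src=INTERNAL_NET, dst="10.0.0.6/32", proto="tcp", dport=445),
]


def filter_packet(p: Packet, rules=RULES) -> str:
    """First matching rule decides; a packet matching no rule is denied (default deny)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


if __name__ == "__main__":
    spoofed = Packet("external", "10.0.0.9", "10.0.0.6", "tcp", 445)
    print("spoofed packet with rule 1:", filter_packet(spoofed))
    print("spoofed packet without rule 1:", filter_packet(spoofed, RULES[1:]))
```

Running the block with the full rule list denies the spoofed packet; running it with rule 1 removed allows it, which is the configuration mistake the slide's "susceptible to IP spoofing" caveat refers to.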

Page 15

Terminology

VPN
• Short for virtual private network, a network that is constructed by using public wires to connect nodes. For example, there are a number of systems that enable you to create networks using the Internet as the medium for transporting data. These systems use encryption and other security mechanisms to ensure that only authorized users can access the network and that the data cannot be intercepted.

Antivirus program
• A utility that searches a hard disk for viruses and removes any that are found. Most antivirus programs include an auto-update feature that enables the program to download profiles of new viruses so that it can check for the new viruses as soon as they are discovered.

Secure server
• A Web server that supports any of the major security protocols, like SSL, that encrypt and decrypt messages to protect them against third-party tampering. Making purchases from a secure Web server ensures that a user's payment or personal information can be translated into a secret code that's difficult to crack. Major security protocols include SSL, SHTTP, PCT, and IPSec.

Page 16

Next Steps

• Assign responsibility to one person
• Conduct a risk analysis
• Deliver security awareness in conjunction with privacy
• Develop policies, procedures, and documentation as needed
• Review and modify access and audit controls
• Establish security incident reporting and response procedures

Page 17

Page 18

Helpful sites:

• www.hipaadvisory.com – Phoenix Health System
• www.himss.org – Health Information Management Systems Society
• www.sans.org/resources/policies/ – SysAdmin, Audit, Networks, Security Institute
• www.hipaacomply.com – Beacon Partners
• www.cms.gov/hipaa/ – Center for Medicare and Medicaid Services
• www.aha.org – American Hospital Association
• www.aamc.org/members/gir/gasp/ – Guidelines for Academic Medical Centers on Security and Privacy
• http://dirm.state.nc.us.hipaa.hippa2002/security/security.html – North Carolina DHHS HIPAA