HIPAA Security Standards

1
HIPAA Security Standards

• Whats happening in your office?

2
Agenda

• Industry Statistics
• Review Rules
• Assessment -What needs to be done?
• Physical and Technical Safeguards
• Technical terminology
• Next Steps
• Questions Open Discussion

3
Statistics
4
Statistics
5

• IT security will always be a balancing act
  between risk and cost.

6
Security Standards

• Required or Addressable

7
HIPAA Security Standards

• Administrative Safeguards (55)
• 12 required, 11 Addressable
• Physical Safeguards (24)
• 4 required, 6 Addressable
• Technical Safeguards (21)
• 4 required, 5 Addressable
• The final rule has been modified to increase
• Flexibility as to how protection is accomplished.

8
Addressable Implementation Specifications

• Covered entities must assess if an implementation
  specification is reasonable and appropriate based
  upon factors such as
• Risk analysis and mitigation strategy
• Costs of implementation
• Current security controls in place
• Key concept reasonable and appropriate
• Cost is not meant to free covered entities from
  their security responsibilities

9
Addressable Implementation Specifications

• In meeting standards that contain addressable
  implementation specifications, a covered entity
  will ultimately do one of the following
• a. Implement one or more of the addressable
  
  implementation specifications
• b. Implement one or more alternative security
  measures
• c. Implement a combination of both or
• d. Not implement either an addressable
  implementation specification or an alternative
  security measure.
• Must document!

10
Administrative Safeguards
11
Physical Safeguards
12
Technical Safeguards
13
Terminology

• Security
• Refers to techniques for ensuring that data
  stored in a computer cannot be read or
  compromised. Most security measures involve data
  encryption and passwords. Data encryption is
  the translation of data into a form that is
  unintelligible without a deciphering mechanism.
  A password is a secret word or phrase that gives
  a user access to a particular program or system.
• firewall
• A system designed to prevent unauthorized access
  to or from a private network. Firewalls can be
  implemented in both hardware and software, or a
  combination of both. Firewalls are frequently
  used to prevent unauthorized Internet users from
  accessing private networks connected to the
  Internet, especially intranets. All messages
  entering or leaving the intranet pass through the
  firewall, which examines each message and blocks
  those that do not meet the specified security
  criteria.

14
Terminology

• There are several types of firewall techniques
• Packet filter Looks at each packet entering or
  leaving the network and accepts or rejects it
  based on user-defined rules. Packet filtering is
  fairly effective and transparent to users, but it
  is difficult to configure. In addition, it is
  susceptible to IP spoofing.
• Application gateway Applies security mechanisms
  to specific applications, such as FTP and Telnet
  servers. This is very effective, but can impose a
  performance degradation.
• Circuit-level gateway Applies security
  mechanisms when a TCP or UDP connection is
  established. Once the connection has been made,
  packets can flow between the hosts without
  further checking.
• Proxy server Intercepts all messages entering
  and leaving the network. The proxy server
  effectively hides the true network addresses.
• In practice, many firewalls use two or more of
  these techniques in concert.
• A firewall is considered a first line of defense
  in protecting private information. For greater
  security, data can be encrypted.

15
Terminology

• VPN
• Short for virtual private network, a network that
  is constructed by using public wires to connect
  nodes. For example, there are a number of
  systems that enable you to create networks using
  the Internet as the medium for transporting data.
  These systems use encryption and other security
  mechanisms to ensure that only authorized users
  can access the network and that the data cannot
  be intercepted.
• Antivirus program
• A utility that searches a hard disk for viruses
  and removes any that are found. Most antivirus
  programs include an auto-update feature that
  enables the program to download profiles of new
  viruses so that it can check for the new viruses
  as soon as they are discovered.
• Secure server
• A Web server that supports any of the major
  security protocols, like SSL, that encrypt and
  decrypt messages to protect them against third
  party tampering. Making purchases from a secure
  Web server ensures that a user's payment or
  personal information can be translated into a
  secret code that's difficult to crack. Major
  security protocols include SSL, SHTTP, PCT, and
  IPSec.

16
Next Steps

• Assign responsibility to one person
• Conduct a risk analysis
• Deliver security awareness in conjunction with
  privacy
• Develop policies, procedures, and documentation
  as needed
• Review and modify access and audit controls
• Establish security incident reporting and
  response procedures

17
Questions?
18
Helpful sites

• www.hipaadvisory.com Phoenix Health System
• www.himss.org Health Information Management
  Systems Society
• www.sans.org/resources/policies/ - SysAdmin,
  Audit, Networks, Security Institute
• www.hipaacomply.com - Beacon Partners
• www.cms.gov/hipaa/ - Center for Medicare and
  Medicaid Services
• www.aha.org American Hospital Association
• www.aamc.org/members/gir/gasp/ - Guidelines for
  Academic Medical Centers on Security and Privacy
• http//dirm.state.nc.us.hipaa.hippa2002/security/s
  ecurity.html - North Carolina DHHS HIPAA