HIPAA Security Standards
What's happening in your office?

Agenda
• Industry Statistics
• Review Rules
• Assessment - What needs to be done?
• Physical and Technical Safeguards
• Technical terminology
• Next Steps
• Questions - Open Discussion

Statistics
IT security will always be a balancing act between risk and cost.

Security Standards: Required or Addressable
HIPAA Security Standards
• Administrative Safeguards (55%) - 12 required, 11 addressable
• Physical Safeguards (24%) - 4 required, 6 addressable
• Technical Safeguards (21%) - 4 required, 5 addressable
(The percentages are each category's share of the 42 implementation specifications in the rule: 20 required and 22 addressable in total.)
The final rule has been modified to increase flexibility as to how protection is

Addressable Implementation Specifications
• Covered entities must assess whether an implementation specification is reasonable and appropriate based upon factors such as:
  - Risk analysis and mitigation strategy
  - Costs of implementation
  - Current security controls in place
• Key concept: "reasonable and appropriate"
• Cost is not meant to free covered entities from their security responsibilities

Addressable Implementation Specifications
"In meeting standards that contain addressable implementation specifications, a covered entity will ultimately do one of the following:
a. Implement one or more of the addressable implementation specifications;
b. Implement one or more alternative security measures;
c. Implement a combination of both; or
d. Not implement either an addressable implementation specification or an alternative security measure."
Must document! Whichever option is chosen, the decision and its rationale have to be written down.
Administrative Safeguards   (R) = Required, (A) = Addressable

Standard                                              Section         Implementation Specification                         R/A
1  Security Management Process                        164.308(a)(1)   Risk Analysis                                        R
                                                                      Risk Management                                      R
                                                                      Sanction Policy                                      R
                                                                      Information System Activity Review                   R
2  Assigned Security Responsibility                   164.308(a)(2)   (standard itself, no separate specification)         R
3  Workforce Security                                 164.308(a)(3)   Authorization and/or Supervision                     A
                                                                      Workforce Clearance Procedure                        A
                                                                      Termination Procedures                               A
4  Information Access Management                      164.308(a)(4)   Isolating Health Care Clearinghouse Function         R
                                                                      Access Authorization                                 A
                                                                      Access Establishment and Modification                A
5  Security Awareness and Training                    164.308(a)(5)   Security Reminders                                   A
                                                                      Protection from Malicious Software                   A
                                                                      Log-in Monitoring                                    A
                                                                      Password Management                                  A
6  Security Incident Procedures                       164.308(a)(6)   Response and Reporting                               R
7  Contingency Plan                                   164.308(a)(7)   Data Backup Plan                                     R
                                                                      Disaster Recovery Plan                               R
                                                                      Emergency Mode Operation Plan                        R
                                                                      Testing and Revision Procedure                       A
                                                                      Application and Data Criticality Analysis            A
8  Evaluation                                         164.308(a)(8)   (standard itself, no separate specification)         R
9  Business Associate Contracts and Other Arrangements 164.308(b)(1)  Written Contract or Other Arrangement                R

Physical Safeguards   (R) = Required, (A) = Addressable

Standard                                              Section         Implementation Specification                         R/A
10 Facility Access Controls                           164.310(a)(1)   Contingency Operations                               A
                                                                      Facility Security Plan                               A
                                                                      Access Control and Validation Procedures             A
                                                                      Maintenance Records                                  A
11 Workstation Use                                    164.310(b)      (standard itself, no separate specification)         R
12 Workstation Security                               164.310(c)      (standard itself, no separate specification)         R
13 Device and Media Controls                          164.310(d)(1)   Disposal                                             R
                                                                      Media Re-use                                         R
                                                                      Accountability                                       A
                                                                      Data Backup and Storage                              A

Technical Safeguards   (R) = Required, (A) = Addressable

Standard                                              Section         Implementation Specification                         R/A
14 Access Control                                     164.312(a)(1)   Unique User Identification                           R
                                                                      Emergency Access Procedure                           R
                                                                      Automatic Logoff                                     A
                                                                      Encryption and Decryption                            A
15 Audit Controls                                     164.312(b)      (standard itself, no separate specification)         R
16 Integrity                                          164.312(c)(1)   Mechanism to Authenticate Electronic Protected Health Information   A
17 Person or Entity Authentication                    164.312(d)      (standard itself, no separate specification)         R
18 Transmission Security                              164.312(e)(1)   Integrity Controls                                   A
                                                                      Encryption                                           A

Terminology

Security
• Refers to techniques for ensuring that data stored in a computer cannot be read or altered by anyone who is not authorized to do so. Most security measures involve data encryption and passwords. Data encryption is the translation of data into a form that is unintelligible without a deciphering mechanism (the key). A password is a secret word or phrase that gives a user access to a particular program or system.

Firewall
• A system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in hardware, in software, or in a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All traffic entering or leaving the intranet passes through the firewall, which examines each packet and blocks those that do not meet the specified security criteria.

Terminology
There are several types of firewall techniques:
• Packet filter: Looks at each packet entering or leaving the network and accepts or rejects it based on user-defined rules, typically on source and destination address, protocol, and port. Packet filtering is fairly effective and transparent to users, but rule sets are easy to get wrong. In addition, a stateless filter trusts the source address written in the packet header, so it is susceptible to IP spoofing unless it also checks which interface a packet arrived on.
• Application gateway: Applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can impose a performance degradation.
• Circuit-level gateway: Applies security mechanisms when a TCP connection (or UDP session) is established. Once the connection has been made, packets can flow between the hosts without further checking.
• Proxy server: Intercepts all messages entering and leaving the network. The proxy server effectively hides the true internal network addresses.
• In practice, many firewalls use two or more of these techniques in concert.
• A firewall is considered a first line of defense in protecting private information. For greater security, data can be encrypted.
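The packet-filter bullet above says a filter applies user-defined rules and is susceptible to IP spoofing. The following is an added example, written for this page and not part of the original slides, that shows both points in working code: a minimal stateless packet filter with first-match-wins rules and default deny, plus the ingress anti-spoofing check that closes the hole. The topology (internal network 10.0.0.0/8, Internet-facing interface named "wan"), the rule set and the sample packets are all constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed topology (an assumption for this example, not from the slides):
# one private network behind the firewall; "wan" is the Internet-facing interface.
INTERNAL_NETS = [ip_network("10.0.0.0/8")]
EXTERNAL_IFACE = "wan"


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on ("wan" or "lan")
    src: str     # source IP address as written in the packet header
    dst: str     # destination IP address
    proto: str   # "tcp" or "udp"
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str = "any"             # CIDR block or "any"
    dst: str = "any"             # CIDR block or "any"
    proto: str = "any"           # "tcp", "udp" or "any"
    dport: Optional[int] = None  # None means any destination port

    def matches(self, pkt: Packet) -> bool:
        """True when every field of the rule that is not a wildcard matches the packet."""
        if self.src != "any" and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def is_spoofed(pkt: Packet) -> bool:
    """Ingress anti-spoofing: a packet arriving on the external interface
    must not claim a source address that belongs to the internal network."""
    src = ip_address(pkt.src)
    return pkt.iface == EXTERNAL_IFACE and any(src in net for net in INTERNAL_NETS)


def filter_packet(rules, pkt: Packet, antispoof: bool = True):
    """Evaluate rules top to bottom; the first match wins and no match means deny.
    Returns (action, reason) so the caller can log why a decision was made."""
    if antispoof and is_spoofed(pkt):
        return "deny", "spoofed internal source on external interface"
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, f"rule {i}"
    return "deny", "default deny"


# Constructed rule set: public HTTPS to one web server; SSH only from inside.
RULES = [
    Rule("allow", dst="10.0.0.5/32", proto="tcp", dport=443),
    Rule("allow", src="10.0.0.0/8", dst="10.0.0.0/8", proto="tcp", dport=22),
]

# Constructed sample packets.
HTTPS_FROM_INTERNET = Packet("wan", "203.0.113.7", "10.0.0.5", "tcp", 443)
SSH_FROM_INTERNET = Packet("wan", "203.0.113.7", "10.0.0.5", "tcp", 22)
SSH_FROM_LAN = Packet("lan", "10.0.0.9", "10.0.0.5", "tcp", 22)
# Attacker on the Internet forges an internal source address.
SPOOFED_SSH = Packet("wan", "10.0.0.9", "10.0.0.5", "tcp", 22)

if __name__ == "__main__":
    samples = [
        ("https from internet", HTTPS_FROM_INTERNET),
        ("ssh from internet", SSH_FROM_INTERNET),
        ("ssh from lan", SSH_FROM_LAN),
        ("spoofed ssh", SPOOFED_SSH),
    ]
    for name, pkt in samples:
        naive = filter_packet(RULES, pkt, antispoof=False)
        hardened = filter_packet(RULES, pkt)
        print(f"{name:20s} naive={naive}  with anti-spoofing={hardened}")
```

Run as-is, the spoofed packet is allowed by the address-only rules (it matches the "internal SSH" rule) and denied only once the filter also asks which interface the packet came in on. That interface check is the concrete fix for the IP-spoofing weakness the bullet mentions; a production filter would add state tracking so replies are only admitted for connections the inside opened.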
Terminology

VPN
• Short for virtual private network: a network constructed by using public wires to connect nodes. For example, a number of systems enable you to create networks using the Internet as the medium for transporting data. These systems use encryption and other security mechanisms to ensure that only authorized users can access the network and that the data cannot be read if it is intercepted in transit.

Antivirus program
• A utility that searches a hard disk for viruses and removes any that are found. Most antivirus programs include an auto-update feature that downloads profiles (signatures) of new viruses so that the program can check for them as soon as they are discovered; a scanner running on stale signatures gives little protection against current malware.

Secure server
• A Web server that supports one of the major security protocols, such as SSL, that encrypt and decrypt messages to protect them against third-party eavesdropping and tampering. Making purchases from a secure Web server ensures that a user's payment or personal information is encrypted while in transit between browser and server; it says nothing about how the server protects that data once it has been received and stored. Major security protocols include SSL, S-HTTP, PCT, and IPSec. (SSL has since been superseded by TLS; S-HTTP and PCT are no longer in use.)

Next Steps
• Assign responsibility to one person
• Conduct a risk analysis
• Deliver security awareness in conjunction with privacy
• Develop policies, procedures, and documentation as needed
• Review and modify access and audit controls
• Establish security incident reporting and response

Helpful sites:
• www.hipaadvisory.com - Phoenix Health Systems
• www.himss.org - Healthcare Information and Management Systems Society
• www.sans.org/resources/policies/ - SANS (SysAdmin, Audit, Network, Security) Institute
• www.hipaacomply.com - Beacon Partners
• www.cms.gov/hipaa/ - Centers for Medicare and Medicaid Services
• www.aha.org - American Hospital Association
• www.aamc.org/members/gir/gasp/ - Guidelines for Academic Medical Centers on Security and Privacy
• http://dirm.state.nc.us.hipaa.hippa2002/security/security.html - North Carolina DHHS HIPAA