ABOUT HIPAA SECURITY - CONTINUED

 

3. IT asset classification and control

One of the most laborious but essential tasks is maintaining an inventory of all IT assets. These include information assets (databases), software assets (applications), and physical assets (servers, PDAs, etc.). Each IT asset must be classified to indicate the degree of protection it requires. The classification should result in appropriate information labeling that shows whether the asset is sensitive or critical and which procedures apply when it is copied, stored, transmitted or destroyed.

4. Personnel Security

Human error, negligence and greed are responsible for most theft, fraud or misuse of IT assets. Proactive measures that should be taken include:

  • Development of personnel screening policies,
  • Getting signed confidentiality agreements from all employees,
  • Establishing terms and conditions of employment and
  • Implementing information security education and training.

Alert and well-trained employees who are aware of what to look for can prevent future security breaches.

5. Physical and Environmental Security

Designing a secure physical environment to prevent unauthorized access, damage and interference to business premises and information is usually the starting point of any security plan. This involves establishing a physical security perimeter, which includes physical entry and access controls; secure offices, rooms and facilities; protection devices that reduce risks ranging from fire to electromagnetic radiation; and adequate protection of power supplies and data cables. Cost-effective design and constant monitoring are the two key aspects of maintaining adequate physical security control.

6. Communications and Operations Management

Properly documented procedures for the management and operation of all information processing facilities should be established. This includes detailed operating instructions and incident response procedures.

Network management requires a range of controls to achieve and maintain security in computer networks. This also includes establishing procedures for managing remote equipment including equipment in user areas (or at homes of employees who telecommute). Special controls should be established to safeguard the confidentiality and integrity of data passing over public networks. Special controls may also be required to maintain the availability of the network services.

Exchange of information and software with external organizations should be controlled and should comply with any relevant legislation. There should be proper information and software exchange agreements, and media in transit must be secured so that it is not vulnerable to unauthorized access, misuse or corruption. The HIPAA Security Rule positions this as an addressable requirement: the Covered Entity is responsible for determining the most reasonable way to implement this protection (if at all).

Electronic commerce involves electronic data interchange, electronic mail and online transactions across public networks such as the Internet. It is vulnerable to a number of network threats that may result in fraudulent activity, contract disputes, and disclosure or modification of information. Controls should be applied to protect electronic commerce from such threats.


 
     
     
© Copyright HIPAA Solutions RX