ABOUT HIPAA SECURITY - CONTINUED


7. Access control

Access to information and organizational processes should be controlled on the basis of business need and security requirements. In practice this covers:

- an access control policy and rules
- user access management: user registration, privilege management, user password use and management, and periodic review of user access rights
- network access controls: enforcing the path from user terminal to computer, user and node authentication, segregation of networks, network connection control and network routing control
- operating system access control: user identification and authentication, and restricting the use of system utilities
- application access control
- monitoring of system access and use
- information security when using mobile computing and tele-working facilities

Compliance Tip: This is one of the more difficult areas to address to the mutual satisfaction of users and the security team. Unfortunately, many systems don't universally "talk" to each other and may have different levels of access controls and flexibility. Consider procedural controls in addition to technology driven solutions where practical & feasible. Training & enforcement of these procedures is critical to the success of this strategy.

8. System development and maintenance

Security should be built in from a system's inception: security requirements should be identified and agreed before an information system is developed. This begins with security requirements analysis and specification, and continues with controls at every stage, i.e. data input, data processing, data storage and retrieval, and data output. It may be necessary to build applications with cryptographic controls. There should be a defined policy on the use of such controls, covering encryption, digital signatures, the use of digital certificates, protection of cryptographic keys and the cryptographic standards to be used.

A strict change control procedure should be in place so that changes can be tracked. Changes to operating systems and software packages should be strictly controlled. Special precautions must be taken to ensure that no covert channels, back doors or Trojans are left in the application system for later exploitation.

Compliance Tip: Many software vendors claim they are "HIPAA compliant". Be sure to test out their claims within the structure of how you intend to use the system. The way an application is actually implemented may completely invalidate those claims.

9. Business Continuity Management

A business continuity/disaster recovery management process should be designed, implemented and periodically tested to reduce the disruption caused by disasters and security failures. This begins by identifying all events that could interrupt business processes and, based on the risk assessment, preparing a strategic plan. The plan needs to be periodically tested, maintained and re-assessed as circumstances change. This is a required component of the HIPAA Security Rule, so don't ignore it.

© Copyright HIPAA Solutions RX