Guide To HIPAA Security
Overview
Most covered entities have until April 21, 2005 to comply with the HIPAA Security Standards. The final Security Rule defines three categories of safeguards which you will need to address:
Administrative Safeguards
Physical Safeguards and
Technical Safeguards
The regulation outlines a realistic and flexible model for security management; however, covered entities should not treat the rule's flexibility provisions as a reason to ignore security.
So, where should you begin?
A covered entity should perform an initial risk analysis to assess the state of security for that facility. This whitepaper will help you think through the elements of that risk analysis and assessment.
Understand the Importance of Information Security
Every organization is unique, with its own requirements and concerns, and must interpret the HIPAA Security standard in light of its human, procedural, environmental, technical and cultural factors. The organization's IT assets are exposed to a variety of threats, and it is commonly estimated that more than 70% of the threat comes from internal sources. Assessments should therefore start from the inside out.
That does not make the outside world any less threatening. The moment we connect to the Internet, transmit data, communicate over wireless technology or send an email, hackers, former employees, contractors, suppliers, competitors and customers all become potential threats to our IT environment.
If you work in a high tech environment, you hear constantly about viruses, worms, hackers and the like. Outside high tech, these issues are closely held secrets: management is tight lipped about incidents and may sweep them under the carpet for fear of losing credibility with clients or patients. In a competitive environment where IT systems are a critical component of business operations, one cannot afford to lose data and suffer a breakdown.
Building Awareness Is The Starting Point For A Stronger IT Security Culture
Educating top management on the need for effective Information Security Management, and on its possible benefits, is crucial to the success of the project.
What Should We Consider While Implementing The Standard
Here are 10 elements that address key areas of Information Security Management.
1. Information Security Policy for the organization
Do we have one? The policy cannot be a theoretical exercise. It should reflect the needs of the actual users, be implementable and easy to understand, and balance the level of protection against productivity. It should cover all the important areas: personnel, physical, procedural and technical.
2. Creation of information security infrastructure
A management structure needs to be established to initiate, implement and control information security within the organization, with proper procedures for approval of the information security policy, assignment of security roles and coordination of security across the entire organization. Depending on the size and complexity of the organization, this could be a new position (Security Officer) or a role combined with that of the Privacy Officer.
3. IT asset classification and control
One of the most laborious but essential tasks is maintaining an inventory of all IT assets: information assets (databases), software assets (applications) and physical assets (servers, PDAs, etc.). These assets need to be classified to indicate the degree of protection required. The classification should result in appropriate labeling that indicates whether an asset is sensitive or critical and which procedures apply to copying, storing, transmitting or destroying it.
4. Personnel Security
Human error, negligence and greed are responsible for most thefts, frauds and misuse of IT assets. Proactive measures that should be taken include:
Development of personnel screening policies,
Getting signed confidentiality agreements from all employees,
Establishing terms and conditions of employment and
Implementing information security education and training.
Alert and well-trained employees who are aware of what to look for can prevent future security breaches.
5. Physical and Environmental Security
Designing a secure physical environment to prevent unauthorized access, damage and interference to business premises and information is usually the starting point of any security plan. This involves establishing a physical security perimeter, which includes physical entry and access controls; secure offices, rooms and facilities; protective devices to minimize risks ranging from fire to electromagnetic radiation; and adequate protection for power supplies and data cables. Cost effective design and constant monitoring are the two key aspects of maintaining adequate physical security control.
6. Communications and Operations Management
Properly documented procedures for the management and operation of all information processing facilities should be established. This includes detailed operating instructions and incident response procedures.
Network management requires a range of controls to achieve and maintain security in computer networks. This also includes establishing procedures for managing remote equipment including equipment in user areas (or at homes of employees who telecommute). Special controls should be established to safeguard the confidentiality and integrity of data passing over public networks. Special controls may also be required to maintain the availability of the network services.
Exchange of information and software with external organizations should be controlled and should comply with any relevant legislation. There should be proper information and software exchange agreements, and media in transit must be protected against unauthorized access, misuse or corruption. The HIPAA Security Rule treats this as an addressable specification: the covered entity is responsible for determining the most reasonable way to implement the protection, or for documenting why it is not reasonable and appropriate and what equivalent measure (if any) it adopts instead.
Electronic commerce involves electronic data interchange, electronic mail and online transactions across public networks such as the Internet. It is vulnerable to a number of network threats that may result in fraudulent activity, contract disputes and disclosure or modification of information. Controls should be applied to protect electronic commerce from such threats.
7. Access control
Access to information and organizational processes should be controlled based on business needs and security requirements. This includes:
an access control policy and rules;
user access management: user registration, privilege management, password use and management, and periodic review of user access rights;
network access controls: an enforced path from the user terminal to the computer, user and node authentication, segregation of networks, network connection control and network routing control;
operating system access control: user identification and authentication, and restricted use of system utilities;
application access control;
monitoring of system access and use; and
information security when using mobile computing and teleworking facilities.
Compliance Tip: This is one of the more difficult areas to address to the mutual satisfaction of users and the security team. Unfortunately, many systems don't universally "talk" to each other and may have different levels of access controls and flexibility. Consider procedural controls in addition to technology driven solutions where practical & feasible. Training & enforcement of these procedures is critical to the success of this strategy.
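As an added example (not code from the original whitepaper), the following Python script performs the "review of user access rights" step over a constructed account inventory, the kind of periodic check that complements the technical controls listed above. The role-to-privilege map, the 90-day dormancy window and the sample accounts are all assumptions made for illustration, not values taken from the Security Rule.

```python
"""Periodic access-rights review over a constructed user inventory.

Flags the conditions an access review typically looks for:
  - accounts still enabled after the person was terminated
  - privileges that the user's role does not authorise
  - dormant accounts (no login within the review window)
  - accounts with no named owner (shared or generic logins)
All data below is constructed for the example.
"""
from datetime import date, timedelta

# Assumed policy: which privileges each role is permitted to hold.
ROLE_PRIVILEGES = {
    "nurse": {"ehr_read", "ehr_write"},
    "billing": {"ehr_read", "billing_read", "billing_write"},
    "helpdesk": {"password_reset"},
    "dba": {"ehr_read", "ehr_write", "db_admin"},
}

DORMANT_DAYS = 90            # assumed review window
REVIEW_DATE = date(2005, 4, 1)   # assumed date the review is run

# Constructed sample inventory, one record per account.
USERS = [
    {"user": "jsmith", "owner": "Jane Smith", "role": "nurse", "status": "active",
     "enabled": True, "privs": {"ehr_read", "ehr_write"}, "last_login": date(2005, 3, 30)},
    {"user": "bjones", "owner": "Bob Jones", "role": "billing", "status": "terminated",
     "enabled": True, "privs": {"ehr_read", "billing_write"}, "last_login": date(2005, 2, 1)},
    {"user": "helpdesk2", "owner": "", "role": "helpdesk", "status": "active",
     "enabled": True, "privs": {"password_reset", "db_admin"}, "last_login": date(2005, 3, 31)},
    {"user": "mlee", "owner": "Mary Lee", "role": "nurse", "status": "active",
     "enabled": True, "privs": {"ehr_read"}, "last_login": date(2004, 11, 1)},
]


def review_access(users, as_of, role_privileges=ROLE_PRIVILEGES, dormant_days=DORMANT_DAYS):
    """Return a list of (user, finding, detail) tuples, one per policy violation."""
    findings = []
    cutoff = as_of - timedelta(days=dormant_days)
    for u in users:
        name = u["user"]
        # Terminated staff must have their accounts disabled, not merely unused.
        if u["status"] == "terminated" and u["enabled"]:
            findings.append((name, "terminated_but_enabled", "account still enabled"))
        # Every account needs an accountable human owner.
        if not u["owner"]:
            findings.append((name, "no_named_owner", "shared or generic account"))
        # Privileges beyond what the role permits violate least privilege.
        excess = u["privs"] - role_privileges.get(u["role"], set())
        if excess:
            findings.append((name, "excess_privilege", ",".join(sorted(excess))))
        # Active accounts nobody uses are candidates for removal.
        if u["status"] == "active" and u["last_login"] < cutoff:
            findings.append((name, "dormant", "last login " + u["last_login"].isoformat()))
    return findings


def summarize(findings):
    """Count findings by type so the review can be tracked from cycle to cycle."""
    counts = {}
    for _, kind, _ in findings:
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    results = review_access(USERS, REVIEW_DATE)
    for user, kind, detail in results:
        print(f"{user:10} {kind:24} {detail}")
    print(summarize(results))
```

In practice the inventory would be exported from the directory or application user tables rather than typed in, and the findings would be routed to the data owners named in the classification step for a sign-off; the value of the script is that the same checks run identically every cycle.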
8. System development and maintenance
Security should ideally be built at the time of inception of a system. Hence, security requirements should be identified and agreed to prior to the development of information systems. This begins with security requirements analysis and specification and providing controls at every stage i.e. data input, data processing, data storage and retrieval and data output. It may be necessary to build applications with cryptographic controls. There should be a defined policy on the use of such controls, which may involve encryption, digital signature, use of digital certificates, protection of cryptographic keys and standards to be used for cryptography.
A strict change control procedure should be in place to track changes. Changes to operating systems and software packages should be strictly controlled. Special precautions must be taken to ensure that no covert channels, back doors or Trojans are left in the application system for later exploitation.
Compliance Tip: Many software vendors claim they are "HIPAA compliant", although no government body certifies software as HIPAA compliant. Be sure to test such claims within the structure of how you intend to use the system. The way an application is actually implemented may completely invalidate those claims.
9. Business Continuity Management
A business continuity/disaster recovery management process should be designed, implemented and periodically tested to reduce the disruption caused by disasters and security failures. This begins by identifying all events that could interrupt business processes and, depending on the risk assessment, preparing a strategic plan. The plan needs to be periodically tested, maintained and re-assessed as circumstances change. This is a required component of the HIPAA Security Rule, so don't ignore it.
10. Auditing & Monitoring
Auditing and monitoring of your security compliance infrastructure is key to the long-term success and effectiveness of your program. Requirements will change over time (due to regulatory and business changes), and your privacy and security program should change with them. Implementing a process or procedure that doesn't work operationally creates a false sense of security. Create a feedback loop that allows you to quickly identify dysfunctional processes, so you can evaluate how to get the same results another way.