HIPAA Security Standards
Administrative Safeguards (55%) – 12 required, 11 addressable
Physical Safeguards (24%) – 4 required, 6 addressable
Technical Safeguards (21%) – 4 required, 5 addressable
The final rule has been modified to increase flexibility as to how protection is accomplished.
Addressable Implementation Specifications
Covered entities must assess whether an implementation specification is reasonable and appropriate based upon factors such as:
– Risk analysis and mitigation strategy
– Costs of implementation
– Current security controls in place
Key concept: "reasonable and appropriate"
Cost is not meant to free covered entities from their security responsibilities.
Addressable Implementation Specifications
"In meeting standards that contain addressable implementation specifications, a covered entity will ultimately do one of the following:
a. Implement one or more of the addressable implementation specifications;
b. Implement one or more alternative security measures;
c. Implement a combination of both; or
d. Not implement either an addressable implementation specification or an alternative security measure."
Whichever option is chosen, the decision must be documented!
Terminology
Security: Refers to techniques for ensuring that data stored in a computer cannot be read or compromised. Most security measures involve data encryption and passwords. Data encryption is the translation of data into a form that is unintelligible without a deciphering mechanism. A password is a secret word or phrase that gives a user access to a particular program or system.
Firewall: A system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in hardware, in software, or in a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.
Terminology
There are several types of firewall techniques:
– Packet filter: Looks at each packet entering or leaving the network and accepts or rejects it based on user-defined rules. Packet filtering is fairly effective and transparent to users, but it is difficult to configure. In addition, it is susceptible to IP spoofing, because a filter that trusts a source address cannot tell whether the address is genuine.
– Application gateway: Applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can degrade performance.
– Circuit-level gateway: Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.
– Proxy server: Intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses.
In practice, many firewalls use two or more of these techniques in concert. A firewall is considered a first line of defense in protecting private information. For greater security, data can be encrypted.
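The packet-filter technique above, worked through in code. This is an added example, not material from the original slides: the rule model, interface names, address ranges and sample packets are all constructed. It shows a stateless, first-match, default-deny filter, and why a rule that simply trusts internal source addresses is exposed to IP spoofing unless an ingress rule first drops externally arriving packets that claim an internal source.

```python
"""Toy stateless packet filter illustrating the "packet filter" technique.

Added example, not code from the original slides.  Rules, interface names
("ext"/"int"), the 10.0.0.0/8 internal range and the sample packets are all
constructed for the illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional

INTERNAL = "10.0.0.0/8"   # constructed: the private network behind the firewall


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "ext" (Internet) or "int" (LAN)
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                # "accept" or "drop"
    iface: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (
            self.iface in ("any", p.iface)
            and ip_address(p.src) in ip_network(self.src)
            and ip_address(p.dst) in ip_network(self.dst)
            and self.proto in ("any", p.proto)
            and (self.dport is None or self.dport == p.dport)
        )


def filter_packet(rules: List[Rule], p: Packet) -> str:
    """First matching rule wins; anything unmatched is dropped (default deny)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "drop"


# Naive rule set: trusts any packet whose source address is internal,
# regardless of which interface it arrived on.
NAIVE_RULES = [
    Rule("accept", src=INTERNAL),
    Rule("accept", iface="ext", proto="tcp", dport=443),
]

# Hardened rule set: an anti-spoofing ingress rule drops packets that arrive on
# the external interface yet carry an internal source address, and the trust
# rule is bound to the internal interface.
HARDENED_RULES = [
    Rule("drop", iface="ext", src=INTERNAL),
    Rule("accept", iface="int", src=INTERNAL),
    Rule("accept", iface="ext", proto="tcp", dport=443),
]

# Constructed sample traffic (203.0.113.0/24 is a documentation range).
SAMPLE: Dict[str, Packet] = {
    "legit_internal": Packet("int", "10.1.2.3", "10.9.9.9", "tcp", 22),
    "web_from_outside": Packet("ext", "203.0.113.7", "10.9.9.9", "tcp", 443),
    "spoofed_internal": Packet("ext", "10.1.2.3", "10.9.9.9", "tcp", 22),
    "telnet_from_outside": Packet("ext", "203.0.113.7", "10.9.9.9", "tcp", 23),
}


def evaluate(rules: List[Rule]) -> Dict[str, str]:
    """Return the filter decision for every sample packet under the given rules."""
    return {name: filter_packet(rules, p) for name, p in SAMPLE.items()}


if __name__ == "__main__":
    for label, rules in (("naive", NAIVE_RULES), ("hardened", HARDENED_RULES)):
        print(label, evaluate(rules))
```

Under the naive rules the spoofed packet is accepted because the filter has only the claimed source address to go on; the hardened set makes the same decision for legitimate traffic but drops the spoof, which is the configuration burden the slide alludes to.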
Terminology
VPN: Short for virtual private network, a network that is constructed by using public wires to connect nodes. For example, there are a number of systems that enable you to create networks using the Internet as the medium for transporting data. These systems use encryption and other security mechanisms to ensure that only authorized users can access the network and that the data cannot be intercepted.
Antivirus program: A utility that searches a hard disk for viruses and removes any that are found. Most antivirus programs include an auto-update feature that enables the program to download profiles of new viruses so that it can check for them as soon as they are discovered.
Secure server: A Web server that supports any of the major security protocols, like SSL, that encrypt and decrypt messages to protect them against third-party tampering. Making purchases from a secure Web server ensures that a user's payment or personal information is encrypted into a form that is difficult to crack. Major security protocols include SSL, SHTTP, PCT, and IPSec.
Next Steps
– Assign responsibility to one person
– Conduct a risk analysis
– Deliver security awareness in conjunction with privacy
– Develop policies, procedures, and documentation as needed
– Review and modify access and audit controls
– Establish security incident reporting and response procedures
Helpful sites:
– www.hipaadvisory.com – Phoenix Health System
– www.himss.org – Health Information Management Systems Society
– www.sans.org/resources/policies/ – SysAdmin, Audit, Networks, Security Institute
– www.hipaacomply.com – Beacon Partners
– www.cms.gov/hipaa/ – Center for Medicare and Medicaid Services
– www.aha.org – American Hospital Association
– www.aamc.org/members/gir/gasp/ – Guidelines for Academic Medical Centers on Security and Privacy
– http://dirm.state.nc.us.hipaa.hippa2002/security/security.html – North Carolina DHHS HIPAA