<?xml version="1.0" encoding="utf-8"?>
<?xml-stylesheet type="text/css" href="greeting.css"?>
<rss version="2.0">
  <channel>
    <title>ecfirst Compliance Portal</title>
    <link>http://www.ecfirst.com/complianceportal/</link>
    <description>Regulatory Compliance Portal</description>
	<item>
		<title>Critical HIPAA Security Rule Reference Update</title>
		<description>Probably the most important reference for the HIPAA Security Rule, the NIST Draft 800-66 Revision 1 is now available for review and comment. The purpose of this publication is to help educate readers about the security standards included in the HIPAA Security Rule. The NIST 800-66 Draft provides a brief overview of the HIPAA Security Rule, directs the reader to additional NIST publications on information security, and identifies typical activities an agency should consider in implementing an information security program.</description>
		<guid isPermaLink="true">http://www.ecfirst.com/complianceportal/securitytips/CriticalHIPAASecurityRuleReferenceUpdate_June08Tip.html</guid>
		<pubDate>Wed, 11 Jun 2008 11:01:45 CST</pubDate>
	</item>
	<item>
		<title>Business Continuity Planning - A Federal Requirement</title>
		<description>Contingency plan is a HIPAA Security standard. The objective of the contingency plan standard is to establish (and implement as needed) policies and procedures for responding to an emergency or other occurrence (for example, fire, vandalism, system failure, and natural disaster) that damages systems that contain electronic Protected Health Information (EPHI). As shown below, the Contingency Plan standard is defined within the Administrative Safeguards section of the HIPAA Security Rule. Has your organization addressed this mandatory HIPAA Security Standard?</description>
		<guid isPermaLink="true">http://www.ecfirst.com/complianceportal/securitytips/BusinessContinuityPlanning_June08Tip.html</guid>
		<pubDate>Wed, 06 Jun 2008 13:52:45 CST</pubDate>
	</item>
	<item>
		<title>Wireless Security Best Practices</title>
		<description>To secure critical business applications, servers and, most important, sensitive information transmitted on a wireless infrastructure, healthcare organizations must: conduct a risk analysis; develop security policies covering wireless, mobile devices, encryption and wireless protocols; ...</description>
		<guid isPermaLink="true">http://www.ecfirst.com/complianceportal/securitytips/WirelessSecurityBestPractices_May08Tip.html</guid>
		<pubDate>Wed, 28 May 2008 10:52:45 CST</pubDate>
	</item>
	<item>
		<title>Wireless Security Policy Tip</title>
		<description>The HIPAA Security Rule requires healthcare organizations to develop a comprehensive library of information security policies and procedures. Wireless security should be one of the policies that your organization should consider developing. The wireless security policy sets the dial tone for use of wireless components in your network infrastructure.</description>
		<guid isPermaLink="true">http://www.ecfirst.com/complianceportal/securitytips/WirelessSecurityPolicyTip_May08Tip.html</guid>
		<pubDate>Wed, 21 May 2008 13:05:45 CST</pubDate>
	</item>
	<item>
		<title>Wireless Assessment</title>
		<description>Healthcare organizations are rapidly deploying mobile computing capabilities across the infrastructure. From the perspective of regulations such as HIPAA Security as well as to ensure resilience in the infrastructure, organizations need to regularly evaluate their wireless architecture and configurations to identify points of exposure. For example, this includes locating unauthorized access points which may be rogue devices that can be exploited.</description>
		<guid isPermaLink="true">http://www.ecfirst.com/complianceportal/securitytips/WirelessAssessment_May08Tip.html</guid>
		<pubDate>Wed, 14 May 2008 11:02:45 CST</pubDate>
	</item>
	<item>
		<title>CMS Requirements for a HIPAA Security Audit</title>
		<description>In 2008, CMS is initiating a serious effort to audit for HIPAA Security compliance. It has been reported that CMS will begin audits by reviewing 10 to 20 hospitals in 2008 for compliance with the HIPAA Security Rule. Is your organization ready for a HIPAA Security audit?</description>
		<guid isPermaLink="true">http://www.ecfirst.com/complianceportal/securitytips/CMSRequirementsHIPAASecurityAudit_May08Tip.html</guid>
		<pubDate>Wed, 07 May 2008 11:12:45 CST</pubDate>
	</item>
	<item>
		<title>SSO Best Practices Tip</title>
		<description>In this compliance and security tip, let us examine best practices to guide initiatives for enterprise SSO solutions. Any SSO solution being designed should take into account the following best practice recommendations:</description>
		<guid isPermaLink="true">http://www.ecfirst.com/complianceportal/securitytips/SSOBestPracticesTip_April08Tip.html</guid>
		<pubDate>Wed, 23 Apr 2008 11:01:45 CST</pubDate>
	</item>
	<item>
		<title>Getting Started With SSO</title>
		<description>Organizations need to address several challenges related to enforcing strong password policies. Key solution requirements include: &lt;ul&gt;&lt;li&gt;Strengthen password protection of applications to support compliance&lt;/li&gt;&lt;li&gt;Reduce burden on help-desk staff managing password problems&lt;/li&gt;&lt;li&gt;Streamline the login/logout process to minimize time spent on this activity by staff&lt;/li&gt;&lt;li&gt;Ensure periodic password changes across the organization&lt;/li&gt;&lt;/ul&gt;</description>
		<guid isPermaLink="true">http://www.ecfirst.com/complianceportal/securitytips/GettingStartedWithSSO_April08Tip.html</guid>
		<pubDate>Wed, 16 Apr 2008 11:08:45 CST</pubDate>
	</item>
	<item>
		<title>Single Sign-On</title>
		<description>User authentication can compromise the security of sensitive information and systems and cost your organization money and lost productivity. Studies have shown that when users are required to change their passwords often, or remember more than three different passwords, they either record them insecurely, such as a post-it note on their monitor, or forget them and place calls to your Help Desk. Single Sign On (SSO) technology allows users of enterprise, middleware or web applications to log on once with a single authentication action and get access to all authorized resources.</description>
		<guid isPermaLink="true">http://www.ecfirst.com/complianceportal/securitytips/SingleSignOn_April08Tip.html</guid>
		<pubDate>Wed, 09 Apr 2008 11:03:45 CST</pubDate>
	</item>
	<item>
		<title>Identity &amp; Access Management (I&amp;AM)</title>
		<description>The HIPAA Security Rule includes specific requirements for Person &amp; Entity Authentication as well as specifications for Unique Identifiers. Also, the increasingly digital healthcare organization requires controls that allow only authorized users to gain access to information, strictly control what users can do, monitor and track user activities, and make users accountable for their actions. These controls are at the core of identity and access management (I&amp;AM). I&amp;AM is the broad area that healthcare organizations are looking at closely to address compliance requirements as well as the challenges caregivers experience in quickly accessing necessary patient information.</description>
		<guid isPermaLink="true">http://www.ecfirst.com/complianceportal/securitytips/TIdentityAccessManagement_April08Tip.html</guid>
		<pubDate>Wed, 02 Apr 2008 12:12:45 CST</pubDate>
	</item>
	<item>
		<title>The Last Time You Audited the Firewall Was?</title>
		<description>Within the scope of conducting vulnerability assessment to identify compliance and security gaps, be sure to include an audit of your firewall system, especially the internet firewall. For example, the firewall audit may result in findings such as:</description>
		<guid isPermaLink="true">http://www.ecfirst.com/complianceportal/securitytips/TheLastTimeYouAuditedtheFirewallWas_March08Tip.html</guid>
		<pubDate>Wed, 26 Mar 2008 11:04:45 CST</pubDate>
	</item>
	<item>
		<title>Identifying Internal Threats: Vulnerability Assessment</title>
		<description>Compliance requirements such as those related to HIPAA, PCI DSS and others require organizations to also identify internal threats to vital assets. The objective of an internal vulnerability assessment is to identify security gaps in critical business servers, workstations, and network communication devices. The typical steps involved in an internal vulnerability assessment involve:</description>
		<guid isPermaLink="true">http://www.ecfirst.com/complianceportal/securitytips/IdentifyingInternalThreats_VulnerabilityAssessment_March08Tip.html</guid>
		<pubDate>Wed, 19 Mar 2008 13:22:45 CST</pubDate>
	</item>
	<item>
		<title>Managing External Threats: Data Surveillance</title>
		<description>To meet compliance requirements, healthcare organizations are conducting external network testing activities. This typically consists of attempting to access or electronically transgress external firewalls, routers and any such network perimeter devices protecting the business infrastructure. Key areas that are typically tested within the scope of managing external threats include:</description>
		<guid isPermaLink="true">http://www.ecfirst.com/complianceportal/securitytips/ManagingExternalThreatsDataSurveillance_March08Tip.html</guid>
		<pubDate>Wed, 12 Mar 2008 13:36:45 CST</pubDate>
	</item>
	<item>
		<title>Ready For a HIPAA Security Audit?</title>
		<description>GovernmentHealthIT reported on January 16, 2008 at a workshop on HIPAA Security, that CMS announced it will begin audits by reviewing 10 to 20 hospitals in the next nine months for compliance with the HIPAA Security Rule. Is your organization ready for a HIPAA Security audit?</description>
		<guid isPermaLink="true">http://www.ecfirst.com/complianceportal/securitytips/HIPAASecurityAudit_March08Tip.html</guid>
		<pubDate>Thu, 06 Mar 2008 09:27:45 CST</pubDate>
	</item>
	<item>
		<title>PCI DSS Control Objectives 5 and 6</title>
		<description>The Payment Card Industry (PCI) Data Security Standard (DSS) Control Objectives 5 and 6 include requirements that must be met as defined below:</description>
		<guid isPermaLink="true">http://www.ecfirst.com/complianceportal/securitytips/PCI_DSS_Control_Objectives3_February08Tip.html</guid>
		<pubDate>Wed, 27 Feb 2008 13:42:45 CST</pubDate>
	</item>
	<item>
		<title>PCI DSS Control Objectives 3 and 4</title>
		<description>The Payment Card Industry (PCI) Data Security Standard (DSS) Control Objectives 3 and 4 include requirements that must be met as defined below:</description>
		<guid isPermaLink="true">http://www.ecfirst.com/complianceportal/securitytips/PCI_DSS_Control_Objectives2_February08Tip.html</guid>
		<pubDate>Wed, 20 Feb 2008 11:36:45 CST</pubDate>
	</item>
	<item>
		<title>PCI DSS Control Objectives 1 and 2</title>
		<description>The Payment Card Industry (PCI) Data Security Standard (DSS) Control Objectives 3 and 4 include requirements that must be met as defined below:</description>
		<guid isPermaLink="true">http://www.ecfirst.com/complianceportal/securitytips/PCI_DSS_Control_Objectives_February08Tip.html</guid>
		<pubDate>Wed, 13 Feb 2008 14:13:45 CST</pubDate>
	</item>
	<item>
		<title>Compliance Requirements and Security</title>
		<description>Organizations today are challenged with compliance requirements from legislation, both state and federal, as well as governance standards and international frameworks. Failure to comply with established requirements only increases the risk to the business, as regulatory requirements are increasingly tied into best practices for securing the business information infrastructure. The regulatory compliance requirements and associated frameworks provide a unique opportunity for organizations to align their technology initiatives with legislative requirements to meet business objectives.</description>
		<guid isPermaLink="true">http://www.ecfirst.com/complianceportal/securitytips/ComplianceRequirementsandSecurity_February08Tip.html</guid>
		<pubDate>Wed, 06 Feb 2008 12:51:45 CST</pubDate>
	</item>
	<item>
		<title>Sarbanes-Oxley and Security</title>
		<description>The Board of Directors of healthcare organizations is increasingly looking at Sarbanes-Oxley (SOX) as the framework for internal controls over financial reporting systems. SOX impacts technology as well as security priorities within organizations.</description>
		<guid isPermaLink="true">http://www.ecfirst.com/complianceportal/securitytips/SarbanesOxleyandSecurity_January08Tip.html</guid>
		<pubDate>Wed, 23 Jan 2008 14:37:45 CST</pubDate>
	</item>
	<item>
		<title>ISO 27001 and 27002</title>
		<description>The two standards that influence information security initiatives worldwide are ISO/IEC 27001 and ISO/IEC 27002. These are important security standards that must be referenced in any organization’s information security strategy document.</description>
		<guid isPermaLink="true">http://www.ecfirst.com/complianceportal/securitytips/ISO27001_27002_January08Tip.html</guid>
		<pubDate>Wed, 16 Jan 2008 15:10:45 CST</pubDate>
	</item>
	<item>
		<title>Payment Card Industry (PCI) Data Security Standard (DSS)</title>
		<description>Many healthcare organizations are beginning to realize that they need to comply with not just HIPAA, but also the Payment Card Industry’s Data Security Standard (DSS). This requirement may seriously influence your information security strategy as well as priorities and initiatives.</description>
		<guid isPermaLink="true">http://www.ecfirst.com/complianceportal/securitytips/PaymentCardIndustryDataSecurityStd_January08Tip.html</guid>
		<pubDate>Wed, 09 Jan 2008 15:06:45 CST</pubDate>
	</item>
	<item>
		<title>Information Security Strategy</title>
		<description>The December 11th, 2007 issue of The Wall Street Journal had a full page article on information security. The core topic addressed was “Beyond the Firewall: As a new breed of professional hackers emerges, companies are finding new tools to protect their networks.” The article states that in 2007 more than 270 organizations have lost sensitive information such as consumer credit card or employee social security numbers, as well as bank account numbers. This directly impacts the healthcare industry that is so rich in processing identifiable information on its systems and networks.</description>
		<guid isPermaLink="true">http://www.ecfirst.com/complianceportal/securitytips/InformationSecurityStrategy_January08Tip.html</guid>
		<pubDate>Wed, 02 Jan 2008 11:18:45 CST</pubDate>
	</item>
	<item>
		<title>Wireless Security</title>
		<description>The security of defending today’s organization is largely based on protocols and technologies that support a wired infrastructure. The proliferation of mobile devices and wireless communication is introducing new security gaps that must be addressed. As the saying goes, security is only as good as your weakest link, and wireless systems are the weak links in the digital information infrastructure.</description>
		<guid isPermaLink="true">http://www.ecfirst.com/complianceportal/securitytips/WirelessSecurity_DecemberTip.html</guid>
		<pubDate>Wed, 26 Dec 2007 15:16:45 CST</pubDate>
	</item>
	<item>
		<title>Transmission Security Encryption</title>
		<description>Encryption is an addressable implementation specification defined in the Transmission Security Standard in the HIPAA Security Rule. This implementation specification requires that organizations implement a mechanism to encrypt EPHI whenever deemed appropriate.</description>
		<guid isPermaLink="true">http://www.ecfirst.com/complianceportal/securitytips/TransmissionSecurityEncrytion_DecemberTip.html</guid>
		<pubDate>Wed, 19 Dec 2007 12:47:45 CST</pubDate>
	</item>
	<item>
		<title>Transmission Security Policy</title>
		<description>As you know, the objective of the Transmission Security (§ 164.312(e)(1)) HIPAA Standard is for covered entities to implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network. This requires that organizations develop policies and procedures to address this HIPAA Security Standard.</description>
		<guid isPermaLink="true">http://www.ecfirst.com/complianceportal/securitytips/TransmissionSecurityPolicy_DecemberTip.html</guid>
		<pubDate>Wed, 12 Dec 2007 12:26:45 CST</pubDate>
	</item>
	<item>
		<title>Transmission Security</title>
		<description>1) Monthly HIPAA Compliance Tip: Transmission Security; 2) The Value of Provider-to-Provider Telehealth Technologies; 3) AHA Solutions to Present at HIMSS Arkansas/Tennessee Chapter Meeting; 4) Where IT Development Should Start; 5) Health Care Compliance Association (HCCA) 12th Annual Compliance Institute, April 13-16, 2008, New Orleans; 6) HIPAA Privacy Rule Impacts Badly On Health Research, Say Two-thirds Of Clinical Scientists; 7) Hospitalized Student Gets High-Tech Help</description>
		<guid isPermaLink="true">http://www.ecfirst.com/complianceportal/securitytips/TransmissionSecurity_DecemberTip.html</guid>
		<pubDate>Wed, 08 Dec 2007 13:44:45 CST</pubDate>
	</item>
	<item>
		<title>Malicious Software</title>
		<description>Protection from Malicious Software is defined as an addressable implementation specification in the Security Awareness and Training Standard of the HIPAA Security Rule, § 164.308(a)(5). Attacks related to malicious software can be very disruptive to any organization. Some of you may have experienced this recently. Organizations need to closely review their capability to defend against malicious software attacks.</description>
		<guid isPermaLink="true">http://www.ecfirst.com/complianceportal/securitytips/MaliciousSoftware_NovemberTip.html</guid>
		<pubDate>Wed, 28 Nov 2007 12:18:45 CST</pubDate>
	</item>
	<item>
		<title>Intrusion Detection</title>
		<description>Security is all about the deployment of multiple layers of defense. Firewall systems are the first layer of defense – and are typically deployed at the perimeter of the organization. Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are the next vital layers of defense. These are systems that are always ON with the objective of “detecting” and “preventing” threats to the enterprise. Security professionals will need to review their security policies to determine the role that IDS/IPS can play in strengthening the defenses of the enterprise.</description>
		<guid isPermaLink="true">http://www.ecfirst.com/complianceportal/securitytips/IntrusionDetection_NovemberTip.html</guid>
		<pubDate>Wed, 21 Nov 2007 12:06:45 CST</pubDate>
	</item>
	<item>
		<title>Firewall System</title>
		<description>Firewall systems are the first line of defense for information security. It is a part of an organization’s network perimeter defense. Today’s firewall systems are intelligent and integrate several critical capabilities including prevention of various types of attacks, spam filtering, and content monitoring. An organization may deploy one or more firewall systems in various parts of its information infrastructure. For example firewall systems may be deployed at each of the clinics that connect to a hospital network from a remote location. There may be a firewall system between the wired and wireless network systems.</description>
		<guid isPermaLink="true">http://www.ecfirst.com/complianceportal/securitytips/FirewallSystem_NovemberTip.html</guid>
		<pubDate>Wed, 14 Nov 2007 12:06:45 CST</pubDate>
	</item>
	<item>
		<title>Single Sign-on (SSO) Challenges in Healthcare. Is Your Organization Compliant with Identity Management Requirements</title>
		<description>The challenge for many types of organizations is that users want easy and secure access to aggregated data across multiple systems. These systems include mainframe, distributed, Internet as well as mobile devices. Critical patient data typically resides on disparate systems and applications across multiple platforms. Employees want to review all relevant sensitive data before making decisions related to their job role and responsibility. There is a strong need to support the capability to centrally monitor and report (audit) access across all applications. This requirement can be met by using a combination of a single sign-on (SSO) and context management solution.</description>
		<guid isPermaLink="true">http://www.ecfirst.com/press/Single_Sign_On_Challenges_in_Healthcare_PR.html</guid>
		<pubDate>Wed, 07 Nov 2007 13:11:15 CST</pubDate>
	</item>
	<item>
		<title>Network Perimeter: Edge to Core Defense</title>
		<description>When it comes to the network perimeter – the first line of defense for any organization – “integration” of capabilities at the perimeter is critical to a successful defense. Integration of security capabilities protects vital assets from malicious software such as viruses and worms, as well as capabilities to detect attacks on the infrastructure.</description>
		<guid isPermaLink="true">http://www.ecfirst.com/complianceportal/securitytips/NetworkPerimeter_NovemberTip.html</guid>
		<pubDate>Wed, 07 Nov 2007 12:11:15 CST</pubDate>
	</item>
	<item>
		<title>Audit Best Practices</title>
		<description>Audits provide insight into vulnerabilities of an organization. A secure computing infrastructure is a strategic business asset.</description>
		<guid isPermaLink="true">http://www.ecfirst.com/complianceportal/securitytips/AuditBestPractices_OctoberTip.html</guid>
		<pubDate>Wed, 24 Oct 2007 11:56:36 CST</pubDate>
	</item>
	<item>
		<title>Incident Response</title>
		<description>The Security Incident Procedures (§ 164.308(a)(6)) Standard in the HIPAA Security Rule requires organizations to implement policies and procedures to address security incidents.</description>
		<guid isPermaLink="true">http://www.ecfirst.com/complianceportal/securitytips/incidentresponse_OctoberTip.html</guid>
		<pubDate>Wed, 17 Oct 2007 10:56:36 CST</pubDate>
	</item>
	<item>
		<title>Audit Policy</title>
		<description>Organizations should develop an information security audit policy to address HIPAA compliance requirements and establish capabilities to review the state of systems and applications. Typically, this results in two policies that an organization may develop to address compliance requirements: an Information Security Audit Policy and an Information System Activity Review Policy.</description>
		<guid isPermaLink="true">http://www.ecfirst.com/complianceportal/securitytips/AuditPolicy_OctoberTip.html</guid>
		<pubDate>Wed, 10 Oct 2007 16:43:36 CST</pubDate>
	</item>
	<item>
		<title>Auditing and Monitoring</title>
		<description>Audit Controls is a Standard defined under Technical Safeguards in the HIPAA Security Rule that requires that an organization:</description>
		<guid isPermaLink="true">http://www.ecfirst.com/complianceportal/securitytips/AuditingandMonitoring_OctoberTip.html</guid>
		<pubDate>Wed, 03 Oct 2007 14:22:36 CST</pubDate>
	</item>
	<item>
		<title>Access Control</title>
		<description>Access control generally requires some form of authentication. Authentication, the process of proving your identity, identifies a user to an application. A system needs to authenticate users to a degree appropriate for the level of risk or threat that an authenticated user represents. Authentication is about identification and verification, while access control is about the level of access to system resources, some of which are privileged.</description>
		<guid isPermaLink="true">http://www.ecfirst.com/complianceportal/securitytips/AccessControl_SeptemberTip.html</guid>
		<pubDate>Wed, 26 Sep 2007 10:30:36 CST</pubDate>
	</item>
	<item>
		<title>HIPAA Tip - Access Control</title>
		<description>The Access Control standard in the HIPAA Security Rule (§ 164.312(a)(1)) requires covered entities to implement technical policies and procedures for electronic information systems that maintain electronic Protected Health Information (EPHI) to allow access only to those persons or software programs that have been granted access rights. The Access Control standard includes four implementation specifications:</description>
		<guid isPermaLink="true">http://www.ecfirst.com/complianceportal/securitytips/AccessControl_SeptemberTip.html#accesscontrol</guid>
		<pubDate>Wed, 26 Sep 2007 10:30:36 CST</pubDate>
	</item>
	<item>
		<title>SSO Best Practices</title>
		<description>As your organization gets ready to design an SSO solution, the following are important factors to consider: Target Audience, Application Types, Application Access and Privilege, Deployment Mode, Account Management.</description>
		<guid isPermaLink="true">http://www.ecfirst.com/complianceportal/securitytips/SingleSignOn_SeptemberTip.html</guid>
		<pubDate>Wed, 19 Sep 2007 16:02:36 CST</pubDate>
	</item>
	<item>
		<title>HIPAA Tip - Single Sign-On (SSO)</title>
		<description>Compliance requirements such as those defined in the HIPAA Security Rule identify Person or Entity Authentication as a Standard within the legislation (§ 164.312(d)) that requires covered entities to implement procedures to verify that a person or entity seeking access to electronic protected health information (EPHI) is the one claimed. There are two additional requirements in the HIPAA Security Rule that closely relate to this Standard.</description>
		<guid isPermaLink="true">http://www.ecfirst.com/complianceportal/securitytips/SingleSignOn_SeptemberTip.html#sso</guid>
		<pubDate>Wed, 19 Sep 2007 16:02:36 CST</pubDate>
	</item>
  </channel>
</rss>
