HIPAA

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 has driven many changes in U.S. healthcare over the last decade. Combined with the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, it requires organizations that handle electronic Protected Health Information (ePHI, also referred to as “the information” in this document) to put technical controls in place to ensure the security and privacy of patient data. The consequences of failing to do so range from public breach notification and steep civil penalties (currently up to $1.5 million per calendar year for violations of an identical provision) to the loss of government payments for care, such as from Medicare or Medicaid.

AlertSec provides a solid foundation on which you can build your compliance program. Today, most organizations that deal with medical information use some form of electronic healthcare system that combines the many facets of patient care, from intake and visits to follow-up care and billing, and these systems are generally designed for compliance. To cover all of the technical protection of ePHI that HIPAA requires, however, you need to protect more than the healthcare system itself. Every system on which patient data could be accessed or stored must be protected, and this is where the AlertSec Service plays a critical part.

AlertSec Service features:

  • Protect – Safeguard all ePHI on computers and removable media (USB sticks/drives etc.)
  • Comply – with HIPAA and HITECH Enforcement Rule through Policy Control
  • Manage – Deploy and monitor compliance through a cloud management tool

Building HIPAA Compliance

When approaching HIPAA compliance for your organization it is important to look at your overall compliance “story”. The HIPAA and HITECH Acts lay out the penalties for ePHI disclosure, but they also provide a safe harbor: ePHI that was encrypted in accordance with HHS guidance at the time it was lost or stolen is not treated as “unsecured” PHI, so the breach notification obligations do not apply to it.

To claim an affirmative defense, the key is to be able to show the overall compliance coverage within your organization, explaining the Administrative, Physical and Technical Safeguards you have put in place to protect the information.

Both HIPAA and HITECH are more about what you need to do and what you need to protect than about how to do it. As a result, ensuring that your organization is compliant can be complicated. The complexity of the systems involved in today’s highly technical medical settings means there is no silver-bullet solution that can solve all your compliance concerns. Instead you must diligently select components with the goal of protecting every system that accesses or stores patient data, so that you can ensure the security and privacy of your patient information.

In hospitals, pharmacies and other healthcare organizations, doctors and other staff often use mobile devices to access ePHI at work in the practice, at remote sites (such as a partner facility or a patient’s home) or after hours (such as when working from home). Central or cloud-based healthcare systems are generally designed to be compliant, but they do not protect ePHI that is downloaded to or stored on devices such as laptops, or even on the office desktops that never leave the building.

Who Needs to be HIPAA Compliant

If you store or access any information that could be classified as ePHI, you are subject to the requirements of HIPAA and HITECH. Clearly that includes organizations such as hospitals, doctors’ offices and pharmacies, but it also covers other organizations, for example companies that perform billing services, or IT services such as cloud-hosted email or patient portals. Any system that can touch ePHI needs to be HIPAA compliant.

If a HIPAA covered organization (a Covered Entity) engages a business associate to help carry out its healthcare activities and functions, there must be a Business Associate Agreement (BAA) between the two organizations. So if you have signed a BAA, your business is also directly subject to the HIPAA requirements for data protection.

HIPAA Rules

There are three main sets of requirements that come into play for HIPAA compliance: the Administrative Rules (formally the Administrative Safeguards at section 164.308), the Privacy Rules and the Security Rules.

Administrative Rules

The Administrative Rules cover the general policies and procedures for securing information. Some of these border on technical requirements, such as the requirement to guard against malicious software, but the Administrative Rules are really focused on establishing security best practices as a baseline for the Privacy and Security Rules to build on.

Privacy Rules

The Privacy Rules focus on ensuring that PHI is protected from exposure outside its proper confines of use. They state the permitted uses and disclosures of PHI, regardless of format (for example paper, oral or electronic), and the types of controls that must be enforced to protect it.

Security Rules

The Security Rules focus on which safeguards must be in place for ePHI. They are divided into Administrative Safeguards (section 164.308), Physical Safeguards (section 164.310) and Technical Safeguards (section 164.312). Each safeguard is a standard with one or more implementation specifications, marked either Required or Addressable; an Addressable specification must still be implemented if it is reasonable and appropriate, or the organization must document why it is not and what equivalent measure is used instead. The Security Rules are written to provide flexibility in implementation whilst ensuring that the overall goals of ePHI protection are met.

When combined, these rules detail what needs to be protected and provide guidance about the minimum requirements for protection.

AlertSec HIPAA Safeguards

The AlertSec Service provides a solid foundation for compliance with HIPAA requirements. With the AlertSec Service you are able to address many of the Administrative Safeguards in section 164.308 and most of the Technical Safeguards in section 164.312. It is important to understand that full HIPAA compliance for all systems requires combining AlertSec with other tools to build a complete compliance picture.

Section 164.308 Administrative Safeguards (a)(1) Standard: Security Management Process

The AlertSec Service can assist with the following Security Management Process requirements:

Specification: Risk Management (Required)
Description: Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.
AlertSec Support: The AlertSec Service provides multiple modules (encryption, anti-malware, firewall, port control) that reduce the risk to endpoint computers.

Specification: Information System Activity Review (Required)
Description: Records of information system activity, such as audit logs and access reports, must be reviewed regularly for activity that could be malicious.
AlertSec Support: The AlertSec Service produces audit records for all of its modules; these form part of the activity that must be monitored and reviewed.

Table 1 – Security Management Process Support

Section 164.308(a)(5) Standard: Security Awareness and Training

The AlertSec Service can help address the following Security Awareness and Training requirements:

Specification: Protection from Malicious Software (Addressable)
Description: Procedures for guarding against, detecting and reporting malicious software.
AlertSec Support: The AlertSec Anti-Malware module provides detection and prevention of malicious applications.

Specification: Log-in Monitoring (Addressable)
Description: Procedures for monitoring log-in attempts and reporting discrepancies.
AlertSec Support: The AlertSec Service records all authentication attempts, successful and failed, to the AlertSec FDE pre-boot login and to the Windows lock screen.

Specification: Password Management (Addressable)
Description: Procedures for creating, changing and safeguarding passwords.
AlertSec Support: The AlertSec Service provides password management capabilities to enforce strong passwords and scheduled password changes.

Table 2 – Security Awareness and Training Support

Section 164.312(a)(1) Standard: Access Control

The Access Control standard has four implementation specifications:

Specification: Unique User Identification (Required)
Description: Each user must be assigned a unique name or number so that their activity can be identified and tracked.
AlertSec Support: With AlertSec FDE, each user logs in to the pre-boot environment with their own unique account.

Specification: Emergency Access Procedure (Required)
Description: There must be a procedure for obtaining necessary ePHI in an emergency.
AlertSec Support: Administrator access can be used to ensure the system or media is accessible in an emergency when the regular users are not available.

Specification: Automatic Logoff (Addressable)
Description: Electronic sessions should be terminated after a predetermined period of inactivity.
AlertSec Support: AlertSec FDE can be configured to lock the system automatically after a pre-defined period of inactivity.

Specification: Encryption and Decryption (Addressable)
Description: Implement a mechanism to encrypt and decrypt ePHI so that only authorized users can read it.
AlertSec Support: AlertSec FDE encrypts the entire drive of the PC; the operating system, applications and data on it are accessible only to a user who has authenticated at boot. AlertSec Media Encryption enforces encryption of any data written to removable media, so the media can be used without exposing ePHI. AlertSec Port Control can block removable media altogether, preventing ePHI from leaving the system and blocking potentially malicious applications carried on such media.

Table 3 – Access Control Support

Section 164.312(b) Standard: Audit Controls

The Audit Controls standard requires mechanisms that record and examine activity in systems that contain or use ePHI. The AlertSec Service does not protect the ePHI application itself, but it does support this requirement by producing audit records for activity on the systems where the protected information is accessed. The AlertSec Service records every authentication attempt and access to the system, so you can review when a system or device was used (based on successful logins) as well as attempts to gain access to it (based on authentication failures).

This information is supplemental to the application-level audit controls mandated by HIPAA. The additional records provided by the AlertSec Service broaden the coverage story of your compliance efforts and strengthen your position when claiming an affirmative defense or the encryption safe harbor (as explained in the Building HIPAA Compliance section above).
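The Information System Activity Review and Log-in Monitoring specifications above both assume that someone actually reads these records. The following is an added example, not AlertSec code: it runs three simple reviews over endpoint authentication records, flagging bursts of failed unlock attempts, successful logins outside business hours, and the period during which each device was in use. The comma-separated record format (timestamp, device, user, event) and the sample log lines are constructed for the example; an AlertSec export would need a different parser.

```python
"""Review endpoint authentication audit records (added example).

Assumed record format, constructed for this example and not AlertSec's:
    <ISO 8601 UTC timestamp>,<device>,<user>,<auth_success|auth_failure>
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: a normal working day on LAPTOP-017, a burst
# of failed pre-boot logins followed by a 02:40 success on LAPTOP-042, and
# one typo-then-success on LAPTOP-088.
SAMPLE_LOG = """\
2024-03-04T07:58:12Z,LAPTOP-017,jdoe,auth_success
2024-03-04T12:03:44Z,LAPTOP-017,jdoe,auth_success
2024-03-04T23:14:02Z,LAPTOP-042,mlee,auth_failure
2024-03-04T23:14:31Z,LAPTOP-042,mlee,auth_failure
2024-03-04T23:15:05Z,LAPTOP-042,mlee,auth_failure
2024-03-04T23:15:40Z,LAPTOP-042,mlee,auth_failure
2024-03-04T23:16:12Z,LAPTOP-042,mlee,auth_failure
2024-03-05T02:40:09Z,LAPTOP-042,mlee,auth_success
2024-03-05T09:01:00Z,LAPTOP-088,rkim,auth_failure
2024-03-05T09:02:10Z,LAPTOP-088,rkim,auth_success
"""


def parse_records(text):
    """Parse the constructed CSV format into dicts with a datetime 'ts'."""
    records = []
    for line in text.strip().splitlines():
        ts, device, user, event = line.split(",")
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "device": device,
            "user": user,
            "event": event,
        })
    return records


def failure_bursts(records, threshold=5, window=timedelta(minutes=10)):
    """Find (device, user, first_ts, count) where one user accumulated at
    least `threshold` failures within `window` on one device.

    Uses a sliding window over the sorted failure times; reports the first
    qualifying window per device/user pair."""
    per_key = defaultdict(list)
    for r in records:
        if r["event"] == "auth_failure":
            per_key[(r["device"], r["user"])].append(r["ts"])
    findings = []
    for (device, user), times in per_key.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                findings.append((device, user, times[start], end - start + 1))
                break
    return findings


def after_hours_logins(records, start_hour=7, end_hour=20):
    """Successful logins outside [start_hour, end_hour). Times are UTC in
    the sample; convert to the site's local time before applying this."""
    return [r for r in records
            if r["event"] == "auth_success"
            and not (start_hour <= r["ts"].hour < end_hour)]


def device_usage(records):
    """First and last successful login per device: when the device was used."""
    usage = {}
    for r in records:
        if r["event"] != "auth_success":
            continue
        first, last = usage.get(r["device"], (r["ts"], r["ts"]))
        usage[r["device"]] = (min(first, r["ts"]), max(last, r["ts"]))
    return usage


def review(text):
    """Run all three reviews over a log and return the findings."""
    records = parse_records(text)
    return {
        "bursts": failure_bursts(records),
        "after_hours": after_hours_logins(records),
        "usage": device_usage(records),
    }


if __name__ == "__main__":
    result = review(SAMPLE_LOG)
    for device, user, first, n in result["bursts"]:
        print(f"REVIEW: {n} failed logins for {user} on {device} "
              f"starting {first:%Y-%m-%d %H:%M}Z")
    for r in result["after_hours"]:
        print(f"REVIEW: after-hours login {r['user']}@{r['device']} "
              f"at {r['ts']:%Y-%m-%d %H:%M}Z")
    for device, (first, last) in sorted(result["usage"].items()):
        print(f"USAGE: {device} first {first:%Y-%m-%d %H:%M}Z "
              f"last {last:%Y-%m-%d %H:%M}Z")
```

On the sample data the burst and after-hours checks both point at the same device and user, which is the pattern a reviewer wants surfaced: repeated failures late at night followed by a success is worth a call to the user before it is written off as a forgotten password. The thresholds and business hours are policy choices and should be taken from the organization’s documented risk analysis rather than hard-coded.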

Section 164.312(d) Standard: Person or Entity Authentication

The Person or Entity Authentication standard requires that, in addition to each user having a unique identifier (as required under Access Control), the identity claimed by that identifier is verified before access is granted. In practical terms, this means a user has to present a credential (a password, token, biometric, etc.) paired with their identifier to prove who they are.

AlertSec FDE and AlertSec Media Encryption both require the user to authenticate with a username and password before they can access the system or any encrypted media, providing assurance about who is reaching the applications that handle ePHI.

AlertSec Service Features

The AlertSec Service provides compliance security as a service. Instead of purchasing several individual components and managing each of them separately, you get a single, comprehensive, policy-based, cloud-managed package of the components needed to secure your systems and make them compliant. The following compliance modules are available:

Compliance Module: Full Disk Encryption (FDE)
Description: Ensures that only authorized users can access data on protected computers. A user must provide a valid ID and password before the operating system boots, and everything written to the disk, ePHI included, is stored encrypted.

Compliance Module: Media Encryption/Port Control
Description: Media Encryption automatically encrypts, according to policy, any data stored on removable media such as USB sticks and external hard drives; the encryption is transparent to authorized users. Port Control prevents the use of unknown or unauthorized media.

Compliance Module: Compliance Check
Description: All endpoints are scanned for compliance with pre-defined security policies, for example that the security software is installed and up to date.

Compliance Module: Anti-Malware/Program Control
Description: Malware detection and prevention using signatures, behavior blocking and heuristic analysis. Policy-controlled Program (application) Control can restrict the applications that may run on the system to those that have been explicitly approved.

Compliance Module: Firewall
Description: Proactive, policy-based network protection: the firewall blocks targeted attacks and stops unwanted traffic, keeping data and systems safe.

Table 4 – AlertSec Service Compliance Modules

Summary

The AlertSec Service provides a solid foundation for building a complete ePHI security solution around your Electronic Health Record (EHR) system. The HIPAA Security Rule does not expect a single application or service to provide all the safeguards necessary to protect the information, and so it gives an organization the flexibility to design a complete security infrastructure from the components that best meet its needs.

With the AlertSec Service your organization can ensure the security of endpoint devices, providing a solid layer of technical security around ePHI that is unobtrusive whilst also being highly effective. By minimizing the possibility of unsecured access on endpoint devices, AlertSec helps you qualify for the encryption safe harbor, removing the breach notification obligation that would otherwise apply whenever unsecured ePHI is exposed. Encrypting ePHI at rest in a manner consistent with the HHS guidance (which refers to NIST Special Publication 800-111 for data at rest) is the primary way to achieve this safe harbor. Note that the safe harbor only holds if the decryption key or credentials were not compromised along with the device, which is why the password management and audit records described above matter as much as the encryption itself.

Implementing AlertSec FDE on endpoint devices within your organization ensures that any copies of ePHI on the device, such as offline copies for remote work, data in Word® or Excel® documents, or cached data from applications, are always encrypted at rest. FDE protects against a lost or stolen device; it does not protect data on a device that is running and unlocked, so it should be paired with automatic locking, anti-malware and program control as described above. AlertSec Media Encryption enables your organization to use removable media securely when transporting ePHI between systems (for example, when large volumes of data need to be backed up or delivered directly to another location, or where secure network transfer is not available). And AlertSec Port Control and Program Control give your organization the ability to block removable media ports and unwanted applications, preventing ePHI from being removed from the device.

References

The following websites provide more information about HIPAA and HITECH.

http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html

http://www.hipaasurvivalguide.com/hipaa-compliance.php