HIPAA Security Rule Compliance and Health Care Information Protection
How SEA’s Solution Suite Ensures HIPAA Security Rule Compliance
Legal Notice: This document reflects the understanding of Software Engineering of America of System i
Health Insurance Portability and Accountability Act of 1996 (HIPAA)
What is HIPAA?
HIPAA was enacted in 1996 with the goal of establishing a set of laws to protect individuals’ health information, document the rights of health providers and patients, and secure the overall healthcare system in the United States. Healthcare organizations must follow these regulations to ensure confidential information does not leak and to avoid heavy fines.
HIPAA is based on five Titles:
I. Health Care Access, Portability, and Renewability
II. Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform
III. Tax-Related Health Provisions
IV. Application and Enforcement of Group Health Plan Requirements
V. Revenue Offsets
The full electronic HIPAA laws can be obtained from the Government Printing Office website.
http://frwebgate.access.gpo.gov/cgi-bin/getdoc.cgi?dbname=104_cong_public_laws&docid=f:publ191.104
On February 20, 2003, the Security Rule was issued under HIPAA and serves as one of the key components of the overall law. Its guidelines cover all electronic health information. The Security Rule is broken down into three sets of requirements:
1. Administrative Safeguards
2. Physical Safeguards
3. Technical Safeguards
ADMINISTRATIVE SAFEGUARDS
These policies focus on security measures for managing the protection of health care information. This section contains nine standards, and under each standard are implementation specifications, including access authorization, log-in monitoring, protection from malicious software, and more. These standards comprise 50% of the Security Rule.
Section and Standard: Implementation Specifications
164.308(a)(1) Security Management Process: Risk Analysis; Risk Management; Sanction Policy; Information System Activity Review
164.308(a)(2) Assigned Security Responsibility
164.308(a)(3) Workforce Security: Authorization and/or Supervision; Workforce Clearance Procedures; Termination Procedures
164.308(a)(4) Information Access Management: Isolating Health Care Clearinghouse Function; Access Authorization; Access Establishment and Modification
164.308(a)(5) Security Awareness and Training: Security Reminders; Protection from Malicious Software; Log-In Monitoring; Password Management
164.308(a)(6) Security Incident Procedures: Response and Reporting
164.308(a)(7) Contingency Plan: Data Backup Plan; Disaster Recovery Plan; Emergency Mode Operation Plan; Testing and Revision Procedure; Applications and Data Criticality Analysis
164.308(a)(8) Evaluation
164.308(b)(1) Business Associate Contracts & Other Arrangements
PHYSICAL SAFEGUARDS
These standards pertain to the physical means of protecting electronic information and equipment, for example physical security plans and hardcopy data disposal. Although these requirements are important, SEA solutions cover the electronic security aspects of the Security Rule.
Section and Standard: Implementation Specifications
164.310(a)(1) Facility Access Controls: Contingency Operations; Facility Security Plan; Access Control and Validation Procedures; Maintenance Records
164.310(b) Workstation Use
164.310(c) Workstation Security
164.310(d)(1) Device and Media Controls: Disposal; Media Re-use; Accountability; Data Backup and Storage
TECHNICAL SAFEGUARDS
These standards cover the technology, and the policies and procedures for its use, that protect electronic health information. This section of the Security Rule is made up of five standards consisting of various implementation specifications, including user identification, encryption, audit controls, and more.
Section and Standard: Implementation Specifications
164.312(a)(1) Access Control: Unique User Identification; Emergency Access Procedure; Automatic Logoff; Encryption and Decryption
164.312(b) Audit Controls
164.312(c)(1) Integrity: Mechanism to Authenticate
Why is HIPAA Important?
As the healthcare industry moves its processes to electronic and digital formats for efficiency, the need for strong security measures grows. Because information flows through many gateways, from insurance companies to employers, health care providers, and other entities, it is important to protect this data stream and remain in compliance. IT departments therefore need to incorporate secure and reliable mechanisms that protect the networks their data flows through and ensure compliance.
What if I’m Not Compliant?
Non-compliance with HIPAA may have serious consequences for an organization. Violations of the Act may result in heavy fines of up to $250,000, imprisonment for up to ten years, lawsuits, and legal liability. Whether an incident is accidental or intentional, your company may still be subject to these severe penalties.
Software Engineering of America offers a full line of solutions to help your organization stay compliant. Adopting SEA’s product suite can help ensure your company keeps medical information secure and reduces the risk of heavy fines. SEA offers solutions that track all types of activity, monitor users and resources, prevent security breaches, alert the proper personnel automatically, and more.
How Can SEA’s Solutions Ensure HIPAA Compliance?
Firewall
Firewall protects and secures all types of access to and from the System i, keeping your company safe from intruders. Beyond an easy-to-use filter for incoming and outgoing TCP/IP activity and intrusion prevention, it also manages user profile status, password restrictions, sign-on time control, object access control, rule exceptions, and logging of all activity. Scripts can be created in real time to respond automatically to monitored activity with system commands or programs, and to alert you via email, AS/400 message, and/or phone. Users can use the Java-based GUI in addition to the traditional green-screen interface to monitor and analyze activity in any type of AS/400 environment.
Audit
Audit provides real-time monitoring and logging of system and user activities and can act against threats by triggering proactive alerts. Monitored activity can be viewed, printed, or delivered through an automatic report scheduler to administrators, senior managers, and auditors. Scripts can be created in real time to respond automatically to monitored activity with system commands or programs, and to alert you via email, AS/400 message, and/or phone.
Antivirus
Antivirus scans compressed files and protects against viruses found on your System i server. It runs natively on your iSeries and scans your IFS and mail for viruses, eliminating the need to download files to a PC or server for scanning and keeping unnecessary traffic off your LAN. Antivirus also removes infected files from the system, scans email through the Mail Alert scan feature, and offers a user-friendly interface. On-access and on-demand scanning and automatic updates are other key features that keep your system safe.
Journal
Journal lets you monitor data modifications by providing before and after images of your data. Enterprises can see who made changes, what modifications were made, and when the changes took place. Data retrieval is simple and gives security administrators control over information flowing within their organization.
rules. Capture allows an organization to retrieve archived screenshots for definitive and accurate forensics for keeping your System i in compliance.
View
View gives administrators the ability to restrict access to specific fields and records and to specify user levels. System administrators can create rules that define which users are authorized to view or modify the contents of a database, ensuring that users do not access information they shouldn’t, such as confidential patient data.
Assessment
Use Assessment to test for system vulnerabilities by examining open ports, user privileges, and more, then view charted reports to confirm industry compliance. Assessment provides detailed reports on whether your network is really protected, whether auditing policies are in place, whether exit points are open, and more.
absCompress
absCompress compresses objects by over 80% at high speed to save space and reduce file transfer time, and provides government approved AES encryption up to 256 bit. Users can enter a string as a password for strong security. In addition, the history console tracks the details of every compression or decompression it performs.
absMessage
Examples of How SEA Will Help Your Company Comply with the Security Rule
Administrative Safeguards
Security Rule Section / Description / SEA Solution
164.308(a)(1)(ii)(A): This is the Risk Analysis implementation specification of the Security Management Process standard. It requires companies to assess vulnerabilities and potential risks to electronic health information.
SEA Solution: Audit, Assessment. These solutions identify potential security risks through real-time monitoring (Audit) and test system vulnerabilities by checking for open ports and similar exposures (Assessment). In addition, detailed reports and charts can be viewed (Assessment).
164.308(a)(3)(ii)(A): This is the Authorization and/or Supervision implementation specification of the Workforce Security standard. It calls for determining user rights, such as the ability to read a file or run a program.
SEA Solution: View, Assessment, Firewall. Administrators can restrict user access and specify user levels for viewing specific fields (View), use Assessment to view reports of user privileges, and manage user profiles, sign-on time control, and object access control through Firewall.
164.308(a)(5)(ii)(B): This is the Protection from Malicious Software implementation specification of the Security Awareness and Training standard. This security measure calls for preventing harmful programs or viruses.
SEA Solution: Antivirus.
Technical Safeguards
HIPAA Security Rule Section / Description / SEA Solution
164.312(a)(2)(iv): This is the Encryption and Decryption implementation specification of the Access Control standard. A proper encryption tool converts regular text into encoded data that can only be opened with the proper key.
SEA Solution: absCompress. absCompress encrypts your data via government approved AES encryption up to 256 bit. In addition, absCompress can quickly compress your objects by 80% to save space.
164.312(b): This is the Audit Controls standard (there are no implementation specifications). It calls for implementing an audit report tool or other method for recording system activity.
SEA Solution: Firewall, Audit, Journal, Capture, absMessage. All of the above solutions will record critical types of activity on the i5. Firewall will keep track of network activity