
Solutions for Health Insurance Portability and Accountability Act (HIPAA) Compliance


Academic year: 2021


Troy Herrera

Sr. Field Solutions Manager

Juniper Networks, Inc. 1194 North Mathilda Avenue Sunnyvale, CA 94089 USA 408 745 2000 or 888 JUNIPER www.juniper.net

Contents

Introduction

HIPAA Overview

HIPAA Compliance Requirements

Problems and Solutions for Supporting Secure Remote Access

Problems and Solutions for Securing PHI on the Network

Problems and Solutions for Addressing Increasing Attack Sophistication and Compliance Auditing

Juniper’s Partners in Healthcare

Why Juniper for Healthcare Solutions

Introduction

Juniper provides reliable Secure and Assured networking solutions for the healthcare market to help customers meet their HIPAA compliance requirements while improving patient care and business productivity. Our solutions are market leading and enable customers to better protect private healthcare information. We not only help to secure healthcare networks, we also better enable a productive healthcare environment through secure and scalable remote access, reduced network outages and support of network-based compliance auditing. In addition, Juniper provides highly reliable and scalable routing for the healthcare market with the Juniper Networks M-Series and J-Series routers and can greatly improve application performance with Wide Area Network and Data Center acceleration products.

Our technologies, products, and solutions are widely recognized as some of the most innovative and as market leaders in their categories. Therefore, if your network performance is business critical in providing the highest quality of patient care, gaining productivity advantages, and ensuring HIPAA compliance, read more to see how Juniper can provide your healthcare organization with a business advantage based upon our capabilities and the enhanced performance of your network.

HIPAA Overview

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was passed to protect the rights and privacy of healthcare patients within the United States. This law enforces strict requirements on how healthcare providers, health insurance organizations, and healthcare payment clearinghouses use and disclose electronic private health information (PHI). With the emergence of the Internet to facilitate communications and electronic transactions, this law was intended to ensure the integrity and confidentiality of PHI shared electronically. As such, not only have internal electronic processing procedures been put in place and maintained, but new processes, equipment and technologies have been deployed to help ensure the privacy and security of this information and HIPAA compliance.

Although healthcare organizations subject to HIPAA have taken steps to operate within compliance of the law, threats are changing rapidly in today’s networking environment. The healthcare organization’s HIPAA Compliance Officer must re-evaluate needs and requirements on an ongoing basis. Many originally established HIPAA compliance processes are no longer valid given new and emerging threats to the integrity and security of the network. The most sophisticated threats, which previously resided at the network layer, have become more sophisticated and now attack at the application layer. Furthermore, the trends in healthcare are adjusting the network access needs of doctors, nurses, and additional medical staff, as well as enabling the burgeoning work-at-home segment within healthcare insurance and payment clearinghouse organizations. These powerful trends have combined to radically alter the requirements and burden upon healthcare IT organizations to ensure not only HIPAA compliance, but the productivity of healthcare workers and the quality of patient care as a whole.

HIPAA Compliance Requirements

HIPAA security standards specify network security standards with implementation specifications. There are two types of Implementation Specifications: Required and Addressable. It is not our intention to interpret the HIPAA security standard requirements; therefore, for information specific to these requirements we refer you to the HIPAA Final Ruling. Those familiar with the HIPAA Final Ruling will recognize the Security Standards matrix below as taken from the HIPAA documentation. These security standards are categorized into three broad safeguard categories: Administrative Safeguards, Physical Safeguards, and Technical Safeguards. Circled on the matrix are implementation specifications where Juniper Networks provided solutions are able to support HIPAA compliance implementations for the stated security standards. In some cases a Juniper Networks solution may enhance the implementation specification while in other areas of the compliance requirement, a Juniper Networks solution may be the primary means by which the security standard requirement can be met. The solutions offered by Juniper to help achieve HIPAA compliance typically address three categories of solutions: Secure Remote Access, Securing HIPAA Security Zones, and Provide HIPAA Compliance Accountability with Threat Mitigation.

 

Standards | Sections | Implementation Specifications ((R)=Required, (A)=Addressable)

Administrative Safeguards

Security Management Process | 164.308(a)(1) | Risk Analysis (R); Risk Management (R); Sanction Policy (R); Information System Activity Review (R)

Assigned Security Responsibility | 164.308(a)(2) | (R)

Workforce Security | 164.308(a)(3) | Authorization and/or Supervision (A); Workforce Clearance Procedure; Termination Procedures (A)

Information Access Management | 164.308(a)(4) | Isolating Health care Clearinghouse Function (R); Access Authorization (A); Access Establishment and Modification (A)

Security Awareness and Training | 164.308(a)(6) | Response and Reporting (R); Protection from Malicious Software (A); Log-in Monitoring (A); Password Management (A)

Security Incident Procedures | 164.308(a)(6) | Response and Reporting (R)

Contingency Plan | 164.308(a)(7) | Data Backup Plan (R); Disaster Recovery Plan (R); Emergency Mode Operation Plan (R); Testing and Revision Procedure (A)

Evaluation | 164.308(a)(1) | (R)

Business Associate Contracts and Other Arrangement | 164.308(b)(1) | Written Contract or Other Arrangement (R)

Physical Safeguards

Facility Access Controls | 164.310(a)(1) | Contingency Operations (A); Facility Security Plan (A); Access Control and Validation Procedures (A); Maintenance Records (A)

Workstation Use | 164.310(b) | (R)

Workstation Security | 164.310(c) | (R)

Device and Media Controls | 164.310(d)(1) | Disposal (R); Media Re-use (R); Accountability (A); Data Backup and Storage (A)

Technical Safeguards (see § 164.312)

Access Control | 164.312(a)(1) | Unique User Identification (R); Emergency Access Procedure (R); Automatic Logoff (A); Encryption and Decryption (A)

Audit Controls | 164.312(b) | (R)

Integrity | 164.312(c)(1) | Mechanism to Authenticate Electronic Protected Health Information (A)

Person or Entity Authentication | 164.312(d) | (R)

Transmission Security | 164.312(e)(1) | Integrity Controls (A); Encryption (A)

Source: 45 CFR Parts 160, 162, and 164 - Health Insurance Reform: Security Standards; Final Rule, 2/20/2003.

• IDP assists with Risk Management assessments.

• Secure Remote Access ensures authorization for accessed locations of the network. IDP adds supervision on the network.

• HIPAA Security Zones limit access to those with authorization.

• IDP identifies and protects against malicious software.

• Secure Remote Access and IDP provide log-in monitoring.

• IDP provides response and reporting for security incidents.

• Secure Remote Access facilitates use of the network when operating under emergency contingency plans at remote locations.

• When using electronic surveillance to ensure accountability of physical safeguards, Security Zones and Secure Remote Access protect the accountability of the surveillance network.

• HIPAA Security Zones support access control compliance. Secure Remote Access with dual token authentication and single concurrent login provides unique user identification. Emergency access and automatic logoff are supported with Secure Remote Access. A wide variety of sophisticated encryption techniques are supported to ensure privacy of information. Special techniques are implemented to ensure active and post transaction security.

• IDP provides intelligent logs for Audit Control enforcement.

• Security Zones, Secure Remote Access, and Unified Access Control can be used independently or combined to support integrity, authentication, and transmission security for the HIPAA Compliance process.

 

Secure Remote Access solutions can be a significant part of the process in ensuring compliance by supporting Authorization and/or Supervision for the Workforce Security Standard, providing remote access Log-in Monitoring for the Security Awareness and Training Standard, becoming a significant part of the Contingency Plan Standard, providing Accountability for the Device and Media Controls Standards, and being a large part of the Access Control standard in any HIPAA compliance process.

For those on the healthcare network - doctors, nursing staff, contractors, administration, suppliers or business partners - not all should have access to stored and transmitted PHI. For this reason, HIPAA Security Zones go a long way in addressing many of the security standards in the areas of Administrative Safeguards with Authorization and/or Supervision, Access Authorization, Physical Safeguards in the area of Device and Media Controls Accountability, and in the area of Technical Safeguards with Access Control, Integrity, Person or Entity Authentication, and Transmission Security. With respect to many of the HIPAA security standards, Secure Access and HIPAA Security Zones solutions work together to provide a comprehensive and robust HIPAA compliance mechanism.

 

A trend, not limited to healthcare, is the fact that the attacks are becoming more sophisticated and more personally intrusive. As we have witnessed recently in the press, personal information theft has been high profile and costly. Businesses have lost their credibility with relaxed network security and risk the potential of being forced out of business from bad publicity. Healthcare networks may face the same predicament with the risk of having to make public disclosures of the compromise of highly sensitive and private information stored and transacted on a daily basis if a similar breach were to occur. The confidentiality of PHI on the network and the credibility of the healthcare institution as a whole are placed at great risk without proper security implementations of the HIPAA security standards. This is an area of concern that can be addressed in part with network accountability and threat mitigation.

Combined with HIPAA Security Zones and Secure Remote Access, the network can be made very resilient and secure to address the wide range of threats while addressing the HIPAA security standards. Juniper Networks’ Threat Mitigation and Compliance Auditing solutions can be implemented within the HIPAA compliance process to enable healthcare networks to provide Risk Management for the Security Management Process Standard, Authorization and/or Supervision for the Workforce Security Standard, Protection from Malicious Software and Log-in Monitoring for the Security Awareness and Training Standard, Response and Reporting for the Security Incident Procedures Standard, and support the Technical Safeguards by being an integral part of the Audit Controls Standard.

 

Problems and Solutions for Supporting Secure Remote Access

The most common healthcare networking problem is a result of the combination of an increasingly mobile workforce and the increasing threat of attack. As a result of the mobile workforce that is enabled to electronically transmit confidential information, the threat of the mobile communications being attacked is increasing. Furthermore, healthcare providers do not operate within a closed environment, but rather they must communicate and share PHI with other “covered entities”. As such, additional steps must be taken to ensure the integrity and confidentiality of mobile PHI communications and PHI transmitted to and from distributed covered entities. The traditional methods of securing the network with firewalls at the perimeter are no longer sufficient in this new healthcare provider environment. The new perimeter is now one that is very dynamic as mobile workers log onto the network with various devices and transmit PHI to other covered entities over a patchwork of connected networks.

Secure Virtual Private Networks (VPNs) must be established for the mobile workforce and distributed covered entities to enable productivity while being mobile and conducive to business while ensuring the privacy of information being transacted. However, there are many problems and limitations to the way VPNs have been deployed. Through inherent difficulties in configuring many VPNs, those working from home have given up on their VPN implementations to communicate with network resources and retrieve or input database information. The result is that remote workers either do not communicate with healthcare network resources and become less productive or they communicate via unsecured communications, placing the security of PHI and HIPAA compliance at risk.

  

No one VPN solution is the “right” solution for every unique mobile worker or distributed site situation. This is one reason why there are so many VPN options to choose from. For fixed remote locations, IPSec as a technology for VPN implementation is perhaps the preferred method of deploying VPNs. IPSec can operate with low latency for applications that require high performance. Although IPSec VPNs may be more cumbersome to configure than SSL VPNs, once they are configured and “in place” for fixed locations, they typically do not need to be reconfigured and can usually operate without manual intervention.

For the work-at-home and mobile workforce however, IPSec VPN configurations are often difficult and too cumbersome to configure for many users. As the organization grows and becomes more dependent upon using a VPN for communicating securely with network resources, configuring VPNs becomes a significant burden on IT support and help desk resources. The burden often becomes overwhelming from a time and cost perspective to justify the supported VPN services.

The ideal alternative for a work-at-home and mobile workforce is to use SSL VPNs. SSL VPNs can use a clientless platform which requires little or no manual configuration on behalf of the user. This makes VPN access seamless to the remote user, robust, and combines security of the communications with ease of use. These characteristics make SSL VPNs one of today’s highest technology growth segments within the VPN market. This is a market where Juniper has distinguished itself with leading innovation and the ability to execute upon customer requirements.

 

Problems and Solutions for Securing PHI on the Network

Not all information on the healthcare network is PHI and subject to HIPAA requirements. In fact, a large portion of the network accessed by healthcare workers is not HIPAA sensitive. However, many healthcare organizations have not taken the appropriate steps to segregate PHI subject to HIPAA and non-PHI on the network. Within the healthcare organization, there are many individuals who should never have access to HIPAA sensitive information. In addition, as we have seen within the market and reported by industry analysts at large, the majority of today’s threats are coming from within the organization. For this reason, it is insufficient to deploy firewalls at the perimeter to protect the network that is being attacked from within.

As a best practice, multiple security zones should be established within the healthcare provider’s network. One or more of these secure zones, based on the configuration of the network, should be a HIPAA Compliance Zone. This provides additional separation and security from unknown threats and attacks which may emerge from within the secured external perimeter of the network as well as within secured areas of the network.

HIPAA Security Zones support the Administrative Safeguards by requiring appropriate Authorization and/or Supervision with log-in requirements to access secured zones. By enforcing granular access control that takes into account the user device as well as the application attempting to access network resources, Physical Safeguards in the area of Device and Media Controls Accountability can be supported. Furthermore, Technical Safeguards with respect to Access Control, Integrity, Person or Entity Authentication, and Transmission Security can be enforced with the granular control of Juniper Networks’ firewalls combined with application layer security and VPN support with advanced encryption techniques being supported.

 

 

Problems and Solutions for Addressing Increasing Attack Sophistication and Compliance Auditing

As mentioned above, attacks are increasingly becoming more sophisticated and increasingly attacking at the application layer. As a result, a layered security approach is demanded to provide the best available method of security. To enable this layered approach, many organizations are deploying Intrusion Detection and Prevention (IDP) to detect and prevent attacks in real-time. An additional benefit of IDP for the HIPAA compliant healthcare provider is the ability to provide network auditing capabilities to ensure and demonstrate compliance.

for securing the network from new and emerging threats. The challenge with any IDP is to properly identify attacks while eliminating false positives. In addition, IDP must scale and operate at exceptionally fast speeds to analyze all communications which could potentially be an attack, and to do this as users and application demand increase to meet the anticipated needs of the largest healthcare facilities and most demanding users of network resources. The key to any successful IDP solution is to not sacrifice security for performance and to provide comprehensive detection of network-based attacks. Specifically, this is the area in which Juniper’s IDP solution differentiates itself and excels for market demanded performance in business critical networks.

Using the advanced network auditing capabilities of Juniper Networks’ IDP, the solution can become an integral part of the Risk Management process for the Security Management Process Standard as well as providing Supervision for the Workforce Security Standard and Log-in Monitoring across the enterprise for the Security Awareness and Training Standard. The solution may be configured to provide Protection from Malicious Software by limiting unauthorized and potentially illegal software downloads from the Internet. Furthermore, Juniper Networks’ Threat Mitigation and Compliance Auditing solution can become an integral part of supporting compliance with Response and Reporting for the Security Incident Procedures Standard.

 

Juniper’s Partners in Healthcare

Juniper has aligned itself with strategic integration and healthcare solution providers to meet the demands and rapidly evolving needs within healthcare. Our partners for healthcare focus on delivering HIPAA compliant solutions and better enabling the healthcare workforce through purpose built innovative technology. In some cases, Juniper and our partners have developed custom integration of products to create joint solutions that specifically meet unique healthcare demands and enhance the user experience. Juniper’s best-of-breed solutions enable our healthcare focused partners to provide the most advanced and capable solutions in the industry for the benefit of our mutual customers.

 

Why Juniper for Healthcare Solutions

As a company, Juniper has proven itself to be a thought and technology leader within both enterprise and service provider markets. Our innovation and technology is recognized by industry analysts and the market as a whole as market leading and well ahead of the competition in terms of features and capabilities. Our vision of the network for the enterprise is provided through the Enterprise Infranet, providing a new way of considering the emerging demands being placed upon the network and enabling the network to be leveraged as a business enabler and strategic competitive advantage.

The Enterprise Infranet adds Endpoint (user and device) intelligence to Application and Network intelligence. Through the combination of this intelligence, the Enterprise Infranet is able to dynamically respond to provide Use, Delivery, and Threat Control across the enterprise. This dynamic and unprecedented control protects the network and sensitive information while enabling the enterprise to be productive with network resources. The Enterprise Infranet is flexible to meet various enterprise network models from the Campus, Extended Enterprise, Distributed Enterprise, Data Center, and WAN Gateway and to support these appropriately with added intelligence and control.

Our vision of the Enterprise Infranet is guiding product development and enabling our customers to place trust in Juniper by knowing that they have made the “right” business decision in selecting Juniper as a partner for critical business needs. Those who achieve regulatory compliance with their network, compete for business with their network, or leverage the network for a business advantage have found that Juniper provides the greatest advantage to provide their businesses with a competitive edge. These businesses can create network-based compliance policies and implement and enable these policies with a network that dynamically responds to enforce policy and meet the needs of the organization.

Extending Secure and Assured remote access to the healthcare mobile workforce is a part of the Enterprise Infranet vision. By enabling the distributed healthcare enterprise and mobile healthcare workers, we are enabling the business to:

• Provide the highest levels of responsive patient care with the network leveraged as a strategic resource to meet these needs.

• Secure and Assure VPN access solutions for healthcare workers; enabling remote caregivers to obtain the information they need, when they need it, and to make diagnosis and provide proper care.

• Protect the network as a resource and to protect the privacy and rights of the private health information (PHI) as well.

 

Juniper does not recommend any one VPN solution, but considers your business to determine the “right” VPN solution for your needs. Based upon the needs of your business and patient care procedures, any one of Juniper’s popular VPN solutions may be right for your healthcare organization. Technology is an enabler of the solution; therefore the best solution for your needs may be:

• IPSec for fixed office to office locations over public and/or distributed wide area networks and shared access networks.

• SSL for a mobile workforce or to scale the VPN solution across the healthcare facility with minimal help desk resources and to support secure communications from medical devices to base station transceivers in a wireless local area network (WLAN) environment.

• MPLS for large campus environments and private wide area networks (WANs) where routing performance for real-time and converged applications is as important as security for the applications.

In these scenarios, Juniper can provide a robust VPN solution for the unique and custom requirements of your organization.

When deploying HIPAA Security Zones, the firewall is the most important element of developing the security zone. As such, needs dictate a firewall that is capable of securing the network from Layer 3 of the OSI stack up to the application layer (Layer 7) with deep packet inspection and protocol anomaly detection. The firewall technology should:

• Support flexible configurations with advanced security capabilities to prevent sophisticated attacks and protect the HIPAA Compliance Zone from internal as well as external threats.

• Scale with respect to application and user performance demands to meet the needs of work-at-home and smaller branch offices as well as the needs of large centralized hospitals.

Juniper can help to provide this level of security and network protection for HIPAA Security Zones in a family of firewall solutions that scale to meet the many diverse needs within healthcare. An Intrusion Detection and Prevention (IDP) platform should be deployed as a layered security solution for the compliance process. The IDP solution must:

• Detect and prevent network-based attacks as they occur with industry leading technology.

• Scale to meet the diverse sets of requirements within healthcare to provide high performance processing throughput while detecting attacks.

• Provide robust audit and reporting capabilities to support the auditing and accountability of compliance.

 

Not only does Juniper Networks’ IDP protect against network-based attacks, but it operates at high speed to minimize latency in the network. In addition to providing detection of attacks where deployed, Juniper Networks’ IDP is one of the best in the industry at identifying threats while eliminating false positives. Our ability to eliminate false positives makes Juniper Networks’ IDP operationally efficient to manage and support at scale in any healthcare provider’s network. It’s this level of support and functionality in Juniper Networks’ IDP solution that makes us a market leader in IDP.

Conclusion

The increasing trends of distributed covered entities and greater mobility among the healthcare workforce as well as increasing sophistication of attacks are dramatically changing the network-based needs for the quality of patient care, business productivity, and HIPAA compliance. Healthcare providers and other covered entities should refer to the HIPAA Security Standards Final Ruling to assess compliance requirements and derive the necessary solutions for their organization based upon these requirements. Taking an extra step to ensure quality patient care, healthcare IT organizations should leverage the network as a business enabler to meet the goals of providing quality healthcare while maintaining the privacy of PHI.

 
