Academic year: 2021


HIPAA DATA SECURITY & PRIVACY COMPLIANCE

This paper explores how iSheriff Cloud Security enables organizations to meet HIPAA compliance requirements with technology and real-time data identification.


Introduction

This white paper examines the data security and privacy compliance requirements of the Healthcare Insurance Portability and Accountability Act (HIPAA). It examines the purpose and objectives of specific portions of the Act related to information security and the privacy of data transfers and communications.

Finally, this paper explores how iSheriff Cloud Security enables organizations to meet HIPAA compliance requirements with technology and real-time data identification.

The Healthcare Insurance Portability and Accountability Act is US federal law, enacted in 1996.

IT ADDRESSES:

a) Healthcare insurance access, portability of healthcare insurance from one employer to another, and the exclusion period for certain pre-existing health conditions when enrolled in a group health plan.

b) Civil and criminal penalties for healthcare-related offences such as fraud.

c) Standards for improving the efficiency of healthcare administration and how health information is disseminated.

d) Data security and privacy standards for Protected Health Information (PHI) and Electronic Protected Health Information.

ORGANIZATIONS AFFECTED BY HIPAA

HIPAA affects any organization in the US handling Protected Health Information. Typically, organizations that handle PHI are issued with a National Provider Identifier (NPI) number by the Centers for Medicare and Medicaid Services.

COMMON EXAMPLES OF COVERED ENTITIES INCLUDE:

» Health insurers
» Healthcare clearing houses
» Hospitals
» Nursing homes
» Pharmacies
» Laboratories
» Physicians, physiotherapists and general practitioners’ offices

HIPAA REQUIREMENTS

HIPAA stipulates a range of requirements for organizations handling healthcare insurance and PHI. This white paper is primarily concerned with HIPAA requirements governing data security and privacy.

HIPAA IS STRUCTURED IN THREE MAIN AREAS:

1: TITLE I - HEALTHCARE ACCESS

Title I regulates the availability of healthcare insurance and the portability of insurance across employers and group healthcare plans. Note: this white paper does not address this area of the Act in detail.

2: TITLE II - FRAUD, PRIVACY, SECURITY AND ADMINISTRATION

Title II defines various offences relating to healthcare such as fraud and sets criminal and civil penalties for these crimes. It also stipulates a series of standards and controls regarding the handling of PHI, termed Administrative Simplification. Title II sets out five rules regarding

1) Privacy Rule

a) Covered entities must ensure the confidentiality of communications with individuals.

b) Covered entities must disclose PHI to the individual concerned within 30 days upon request.

c) Covered entities must make reasonable efforts to disclose only the minimum necessary information required to achieve its purpose, after authorization is obtained from the individual.

d) Covered entities are required to notify individuals of uses of their PHI. They must also keep a record of to whom PHI has been disclosed, what was disclosed and when.

e) Covered entities must appoint a Privacy Official responsible for establishing PHI security policies and procedures internally, be the contact point for PHI-related complaints and be responsible for internal workforce training for procedures relating to PHI.

2) Transactions and Code Sets Rule - stipulates standards for electronic healthcare claims, billing and transactions required for HIPAA compliance.

3) Security Rule - similar and complementary to the Privacy Rule, but solely concerned with Electronic Protected Healthcare Information (EPHI).

The Security Rule specifies three types of security safeguards for EPHI:

a) ADMINISTRATIVE SAFEGUARDS

i) Covered entities must adopt a written set of privacy procedures and appoint a Privacy Officer.

ii) Clearly identify employees or roles authorized to access EPHI and restrict access to only those employees who require it to perform their job function.

iii) Outsourced third parties who require access to EPHI in their business process must comply with HIPAA requirements, and the covered entity is responsible for ensuring this.

iv) Establish data disaster recovery and backup procedures for EPHI.

v) Document the scope, frequency and procedures for internal EPHI and administrative audits.

vi) Document procedures for EPHI security breaches.

b) PHYSICAL SAFEGUARDS

i) Controls must be implemented to ensure the physical security of EPHI and protect against unauthorized access.

ii) Controls must govern the introduction or removal of hardware and software on the network.

iii) Access to equipment storing EPHI must be restricted to authorized personnel.

iv) Workstations capable of accessing EPHI should be located in private areas and out of direct view of the public or unauthorized people.

v) If a covered entity uses an external contractor, they must be given training and made aware of HIPAA responsibilities.

c) TECHNICAL SAFEGUARDS

i) Controls must be implemented to control access to computer systems and to ensure that covered entities protect communications containing PHI and prevent anyone other than the intended recipient from intercepting them.

ii) EPHI information systems must be protected against intrusion or hacking.

iii) When EPHI is transmitted over an open network, some form of data encryption must be applied. If the network is closed, data encryption is considered to be optional.


iv) Covered entities are responsible for ensuring that EPHI is not changed or erased without appropriate authorization.

v) Data corroboration such as the use of digital signatures, checksums and message authentication should be used to ensure data integrity and anti-tampering.

vi) Covered entities must authenticate with other entities with which they communicate EPHI, and must ensure that those entities are indeed who they claim to be.

vii) Covered entities must document their HIPAA compliance practices around the Security Rule and provide these to appropriate government regulators upon request to help determine HIPAA compliance.

viii) Covered entities must also carry out and document EPHI security risk assessments and risk management programs. The Security Rule is considered to be a mandatory, minimum standard for EPHI security and covered entities are obligated to make specific assessments of their own security risks and take reasonable additional precautions necessary to protect EPHI within the covered entity’s specific environment.

4) Unique Identifiers Rule - Covered entities governed by HIPAA must use only the National Provider Identifier (NPI) number to identify covered healthcare providers. Covered entities must not share PHI with entities that do not use an NPI, a 10-digit alphanumeric identification number.

5) Enforcement Rule - sets civil monetary penalties for covered entities that violate or fail to comply with HIPAA requirements. It also establishes how violations are investigated and prosecuted.

3: HITECH ACT

The HITECH Act (Health Information Technology for Economic and Clinical Health Act) was enacted as part of the American Recovery and Reinvestment Act of 2009. It addresses additional privacy and security issues relating to the electronic transmission of PHI.

It extends the data privacy and security requirements of HIPAA to business associates of covered entities and stipulates that these requirements be included in agreements and contracts between covered entities and business associates.

The Act also imposes additional notification requirements relating to PHI security breaches and extends these to not only covered entities, but business associates and vendors of personal health records. Lastly, the Act also implements changes in the rules governing disclosures of PHI when an organization uses an electronic health record (EHR).


iSheriff Cloud Security & HIPAA

iSheriff Cloud Security is a Web, Email and Endpoint protection service which complies with HIPAA regulations governing the security and privacy of Electronic Protected Healthcare Information.

The service provides real-time analysis of email and Web traffic to guard against HIPAA compliance breaches and accidental disclosure of EPHI. iSheriff automatically encrypts EPHI according to HIPAA procedures and provides data leakage protection to ensure the security and privacy of PHI.

360° HIPAA POLICY COMPLIANCE

iSheriff Cloud Security provides a complete solution to help your organization address a range of HIPAA security requirements, including technology protection, implementation of HIPAA policies, assisting with employee education and analyzing the compliant transmission of EPHI.

iSHERIFF APPLIES A 360 DEGREE SOLUTION WHICH ENABLES CORPORATIONS TO:

» DEFINE PHI data security procedures.

» Consistently MONITOR the transmission of EPHI and automatically enforce HIPAA procedures in email and Web communications, ensuring the security and privacy of healthcare information.

» DETECT policy breaches, automatically alert HIPAA Privacy Officers of procedural breaches and help educate employees regarding HIPAA compliance.

» ANALYZE Web, Email and Endpoint activity with reports that enable healthcare providers to better educate employees and refine policies to maintain continued compliance with HIPAA rules over time.


ACHIEVING HIPAA COMPLIANCE

HIPAA lays out multiple security rules and requirements that covered entities must implement. iSheriff Cloud Security provides functionality which can meet or surpass all of these requirements:

HIPAA Requirement: Ensure the confidentiality of communications with individuals.

iSheriff Cloud Security: iSheriff Cloud Security provides easy-to-use security features such as email encryption, policy-based data and file-type controls and real-time EPHI detection to ensure that data is transmitted according to confidentiality procedures and to block the unauthorized or non-compliant communication of EPHI.

HIPAA Requirement: Adopt a written set of privacy procedures for handling EPHI.

iSheriff Cloud Security: iSheriff Cloud Security enables you to easily adapt written HIPAA privacy procedures into practical, plain-English security rules using an intuitive user interface. Pre-configured example HIPAA policies are available to help streamline policy creation and save time and money. iSheriff Cloud Security can automatically secure information or trigger HIPAA policies based on:

» Names, addresses, phone or fax numbers
» Email addresses, IP addresses or domains
» National Provider Identifier (NPI)
» Social Security Numbers
» Medical record numbers
» Bank account numbers
» Any alphanumeric pattern of interest for HIPAA compliance

HIPAA Requirement: Restrict access to EPHI to only those employees who require it to perform their job function.

iSheriff Cloud Security: iSheriff Cloud Security is a policy-based, user authentication solution which enables healthcare providers to selectively apply EPHI communication privileges based on user ID, IP address, department, policy group or domain. This means that unauthorized employees are always blocked from transmitting EPHI and authorized EPHI communications are automatically encrypted in accordance with HIPAA guidelines.

HIPAA Requirement: Third parties utilized by covered entities must comply with HIPAA rules.

iSheriff Cloud Security: iSheriff Cloud Security provides an easy-to-use and totally secure communication environment, allowing your organization to communicate privately with individuals and business associates. You can collaborate and share information securely and without additional costs, special software or extensive training requirements.

HIPAA Requirement: Covered entities must protect communications containing PHI and prevent anyone other than the intended recipient from intercepting them.

iSheriff Cloud Security: Policy-based authentication ensures that EPHI can only be shared with an authorized list of email addresses, domains or IP addresses. In addition, S/MIME email encryption and 128-bit SSL encryption prevent interception of EPHI or accidental disclosure to unintended recipients.

HIPAA Requirement: Covered entities must protect information systems against intrusion or hacking.

iSheriff Cloud Security: iSheriff Cloud Security helps safeguard email and Web communications and keeps endpoints free from malware and other malicious Web attacks.


HIPAA Requirement: PHI must be encrypted when transmitted over an open network.

iSheriff Cloud Security: Email communications are protected by 128-bit SSL connections and/or S/MIME PKI encryption over open networks. HTTPS content inspection ensures that EPHI is only transmitted via the Web by authorized

HIPAA Requirement: Data corroboration such as digital signatures, checksums and message authentication should be used to ensure data integrity and anti-tampering.

iSheriff Cloud Security: iSheriff Cloud Security provides detailed Web and email security reporting. This enables you to monitor and evaluate the disclosure of NPI, who has accessed NPI, and adjust security measures or implement new policies as needed.

HIPAA Requirement: Covered entities must authenticate with other entities with which they communicate EPHI.

iSheriff Cloud Security: iSheriff Cloud Security supports Public Key Infrastructure (PKI) that employs trusted X.509 certificates and S/MIME cryptography for strong authentication and encryption.

HIPAA Requirement: Covered entities must keep a record of to whom PHI has been disclosed, what was disclosed and when.

iSheriff Cloud Security: iSheriff Cloud Security reports provide a detailed log of communications and HIPAA-related events such as email, file uploads or downloads, and identification of users and email addresses to which EPHI has been disclosed.
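The three mechanisms the tables above describe (pattern-based EPHI detection, policy decisions keyed on the sender's department and the recipient's domain, and a who/what/when disclosure log) fit together as one small policy engine. The following is an added illustration written for this page, not iSheriff's code; the identifier patterns, the MRN format, the department names and the recipient domains are constructed assumptions.

```python
import re
from dataclasses import dataclass
from datetime import datetime, timezone

# Patterns for identifiers the paper lists as HIPAA policy triggers. The NPI is matched
# only when labelled, to avoid flagging every 10-digit number; the MRN format is assumed.
EPHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "npi": re.compile(r"\bNPI[:#\s]*\d{10}\b"),
    "mrn": re.compile(r"\bMRN-\d{6}\b"),
}

# Constructed policy: departments allowed to send EPHI, and the business-associate domains
# they may send it to. Everything else carrying EPHI is blocked.
AUTHORIZED_DEPARTMENTS = {"billing", "medical-records"}
AUTHORIZED_RECIPIENT_DOMAINS = {"clearinghouse.example"}


@dataclass
class Message:
    sender: str        # user ID of the sender
    department: str    # policy group the sender belongs to
    recipient: str     # destination email address
    body: str


def find_ephi(text: str) -> dict:
    """Return {identifier_kind: [matched strings]} for every pattern that fires."""
    found = {}
    for kind, pattern in EPHI_PATTERNS.items():
        matches = pattern.findall(text)
        if matches:
            found[kind] = matches
    return found


def mask(value: str) -> str:
    """Keep only the last four characters so the audit log does not itself leak EPHI."""
    return "*" * (len(value) - 4) + value[-4:]


def evaluate(msg: Message, log: list, now: datetime = None) -> str:
    """Decide allow / encrypt / block for one outbound message and log any EPHI event."""
    hits = find_ephi(msg.body)
    if not hits:
        return "allow"  # no EPHI: ordinary mail, nothing to record
    domain = msg.recipient.rsplit("@", 1)[-1].lower()
    authorized = (msg.department in AUTHORIZED_DEPARTMENTS
                  and domain in AUTHORIZED_RECIPIENT_DOMAINS)
    # Authorized EPHI traffic is forced through encryption (S/MIME in the paper);
    # anything else is blocked. Both outcomes go to the who/what/when record.
    decision = "encrypt" if authorized else "block"
    log.append({"when": (now or datetime.now(timezone.utc)).isoformat(),
                "who": msg.sender, "to": msg.recipient, "decision": decision,
                "what": {k: [mask(v) for v in vs] for k, vs in hits.items()}})
    return decision


if __name__ == "__main__":
    log = []  # the disclosure record; constructed sample traffic follows
    samples = [
        Message("ann", "billing", "claims@clearinghouse.example",
                "Claim for patient MRN-482113, rendering provider NPI 1234567893"),
        Message("bob", "marketing", "friend@webmail.example", "FYI his SSN is 123-45-6789"),
        Message("cat", "billing", "claims@clearinghouse.example", "Lunch at noon?"),
    ]
    for m in samples:
        print(m.recipient, "->", evaluate(m, log), log[-1] if log else "")
```

The log stores masked identifiers on purpose: the record of what was disclosed must not become a second copy of the EPHI.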


BEYOND HIPAA

WHY iSHERIFF CLOUD SECURITY IS IDEAL FOR HEALTHCARE PROVIDERS

FOR WEB, EMAIL AND ENDPOINT DEVICE SECURITY, iSHERIFF CLOUD SECURITY OFFERS HEALTHCARE PROVIDERS CONSIDERABLE BENEFITS AND ADVANTAGES:

» A hosted security solution which cleans and secures email and Internet use.

» No need to purchase or manage appliances or software - all infrastructure is provided and managed for you.

» A single vendor for endpoint anti-virus, email security, encryption and/or Internet filtering.

» Predictable fixed cost structure with the flexibility to let you grow or shrink your user licensing as and when you need it.

» No tedious maintenance or administration.

» Accessible policy tuning and reporting via a secure Web console enables you to manage your security if you wish and view reports anytime, anywhere.

» Reliable, effective security with real-time, patented content and threat analysis technology from a vendor with over 10 years of proven experience delivering best-of-breed protection.

» Eliminates spam and phishing from incoming email - removes offensive unsolicited messages, which often also carry malicious threats and links to compromised websites, and delivers considerable bandwidth savings.

» Secure your endpoints, email and Web connections against viruses, malware and the latest Web 2.0 threats such as botnets and compromised websites.

» Prevent access to pornographic and offensive Web content with website category filtering which is updated and driven by your usage. SafeSearch enforcement is also provided for search engines such as Google, Yahoo and Bing, as well as YouTube, ensuring that inappropriate content is not returned by a search.

» Automatic email archiving to back up your important communications and aid in disaster recovery.

» Access easy-to-understand reports on demand and readily measure the cost savings and performance delivered by the services you are paying for.


Other Key Features & Benefits

EASE OF USE

» Powerful and intuitive Web console, with flexible “drag & drop” configurability

» Full integration with all major directory services - for hassle-free set-up and group/user maintenance

» Comprehensive and configurable reporting across all policies, security vectors and directory elements

» Policy enforcement through real-time reporting and alerting

» Lightweight endpoint anti-malware agent deployable on all current versions of Windows, Mac and Linux

COMPREHENSIVE SECURITY CONTROLS

» Highly configurable content filtering, based on iSheriff’s proprietary URL database and real-time dynamic page classification - ensuring that acceptable use policies are enforced

» Highly flexible application controls, enabling policy enforcement for application permissions

» Bandwidth controls, enabling management of bandwidth usage through policy

» Data leak protection for data-in-motion across both Web and Email transport layers, to ensure that sensitive corporate information is kept secure

ADDITIONAL BENEFITS

» Email archiving for 90 days, and e-discoverability

» Multi-tenant management framework and dashboard, enabling management of deployment, policies and reporting for MSPs, VARs and distributed organizations through an integrated Web-based console


iSheriff Security Specialists

At iSheriff, our commitment to our customers is the driving force behind everything we do. In addition to all of the customer service functions offered by competitive companies, at iSheriff you will be assigned your own Security Specialist.

iSheriff is the only internet security company that provides a trained, dedicated, knowledgeable single point of contact, whose job is to assist, guide and keep you informed about the best way to protect your most critical asset: your data.

A Security Specialist is an additional layer of service and support, trained to advise you in this new era of cybercrime. Our Security Specialists are dedicated to both customers and partners based on customer location.

Your Security Specialist can:

» Design a security solution customized to meet the needs of your business
» Provide full security assessments as well as demos and trials of our solutions
» Engage and manage any tech support, license or account management questions
» Provide the latest info on current threats
» Help select the right channel partner for your specific needs
» Provide you with the highest levels of personal service in the industry
» Develop a Cloud Security strategy
» Share product road maps and future release schedules
» Provide competitive pricing, references and free trial copies upon request

Contact an iSheriff Security Specialist today at www.isheriff.com/specialist


About iSheriff

iSheriff is the leading provider of content and endpoint security from the cloud. We keep organizations and individuals safe from cybercrime, malware and digital threats. Thousands of businesses across a wide array of industries have deployed our solutions, including some of the most sophisticated buyers of security technology worldwide. iSheriff has operations in New York, California, Ireland and Asia.

Free Trial

iSheriff’s services can be easily and freely evaluated. Just provide us with some simple details via an online sign-up form and we can have a free 15-day trial of iSheriff Cloud Security up and running for you within 24 hours. There is no obligation to subscribe and it is quick and easy to disconnect the service if you don’t wish to continue.

Sign up now at www.isheriff.com/cloudtrial

iSheriff Resources

CLOUD SECURITY OVERVIEW - www.isheriff.com/cloud
CUSTOMER CASE STUDIES - www.isheriff.com/resources
FREE TRIAL - www.isheriff.com/cloudtrial
WHITEPAPERS - www.isheriff.com/resources
SECURITY SPECIALISTS - www.isheriff.com/specialist
CUSTOMER SUPPORT - www.isheriff.com/support
OFFICE LOCATIONS - www.isheriff.com/contact
