THE HITECH ACT - THE TEETH AND CLAWS OF HIPAA

Academic year: 2021

Produced on behalf of New Net Technologies by Steve Broadhead, Broadband Testing

The HITECH Act - Some Background

The Health Information Technology for Economic and Clinical Health (HITECH) Act really does ‘up the ante’ for HIPAA enforcement.

In theory, health organizations have had to comply with the Health Insurance Portability and Accountability Act (HIPAA) since its introduction in 1996. Originally HIPAA was introduced by Congress to protect the health insurance rights of employees made redundant. Additional ‘Titles’ to the Act were introduced, including ‘Title 2’, which was designed to protect electronically stored data relating to patient health information, often referred to as ‘Protected Health Information’ (PHI).

The problem with HIPAA has been the broad interpretation adopted by many health-care providers and insurers. In fact, many providers require the waiver of HIPAA rights as a condition of service. This has undoubtedly resulted in a varying degree of adoption among providers leaving many unsure as to whether they are or are not considered compliant. But how could you blame them? The requirements aren’t specific and there has been little enforcement to speak of.

What is the Impact of HITECH on HIPAA?

The HITECH Act, as part of the American Recovery and Reinvestment Act, aims to change all that with increased penalties for non-compliance.

A breach that exposes a patient’s confidential data could have serious and lasting consequences. Unlike credit cards, for example, which can be cancelled and changed if they are exposed, health care records can’t just be changed or reset. According to data from Forrester Research, criminals are increasingly targeting health care organizations. For security teams within health organizations, HITECH’s increased penalties may well assist in the justification of funding needed to shore up security and compliance projects that may otherwise have languished under the previously ambivalent and poorly defined HIPAA enforcement.

It is open to debate how the federal government will audit compliance with HIPAA’s security requirements from here on in, but HITECH widens the number of enforcers by giving State Attorneys General the ability to file federal civil action for harmful disclosures of protected health information (PHI).

There are already cases of lawsuits underway for alleged HIPAA violations due to exposed or breached PHI, likely to end with heavy financial compensation payments being ordered.


Some Good News...

Like all things in life there’s usually a process to follow, and HIPAA and HITECH are no different. The main headings that will need to be addressed are:

• Administrative Safeguards – specifically, written evidence of measures adopted to ensure compliance. Internal auditing, in particular change management processes, approvals and documentation, to provide evidence that systems and processes are properly governed.

• Physical Safeguards – including access controls, to restrict and control access to equipment containing PHI. This will include the use of firewalls and intrusion protection technology, with a particular focus on workstation and mobile/remote worker security.

• Technical Safeguards – configuration ‘hardening’, to ensure that known threats and vulnerabilities are eliminated from all systems, with a zealous patch management process combined with anti-virus technology, regularly tested and verified as secure. Strong monitoring for security incidents and events, with all event logs being securely retained, is also a key measure to safeguard IT system security.

Sounds Familiar...?

In fact, the scope of the standard is quite similar in respect of its approach and its measures to the PCI DSS (The Payment Card Industry Data Security Standard), which is another security standard all healthcare providers will now be familiar with.

The PCI DSS is concerned with the secure governance of payment card data, and applies to any ‘card merchant’, i.e. an organization handling payment card transactions.

Therefore it makes sense to consider measures for HIPAA compliance in the context of PCI DSS also, since the same technology that helps deliver HIPAA compliance should be relevant for PCI DSS. Or, to put it another way, compliance with one will significantly assist compliance with the other.


What Do NNT Provide?

• Event log messages forwarded from hosts/devices

• Security incidents and key events correlated and alerted

• Any breach of compliance rules reported, including file integrity changes

• All platforms and environments supported, all devices and appliances

• Devices are also tracked for configuration changes

• Planned changes and all unplanned changes are detected

• Device hardening templates can be applied for all security and governance policies, providing a fast compliance audit of all devices

Conclusion - The NNT View

The HITECH Act brings with it a renewed focus for HIPAA and places the onus for secure governance of patient data back with the healthcare and insurance providers. However, this initiative should be embraced, not just because there is additional legislation behind it, but because the potential cost of losing the trust of your customers and patients as a result of a security breach would be more devastating than any fine or lawsuit.

NNT can help: using our Change Tracker Enterprise and Log Tracker Enterprise solution set will provide a complete set of measures to ensure you are provenly secure for HIPAA compliance.

NNT HIPAA Compliance solutions cover the following:

• configuration hardening

• change management

• event log correlation

• file integrity monitoring

NNT Change Tracker and Log Tracker Enterprise - Compliance Clarified

• Audit Configuration Settings – the core function of NNT Change Tracker Enterprise is to first understand how your IT estate is configured.

• Compare Audited Settings Against Policy – configuration settings are assessed for compliance with any policy or standard relevant to your organization, and deviations are highlighted.

• Continuously Monitor Configuration Settings – configuration attributes are then monitored continuously for all changes, both from a compliance standpoint and from a general change management/control standpoint.

• Change Management Process Underpinned – authorized changes which have been approved via the formal change management process are reconciled with the original RFC to ensure the correct changes were implemented accurately.
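The four-step cycle just described (audit the configured state, compare it against policy, detect changes, reconcile each change with the approved RFC) as an added Python example; this is not NNT's code and the file contents, policy rules and RFC entries are constructed sample data, with SHA-256 digests standing in for the tracked attributes:

```python
import hashlib

# Constructed sample data (not from NNT or any real host): the settings recorded
# at the last audit, the settings found now, the policy, and the approved RFC.
BASELINE_FILES = {
    "/etc/ssh/sshd_config": "PermitRootLogin no\nPasswordAuthentication yes\n",
    "/etc/audit/auditd.conf": "max_log_file_action = keep_logs\n",
}
CURRENT_FILES = {
    "/etc/ssh/sshd_config": "PermitRootLogin no\nPasswordAuthentication no\n",
    "/etc/audit/auditd.conf": "max_log_file_action = rotate\n",
}
# Policy: (path, line that must be present in that file).
POLICY = [
    ("/etc/ssh/sshd_config", "PermitRootLogin no"),
    ("/etc/ssh/sshd_config", "PasswordAuthentication no"),
    ("/etc/audit/auditd.conf", "max_log_file_action = keep_logs"),
]

def digest(content: str) -> str:
    """SHA-256 of a file's content: the attribute tracked per file."""
    return hashlib.sha256(content.encode()).hexdigest()

def snapshot(files: dict) -> dict:
    """Audit step: record a digest for every tracked file (path -> sha256)."""
    return {path: digest(body) for path, body in files.items()}

def check_policy(files: dict, policy: list) -> list:
    """Compare audited settings against policy; return the rules not met."""
    return [(path, line) for path, line in policy
            if line not in files.get(path, "").splitlines()]

def reconcile(baseline: dict, current: dict, rfc: dict) -> dict:
    """Classify every change since the baseline: a change whose new digest
    matches the RFC's approved post-change digest is planned, else unplanned."""
    planned, unplanned = [], []
    for path in sorted(set(baseline) | set(current)):
        if baseline.get(path) == current.get(path):
            continue
        (planned if rfc.get(path) == current.get(path) else unplanned).append(path)
    return {"planned": planned, "unplanned": unplanned}

# The RFC approved exactly one change: the sshd_config hardening.
RFC_APPROVED = {"/etc/ssh/sshd_config": digest(CURRENT_FILES["/etc/ssh/sshd_config"])}

def run_audit() -> dict:
    """Run the cycle: policy violations now, and which changes were authorized."""
    return {"violations": check_policy(CURRENT_FILES, POLICY),
            "changes": reconcile(snapshot(BASELINE_FILES), snapshot(CURRENT_FILES), RFC_APPROVED)}
```

The auditd change is reported twice, as an unplanned change and as a policy deviation, which is the case an auditor would expect to see escalated.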

About NNT

NNT build the world’s best solutions for tracking and managing change, managing and protecting users, maintaining system performance and ensuring availability across the entire enterprise. Understanding and managing the day-to-day changes within your environment is critical to establishing and maintaining reliable service. NNT solutions are affordable and easy to use. NNT help you establish and maintain a ‘known and compliant’ state for your IT systems. Including: PC,
