
HIPAA Security Standards






Presentation Transcript


  1. HIPAA Security Standards What’s happening in your office?

  2. Agenda
  • Industry Statistics
  • Review Rules
  • Assessment - What needs to be done?
  • Physical and Technical Safeguards
  • Technical terminology
  • Next Steps
  • Questions – Open Discussion

  3. Statistics

  4. Statistics

  5. IT security will always be a balancing act between risk and cost.

  6. Security Standards Required or Addressable

  7. HIPAA Security Standards
  • Administrative Safeguards (55%)
    • 12 required, 11 addressable
  • Physical Safeguards (24%)
    • 4 required, 6 addressable
  • Technical Safeguards (21%)
    • 4 required, 5 addressable
  The final rule has been modified to increase flexibility as to how protection is accomplished.

  8. Addressable Implementation Specifications
  • Covered entities must assess if an implementation specification is reasonable and appropriate based upon factors such as:
    • Risk analysis and mitigation strategy
    • Costs of implementation
    • Current security controls in place
  • Key concept: “reasonable and appropriate”
  • Cost is not meant to free covered entities from their security responsibilities

  9. Addressable Implementation Specifications
  “In meeting standards that contain addressable implementation specifications, a covered entity will ultimately do one of the following:
  a. Implement one or more of the addressable implementation specifications;
  b. Implement one or more alternative security measures;
  c. Implement a combination of both; or
  d. Not implement either an addressable implementation specification or an alternative security measure.”
  Must document!

  10. Administrative Safeguards

  11. Physical Safeguards

  12. Technical Safeguards

  13. Terminology
  Security
  • Refers to techniques for ensuring that data stored in a computer cannot be read or compromised. Most security measures involve data encryption and passwords. Data encryption is the translation of data into a form that is unintelligible without a deciphering mechanism. A password is a secret word or phrase that gives a user access to a particular program or system.
  Firewall
  • A system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in both hardware and software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.

  14. Terminology
  There are several types of firewall techniques:
  • Packet filter: Looks at each packet entering or leaving the network and accepts or rejects it based on user-defined rules. Packet filtering is fairly effective and transparent to users, but it is difficult to configure. In addition, it is susceptible to IP spoofing.
  • Application gateway: Applies security mechanisms to specific applications, such as FTP and Telnet servers. This is very effective, but can impose a performance degradation.
  • Circuit-level gateway: Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.
  • Proxy server: Intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses.
  • In practice, many firewalls use two or more of these techniques in concert.
  • A firewall is considered a first line of defense in protecting private information. For greater security, data can be encrypted.
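As an added illustration (not part of the presentation), the following Python models two of the techniques the slide names: a stateless packet filter that judges every packet against user-defined rules, and a circuit-level gateway that decides only when a connection is established and then passes later packets of that connection without re-checking. The internal address range, the rule set and the sample packets are constructed; the first rule shows the kind of anti-spoofing check a packet filter needs because it otherwise trusts the claimed source address.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")  # constructed: the practice's internal range


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int
    iface: str      # "ext": arrived from the Internet, "int": arrived from the LAN
    syn: bool = False  # TCP connection-setup flag


# Stateless packet filter: every packet is checked; first matching rule wins.
def packet_filter(pkt, rules, default="reject"):
    for match, decision in rules:
        if match(pkt):
            return decision
    return default


# Constructed user-defined rules. The anti-spoofing rule comes first: a packet
# arriving from the Internet must not claim an internal source address.
RULES = [
    (lambda p: p.iface == "ext" and ip_address(p.src) in INTERNAL, "reject"),
    (lambda p: p.proto == "tcp" and p.dport == 443, "accept"),
    (lambda p: p.iface == "int" and p.proto == "udp" and p.dport == 53, "accept"),
]


# Circuit-level gateway: rules are applied only when a connection is set up;
# packets belonging to an established connection flow without further checking.
class CircuitGateway:
    def __init__(self, rules):
        self.rules = rules
        self.established = set()

    def handle(self, pkt):
        key = (pkt.src, pkt.dst, pkt.proto, pkt.dport)
        if key in self.established:
            return "accept"              # known circuit: no per-packet rule check
        if pkt.proto == "tcp" and not pkt.syn:
            return "reject"              # mid-stream TCP packet with no circuit
        decision = packet_filter(pkt, self.rules)
        if decision == "accept":
            self.established.add(key)    # remember the circuit
        return decision
```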

  15. Terminology
  VPN
  • Short for virtual private network, a network that is constructed by using public wires to connect nodes. For example, there are a number of systems that enable you to create networks using the Internet as the medium for transporting data. These systems use encryption and other security mechanisms to ensure that only authorized users can access the network and that the data cannot be intercepted.
  Antivirus program
  • A utility that searches a hard disk for viruses and removes any that are found. Most antivirus programs include an auto-update feature that enables the program to download profiles of new viruses so that it can check for the new viruses as soon as they are discovered.
  Secure server
  • A Web server that supports any of the major security protocols, like SSL, that encrypt and decrypt messages to protect them against third-party tampering. Making purchases from a secure Web server ensures that a user's payment or personal information can be translated into a secret code that's difficult to crack. Major security protocols include SSL, SHTTP, PCT, and IPSec.

  16. Next Steps
  • Assign responsibility to one person
  • Conduct a risk analysis
  • Deliver security awareness in conjunction with privacy
  • Develop policies, procedures, and documentation as needed
  • Review and modify access and audit controls
  • Establish security incident reporting and response procedures

  17. Questions?

  18. Helpful sites:
  • www.hipaadvisory.com – Phoenix Health System
  • www.himss.org – Health Information Management Systems Society
  • www.sans.org/resources/policies/ – SysAdmin, Audit, Networks, Security Institute
  • www.hipaacomply.com – Beacon Partners
  • www.cms.gov/hipaa/ – Center for Medicare and Medicaid Services
  • www.aha.org – American Hospital Association
  • www.aamc.org/members/gir/gasp/ – Guidelines for Academic Medical Centers on Security and Privacy
  • http://dirm.state.nc.us.hipaa.hippa2002/security/security.html – North Carolina DHHS HIPAA
