This document provides an overview of the key aspects of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules. It discusses who and what organizations are affected by HIPAA, the standards it sets for electronic health information transactions, and the penalties for non-compliance. It also summarizes the requirements of the HIPAA Privacy Rule regarding use and disclosure of protected health information and the HIPAA Security Rule regarding safeguarding electronic protected health information.
1. HIPAA - Privacy & Security in Health Care IT
Ray Trygstad
ITM 478/578, Spring 2004
Illinois Institute of Technology, Master of Information Technology & Management Program, Center for Professional Development
Transforming Lives. Inventing the Future. www.iit.edu

2. Learning Objectives
Upon completion of this lesson the student should be able to:
– Discuss information security implications of the Health Insurance Portability and Accountability Act (HIPAA)
– Discuss information security impact of the HIPAA Privacy Rule
– Describe key components and implementation of the HIPAA Security Rule

3. What is HIPAA?
Health Insurance Portability and Accountability Act (HIPAA)
– Signed into law August 1996
Part of this Act, Administrative Simplification, intends to reduce administrative costs and burdens in the health care industry
Requires Department of Health and Human Services to adopt national uniform standards for electronic transmission of certain health information

4. Who is Affected? (“covered entities”)
All healthcare organizations
All health care providers (even 1-physician offices)
Health plans
Employers
Public health authorities
Life insurers
Clearinghouses
Billing agencies
Information systems vendors
Service organizations
Universities with health care curricula or even just student health services
Anyone that transmits any health information in electronic form in connection with healthcare transactions

5. Standards for Electronic Transactions
Standards for electronic health information transactions
Within 18 months HHS Secretary required to adopt standards from among those already approved by standards organizations for certain electronic health transactions including:
– Claims
– Enrollment
– Eligibility
– Payment
– Coordination of benefits
Standards also must address security of electronic health information systems.

6. (18 Months?)
It’s now been six years and standards are still not fully in place!
Will not go into full effect until 2005!
(Isn’t government wonderful?)

7. More on the HIPAA Bill
Providers and health plans required to use standards for specified electronic transactions 24 months after adoption
Plans and providers may comply directly or use a health care clearinghouse
HIPAA supersedes state laws except state laws that impose more stringent requirements
HIPAA imposes civil money penalties and prison for certain violations

8. Penalties for Violations
Fines up to $25,000 for multiple violations of the same standard in a calendar year
Fines up to $250K and/or imprisonment up to 10 years for knowing misuse of individually identifiable health information
!!!

9. HIPAA Privacy
HIPAA Privacy Rule went into effect in April 2003
Restricts how covered entities may use and disclose individually identifiable health information
Requires security for such data
Grants individuals certain rights to access and correct their personal health information

10. HIPAA Privacy Requirements
HIPAA requires covered entities to:
– Have written privacy procedures, including
• Description of staff granted access to protected information
• How it will be used
• When it may be disclosed
• Business associates (including IT vendors!) with access to protected information must agree to same limitations on use and disclosure of that information
– Train employees in privacy procedures
– Designate someone responsible for ensuring procedures are followed (the “HIPAA czar”)

11. HIPAA Privacy Requirements
Rule permits covered entities to disclose health information for specific public responsibilities:
– emergency circumstances
– identification of the body of a deceased person, or the cause of death
– public health needs
– research with limited data or independently approved by a Review Board or privacy board
– oversight of the health care system
– judicial and administrative proceedings
– limited law enforcement activities
– activities related to national defense and security
Equivalent requirements exist for Government

12. HIPAA Security Rule
First government-mandated framework for an information security policy covering non-governmental entities
Published in February 2003
Covered entities (CEs) must be in compliance April 21, 2005
Portions of Security Rule that implement the Privacy Rule were effective last April

13. HIPAA Security Rule
Covered entities required to observe Privacy Rule requirements with respect to all Patient Health Information (PHI) in any form, electronic or not, but the Security Rule only applies to PHI in electronic form

14. Requirements of HIPAA Security Rule
Maintain reasonable & appropriate administrative, technical and physical safeguards to
– Ensure the integrity and confidentiality of information
– Protect against
• any reasonably anticipated threats or hazards to the security or integrity of the information
• unauthorized uses or disclosures of the information, i.e. any reasonably anticipated uses or disclosures not permitted by Privacy Rule
– Otherwise ensure compliance with this part by officers & employees

15. Three Categories of Safeguards
The rule outlines 3 categories of safeguards to establish a minimum level of protection:
– Administrative safeguards
– Physical safeguards
– Technical safeguards

16. Three Categories of Safeguards
Administrative safeguards: Ensures that formal policies for overseeing implementation and management of security measures are established and implemented
Physical safeguards: Ensures facilities where electronic information systems are stored are protected from intrusions and other hazards
Technical safeguards: Ensures only authorized access to electronic personal health information is permitted, through implementation of firewalls, passwords, and other measures

17. Principles of the Security Rule
Scalability
– Any size healthcare entity must be able to comply with the rule
Comprehensiveness
– Meant to result in a unified system of protection for PHI
– CEs must use a defense in depth security approach
Technology neutral
– No specific technology recommendations (e.g., specific type of firewall, IDS, access control system).
– Each CE must choose appropriate technology to protect PHI.

18. Principles of the Security Rule
Internal and external security threats
– Must protect PHI against both internal and external threats
Minimum standard
– Defines the least that CEs must do to protect PHI (they may choose to do more)
Risk analysis
– Requires CEs to conduct thorough & accurate risk analysis that considers “all relevant losses” that would be expected if specific security measures are not in place
– “Relevant losses” include losses caused by unauthorized use and disclosure of data and unauthorized modification of data

19. Security Rule Key Concepts
Principle based
– Presents a series of security best practices and principles with which CEs must comply
– Step by step checklists not provided
Reasonableness
– CEs must do everything appropriate to avert all reasonably anticipated risks to PHI
– CEs must balance resources and business requirements against risks to PHI
Full compliance
– All CE staff, including management and those working at home, must comply

20. Security Rule Key Concepts
Developed from multiple security guidelines and standards
– Those creating the rule found no existing single security standard or best practice that described how to comprehensively protect PHI
– Therefore the rule is based on many different security guidelines, standards, and best practices
Documentation
– CEs must document a variety of security processes, policies, and procedures
– CEs must document Security Rule implementation decisions
Ongoing compliance
– CEs must regularly train employees
– CEs must revise security policies and procedures as needed

21. Standards & Specifications
Rule breaks down into 18 standards and 36 implementation specifications
A standard explains what a CE must do
An implementation specification explains how to do it
12 standards have associated implementation specifications; 6 do not
14 implementation specifications are required; 22 are addressable

22. Requirements & Structure
Requirements (Physical, Administrative, Technical Safeguards)
– Standards with Implementation Specifications (12)
• Implementation Specifications: Required (14), Addressable (22)
– Standards without Implementation Specifications (6)
Source: Weil, Steven, HIPAA Consensus Research Project, SANS Institute, 2003; http://www.sans.org/projects/hipaa.php

23. Required and Addressable
Required specifications are, well, required and must be implemented
Addressable implementation specifications leave CEs with three possible choices
– Implement specification if reasonable and appropriate
– Implement an alternative security measure to accomplish purposes of the standard
– Implement nothing if specification is not reasonable & appropriate and the standard can still be met

24. Addressable Specification Choices
If implementation specification is reasonable & appropriate, CE must implement it
If implementation specification not reasonable & appropriate, but standards cannot be met without an appropriate security measure, CE must
– Document why it would not be reasonable & appropriate to implement
– Implement & document alternative security measure(s) that accomplishes the same purpose

25. Addressable Specification Choices
If implementation specifications not reasonable & appropriate, but standards can be met without an appropriate security measure, CE must
– Document decision not to implement
– Document why it would not be reasonable & appropriate to implement
– Document how the standard is being met

26. Addressable Specification Choices
Factors to take into account when deciding how to respond to addressable specifications:
– Size, complexity, & capabilities of the organization
– Existing technical infrastructure, hardware, and software security capabilities
– Costs of security measures
– Likelihood & seriousness of potential risks to PHI

27. Implementing HIPAA
Specifications can be implemented in any order, as long as standards are met by the deadline
May use any security measures allowing the CE to reasonably and appropriately implement the rule

29. Administrative Safeguards
Security management process
– Risk analysis (R)
– Risk management (R)
– Sanction policy (R)
– Information system activity review (R)
Assigned security responsibility
– One individual (not an organization) with responsibility (R)

30. Risk Assessment / Analysis
Each CE must:
– Assess security risks
– Determine risk tolerance or risk aversion
– Devise, implement, and maintain appropriate security to address business requirements
• Does not imply that organizations are given complete discretion to make their own rules
– Document security decisions

31. Assigned Security Responsibility
Chief Information Security Officer (CISO) or Information Security Officer (ISO)
Large organizations may have site-security coordinators working with CISO/ISO
Security standards extend to CE employees even if they work at home, as do many transcriptionists

33. Workforce Security
Authorization controls verify identity of employees permitted to access PHI
Clearance procedure describes types of background checks that will be conducted for employees
Termination procedures include collecting access control devices or changing door locks, etc.

34. Administrative Safeguards
Security Awareness and Training
– Security Reminders (A)
– Protection from Malicious Software (A)
– Log-in Monitoring (A)
– Password Management (A)
Security Incident Procedures
– Response and Reporting (R)

35. Administrative Safeguards
Contingency Plan
– Data Backup Plan (R)
– Disaster Recovery Plan (R)
– Emergency Mode Operation Plan (R)
– Testing and Revision Procedure (A)
– Applications and Data Criticality Analysis (A)

36. Awareness & Training
“Security awareness training is a critical activity, regardless of an organization’s size.”
Training, Education and Awareness (TEA)
– Awareness training for all personnel (including management)
– Periodic security reminders
– User education concerning virus protection
– User education in importance of monitoring login success or failure, and how to report discrepancies
– User education in password management

37. Security Incident Procedures
Provides methods for users to report unusual security occurrences or breaches of patient confidentiality
Goals:
– Identify
– Contain
– Correct
– Prevent

38. Administrative Safeguards
Evaluation
– Periodic review of technical controls and procedural review of the security program
Business Associate contracts
– Written Contract or Other Arrangement (R)
• Identify business associates who receive or have access to PHI
• Tie efforts with Privacy initiative
• Establish rules for vendor remote access

39. Physical Safeguards
Facility Access Controls
– Contingency operations (A)
– Facility Security Plan (A)
– Access Control and Validation Procedures (A)
– Maintenance Records (A)
Workstation Use
– Includes portable devices

40. Facility Access Control
Goal is to protect buildings, systems, and data media from natural and environmental hazards and unauthorized access or intrusions
Ensure records are kept of all maintenance, especially locksmith work

41. Physical Safeguards
Workstation Security
Device and Media Controls
– Disposal (R)
– Media re-use (R)
– Accountability (A)
– Data backup and Storage (A)

42. Workstation Use & Security
Both standards could be covered in one policy
Ensure workstation locations will not allow casual viewing by unauthorized personnel
Audit systems to ensure all PCs/laptops have latest version of virus definitions installed

43. Device & Media Controls
“Device” was included to address storage devices such as PDAs
Media re-use requires sanitization of media using DOD-style standards (overwriting an entire disk with ones and zeros repeatedly)

44. Technical Safeguards
Access Control
– Unique user identification (R)
– Emergency access procedure (R)
– Automatic logoff (A)
– Encryption and decryption (A)
Audit Controls

45. Technical Safeguards
Integrity
– Mechanism to Authenticate Electronic PHI (A)
Person or entity authentication
Transmission security
– Integrity controls (A)
– Encryption (A)

46. Access Control
Unique user identification for accountability is critical for clinical applications
– Disallows use of Windows 98/ME (weak user identification & controls)
Automatic logoff permits an equivalent measure to restrict access (Password protected screen saver? XP user switching?)
Encryption serves as an access control method for data at rest

47. Audit Controls
Risk assessment and analysis can be used to determine necessary intensity of audit trails
Audit trail trigger events must be jointly determined by the data owners and the Privacy and Security Officers
Store audit logs on a separate server
Do not allow system administrator access to audit logs
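The audit-control points above (agreed trigger events, logs kept away from the administrators of the audited system) can be backed by a tamper-evident log. What follows is an added example, not code from the lecture or from any HIPAA guidance: a Python HMAC-chained audit trail for e-PHI access events in which every record is bound to its predecessor, so later modification, deletion or re-ordering of an earlier record is detected at verification time. The key, the event names and the sample events are constructed for the demo.

```python
"""Tamper-evident audit trail for e-PHI access events (added example).

Each record carries an HMAC-SHA256 tag over its own content and the previous
record's tag. Editing, deleting or re-ordering an earlier record breaks the
chain, so a verifier on the separate audit server can detect it.
"""
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo key (assumption). In deployment the key is held by the
# separate audit server, never by the system whose administrators are audited.
AUDIT_KEY = b"constructed-demo-key-not-for-production"

# Hypothetical trigger events; the slides say these must be agreed between the
# data owners and the Privacy and Security Officers but do not enumerate them.
TRIGGER_EVENTS = {"phi.view", "phi.update", "phi.export", "login.failure"}

GENESIS_TAG = "0" * 64  # previous tag for the first record


def _tag(prev_tag: str, payload: str) -> str:
    """HMAC over previous tag || payload; binds each record to its predecessor."""
    msg = prev_tag.encode() + b"\n" + payload.encode()
    return hmac.new(AUDIT_KEY, msg, hashlib.sha256).hexdigest()


def append_event(log: list, user: str, event: str, record_id: str, ts=None):
    """Append a chained record for a trigger event; non-trigger events return None."""
    if event not in TRIGGER_EVENTS:
        return None
    ts = ts or datetime.now(timezone.utc).isoformat()
    body = {"seq": len(log), "ts": ts, "user": user, "event": event, "record": record_id}
    payload = json.dumps(body, sort_keys=True)  # canonical form for the MAC
    prev = log[-1]["tag"] if log else GENESIS_TAG
    body["tag"] = _tag(prev, payload)
    log.append(body)
    return body


def verify_chain(log: list):
    """Return (ok, first_bad_seq); recomputes every tag from the genesis value.

    Catches edits (payload changes), deletions and re-ordering (sequence gap or
    predecessor mismatch). Truncating the tail is only caught if the latest tag
    is also recorded off-host, which is the point of the separate audit server.
    """
    prev = GENESIS_TAG
    for i, rec in enumerate(log):
        body = {k: v for k, v in rec.items() if k != "tag"}
        if body.get("seq") != i:
            return False, i
        payload = json.dumps(body, sort_keys=True)
        if not hmac.compare_digest(_tag(prev, payload), rec["tag"]):
            return False, i
        prev = rec["tag"]
    return True, None


def demo():
    """Constructed scenario: an intact log, an edited record, and a deleted record."""
    log = []
    append_event(log, "dr.smith", "phi.view", "MRN-0001", ts="2004-04-21T10:00:00+00:00")
    append_event(log, "dr.smith", "phi.update", "MRN-0001", ts="2004-04-21T10:05:00+00:00")
    append_event(log, "clerk.j", "phi.export", "MRN-0042", ts="2004-04-21T10:30:00+00:00")
    intact = verify_chain(log)

    # An administrator rewrites the export entry after the fact.
    tampered = [dict(r) for r in log]
    tampered[2]["user"] = "nobody"

    # The update entry is silently removed.
    deleted = [log[0], log[2]]

    return intact, verify_chain(tampered), verify_chain(deleted)


if __name__ == "__main__":
    print(demo())
```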

48. Transmission Security
“…When electronic protected health information is transmitted from one point to another, it must be protected in a manner commensurate with the associated risk.”
There is no simple, interoperable solution to encrypting e-mail containing PHI; hopefully HIPAA compliance will drive better solutions

49. Organizational Requirements
Business Associate (BA) Agreements
– Contractual agreements required before BAs can access PHI
– BAs must follow HIPAA Business Associate rules (next slide)
– Applies to subcontractors of BAs as well
A CE may require a business associate to meet even higher security standards

50. Rules for Business Associates
Implement safeguards that reasonably and appropriately protect the confidentiality, integrity and availability of PHI they access on behalf of the CE
Ensure that anyone else to whom they provide PHI agrees to implement reasonable and appropriate safeguards
Report any security incident to the CE

51. Rules for Business Associates
Make policies, procedures and required documentation relating to the safeguards available to HHS to determine CE compliance with the security rule
Authorize termination of the BA contract by the CE if the CE determines that the BA has violated a material term of the contract

52. Policy & Procedure Documentation
Implement reasonable and appropriate policies and procedures
Documentation
– Retain documents for 6 years
– Make documents available
– Review and update documentation periodically

53. Resources
Works used in the preparation of this lecture:
– Beaver, Kevin (2003). HIPAA Security Rule FAQ. Principle Logic. http://www.principlelogic.com/docs/HIPAA_Security_Rule_FAQ.pdf
– Birnbach, Deborah S. and Gametchu, Mayeti (2003). “How HIPAA's security rule could affect IT.” Computerworld, April 30, 2003. http://www.computerworld.com/securitytopics/security/story/0,10801,80816,00.html
– Higher Education Information Technology (HEIT) Alliance (undated). Privacy. http://www.heitalliance.org/issues/privacy.asp
– Hollander, Jay (2003). Medical Privacy: Understanding HIPAA's Security Rule. http://www.gigalaw.com/articles/2003-all/hollander-2003-04-all.html
– New Hampshire Developmental Disabilities Services System, Information Technology Initiatives (undated). HIPAA Overview. http://www.nhdds.org/nhddsit/HIPAA/overview.html
– Walsh, Tom (2001). Developing an Effective Information Security Training and Awareness Program. Healthcare Computing Strategies, Inc. http://www.himss.org/content/files/proceedings/2001/workshop/wslides/wksll.pdf
– Walsh, Tom (2003). HIPAA Security: Complying with the HIPAA Security Rule Implementation Specifications – Are you Correctly Addressing Them? (PowerPoint presentation). Tom Walsh Consulting LLC.
– Weil, Steven (2003). HIPAA Consensus Research Project. The SANS Institute. http://www.sans.org/projects/hipaa.php