
Final HIPAA Security Rule

Tom Walsh, CISSP. Senior Consultant, E-Security. Certified Information System Security Professional. Invited speaker at national HIPAA conferences. Emphasis on HIPAA security implementation. Former Information Security Manager for large healthcare system in Kansas City. DOE-certified safeguards and security instructor.


Presentation Transcript


    1. Final HIPAA Security Rule
        Tom Walsh, CISSP

    2. Tom Walsh, CISSP
        - Senior Consultant, E-Security
        - Certified Information System Security Professional
        - Invited speaker at national HIPAA conferences
        - Emphasis on HIPAA security implementation
        - Former Information Security Manager for large healthcare system in Kansas City
        - DOE-certified safeguards and security instructor

    4. Session Objectives
        - Provide an overview of the final HIPAA Security Rule
        - Explain changes between the proposed rule and the final rule
        - Review key concepts and terminologies employed
        - Discuss benefits and impacts
        - Discuss next steps toward compliance
        - Provide an opportunity for questions

    6. Security Rule Timeline
        - Originally posted to the Federal Register on August 12, 1998
        - Rule was sent to the Office of Management and Budget (OMB) on January 13, 2003
        - Published in the Federal Register on February 20
        - Compliance by April 21, 2005
        - An extra year for small payers (below $5 million): April 2006

    7. Security Rule Sections
        - §164.103 and §164.304 – Definitions
        - §164.105 – Organizational requirements: "Health care component" and "Affiliated covered entities"
        - §164.306 – Security Standards: General Rules
        - §164.308 – Administrative safeguards
        - §164.310 – Physical safeguards
        - §164.312 – Technical safeguards
        - §164.314 – Organizational requirements
        - §164.316 – Policies and procedures and documentation requirements
        - §164.318 – Compliance dates

    8. Comparison of Rules – Old vs. New Terminology
        Old (proposed rule)                 New (final rule)
        “24 Requirements”                   “18 Standards”
        “69 Implementation Features”        “42 Implementation Specifications”
                                            (of which “20 Required” and “22 Addressable”)

    9. Administrative

    10. Physical

    11. Technical

    12. Comparison of Rules
        - Old Proposed Rule – Section headings, Requirements and Implementation Features were listed in alphabetical order so as not to imply the importance of one requirement over another
        - New Final Rule – Standards and Implementation Specifications are grouped in a logical order within each of the three areas: Administrative, Physical and Technical Safeguards

    13. Other Changes
        - Removes the electronic signature standards
        - Incorporates standards that parallel those in the Privacy Rule, thus helping organizations meet a number of the security standards through the implementation of the Privacy Rule
        - Covers only electronic protected health information (more limited than the Privacy Rule)
        - Requires a minimum level of documentation that must be periodically updated to reflect current practices

    14. HIPAA Security Standards
        - Are based upon good business practices
        - Basic concepts:

    16. HIPAA Security Standards
        - Administrative Safeguards (55%): 12 Required, 11 Addressable
        - Physical Safeguards (24%): 4 Required, 6 Addressable
        - Technical Safeguards (21%): 4 Required, 5 Addressable

    17. Administrative Safeguards

    18. Administrative Safeguards (R = Required, A = Addressable)
        Security Management Process
            - Risk Analysis (R)
            - Risk Management (R)
            - Sanction Policy (R)
            - Information System Activity Review (R)
        Assigned Security Responsibility
        Workforce Security
            - Authorization and/or Supervision (A)
            - Workforce Clearance Procedure (A)
            - Termination Procedures (A)

    19. Administrative Safeguards
        Information Access Management
            - Isolating Healthcare Clearinghouse Function (R)
            - Access Authorization (A)
            - Access Establishment and Modification (A)
        Security Awareness and Training
            - Security Reminders (A)
            - Protection from Malicious Software (A)
            - Log-in Monitoring (A)
            - Password Management (A)
        Security Incident Procedures
            - Response and Reporting (R)

    20. Administrative Safeguards
        Contingency Plan
            - Data Backup Plan (R)
            - Disaster Recovery Plan (R)
            - Emergency Mode Operation Plan (R)
            - Testing and Revision Procedure (A)
            - Applications and Data Criticality Analysis (A)
        Evaluation
        Business Associate Contracts and Other Arrangements
            - Written Contract or Other Arrangement (R)

    21. Physical Safeguards

    22. Physical Safeguards
        Facility Access Controls
            - Contingency Operations (A)
            - Facility Security Plan (A)
            - Access Control and Validation Procedures (A)
            - Maintenance Records (A)
        Workstation Use
        Workstation Security
        Device and Media Controls
            - Disposal (R)
            - Media Re-use (R)
            - Accountability (A)
            - Data Backup and Storage (A)

    23. Technical Safeguards

    24. Technical Safeguards
        Access Control
            - Unique User Identification (R)
            - Emergency Access Procedure (R)
            - Automatic Logoff (A)
            - Encryption and Decryption (A)
        Audit Controls
        Integrity
            - Mechanism to Authenticate Electronic PHI (A)
        Person or Entity Authentication
        Transmission Security
            - Integrity Controls (A)
            - Encryption (A)

    26. Risk Analysis
        - “The most appropriate means of compliance for any covered entity can only be determined by that entity assessing its own risks and deciding upon the measures that would best mitigate those risks”
        - Does not imply that organizations are given complete discretion to make their own rules
        - Organizations determine their own technology choices to mitigate their risks

    27. Addressable Implementation Specifications
        - Covered entities must assess whether an implementation specification is reasonable and appropriate based upon factors such as:
            - Risk analysis and mitigation strategy
            - Current security controls in place
            - Costs of implementation
        - Key concept: “reasonable and appropriate”
        - Cost is not meant to free covered entities from their security responsibilities

    28. Addressable Implementation Specifications
        “In meeting standards that contain addressable implementation specifications, a covered entity will ultimately do one of the following:
            - Implement one or more of the addressable implementation specifications;
            - Implement one or more alternative security measures;
            - Implement a combination of both; or
            - Not implement either an addressable implementation specification or an alternative security measure.”

    29. Other Concepts
        - Security standards extend to the members of a covered entity’s workforce even if they work at home, such as transcriptionists
        - Security awareness and training is a critical activity, regardless of an organization's size
        - Evaluation – Periodic review of technical controls and procedural review of the entity’s security program
        - Documentation Retention – Six years from the date of its creation or the date when it last was in effect, whichever is later

    31. Terminologies Removed
        - Formal – Was used to convey documentation rather than word-of-mouth
        - Breaches – Replaced by “security incident”
        - Open Networks – Now up to the entity to determine when to apply encryption (addressable because there is not a simple solution to encrypting e-mails with patients)

    32. Terminologies Clarified
        - System – "an interconnected set of information resources under the same direct management control that shares common functionality… includes hardware, software, information, data, applications, communications, and people."
        - Workstation – "an electronic computing device, for example, a laptop or desktop computer, or any other device that performs similar functions, and electronic media stored in its immediate environment."

    34. Benefits
        - Establishes a minimum baseline
        - Encourages the use of EDI (increased confidence in the reliability and confidentiality)
        - Promotes connectivity to provide availability of information
        - Reduces the risks and potential cost of a security incident versus the increase in costs of additional security controls for compliance

    35. Impacts – Responsibility
        - Responsibility must rest with one individual to ensure accountability
        - “More than one individual may be given specific security responsibilities, especially within a large organization, but a single individual must be designated as having the overall final responsibility for the security of the entity's electronic protected health information.”
        - Aligns the Security Rule with the Privacy Rule provisions concerning the Privacy Official

    36. Other Impacts
        - Impacts will be dependent upon the size, complexity, and capabilities of the covered entity
        - “Ensuring” protection does not mean providing protection, no matter how expensive
        - Balance between the information's identifiable risks and vulnerabilities, and the cost of various protective measures
        - Enforcement not defined in the rule

    38. Next Steps
        - Assign responsibility to one person
        - Conduct a risk analysis
        - Deliver security awareness in conjunction with privacy
        - Develop policies, procedures, and documentation as needed
        - Review and modify access and audit controls
        - Establish security incident reporting and response procedures
