Featured Article
This month's featured article wraps up our initial coverage of the HIPAA Security Rule ("SR"). It discusses a framework approach by which providers of all sizes can "attack" the SR. Let's be clear: a framework is not a cookbook solution (those do not exist for wicked problems) but rather a kind of map of the territory. Going forward, we will be laser focused on developing frameworks for meeting the challenges of the HITECH Act and its transformational impact on the HIPAA Regulations. These frameworks are intended to move an organization forward on the compliance continuum.
More in-depth coverage of our proposed frameworks will be provided in our HITECH Risk Management Webinar Series.
The World Health Care Congress Leadership Summit on HITECH and HIPAA Compliance Management for Providers
November 9 - 10, 2009, Alexandria, VA
Presenting strategic frameworks for the C-Suite and in-depth, tactical solutions for your IT and operations teams, this must-attend Summit will feature industry experts and key association think-tank leaders presenting solutions on how to expose risk, minimize liability, and maintain compliance in an environment of continual "HIT change." Save an extra $200.00 off the current rate with code BFX997 (not applicable on the gov't rate). To register, contact us at 800-767-9499.
Deciphering the Safe Harbor on Breach Notification
Healthcare organizations that want protection from the breach notification requirements should deploy data encryption. Encryption is the technology that the federal guidance, and many state laws, recognize as rendering data unusable, unreadable, or indecipherable to unauthorized individuals (the other recognized method, destruction of the media, is not an option for data still in use).
Encryption is often regarded as a complex technology that is difficult to implement. Modern software, however, has made it considerably easier to deploy and manage. One of the most important criteria for selecting an encryption solution is a centralized management console for the entire encryption platform. Such platforms cover many points of data protection: full-disk encryption, e-mail, files and folders, databases, and so on. Central management is the key to deploying and operating the solution successfully; the ability to change settings and policies and to review log files from a single location is also very important.
There are two types of encryption methods: symmetric (also called secret key) cryptography and public key (asymmetric) cryptography, the latter usually deployed with a supporting public key infrastructure (PKI). Symmetric methods use a single secret key for both encryption and decryption; in end-user products that key is typically derived from a password or passphrase. Public key methods use a key pair: the public key encrypts and only the matching private key decrypts. In practice the two are combined, with data encrypted under a symmetric key and that key in turn protected with public key cryptography, so both have a place in your encryption deployment strategy.
Care must be taken to ensure that management can decrypt data when an employee leaves or is terminated, or in the event of litigation. Inexpensive, off-the-shelf software can encrypt files or even whole hard drives, but if the only copy of the key lives with the individual user, the organization risks never recovering its critical data. Allowing the use of encryption software that lacks a key recovery (key escrow) feature is strongly discouraged.
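The following is an added illustration of the two points above, the combination of symmetric and public key methods and a built-in recovery path for management; it is example code written for this newsletter, not code from Experior or from any commercial encryption product. Each record is encrypted once under a random AES-256-GCM data key, and that data key is wrapped with RSA-OAEP for every party entitled to recover it: the user and the organization's recovery key. The function and type names (`Envelope`, `Encrypt`, `Decrypt`) and the sample ePHI string are assumptions constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Envelope is a constructed illustration of envelope encryption: the record is
// encrypted once under a random symmetric data key, and that data key is
// wrapped separately for every party allowed to recover it.
type Envelope struct {
	Nonce       []byte
	Ciphertext  []byte   // AES-256-GCM output (ciphertext followed by the tag)
	WrappedKeys [][]byte // data key wrapped with RSA-OAEP, one entry per recipient
}

// Encrypt seals plaintext for every public key in recipients. One of them
// should be the organization's recovery key, so the departure of the user
// never leaves the record unrecoverable.
func Encrypt(plaintext []byte, recipients []*rsa.PublicKey) (*Envelope, error) {
	if len(recipients) == 0 {
		return nil, errors.New("refusing to encrypt without at least one recipient")
	}
	dataKey := make([]byte, 32) // fresh AES-256 key for this record only
	if _, err := io.ReadFull(rand.Reader, dataKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dataKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	env := &Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}
	// Wrap the same data key once per recipient (user, management recovery key, ...).
	for _, pub := range recipients {
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, []byte("data-key"))
		if err != nil {
			return nil, err
		}
		env.WrappedKeys = append(env.WrappedKeys, wrapped)
	}
	return env, nil
}

// Decrypt tries each wrapped key with priv; any recipient's private key, the
// user's or management's, recovers the record. A key that was never a
// recipient cannot unwrap the data key and fails.
func Decrypt(env *Envelope, priv *rsa.PrivateKey) ([]byte, error) {
	for _, wrapped := range env.WrappedKeys {
		dataKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, wrapped, []byte("data-key"))
		if err != nil {
			continue // not wrapped for this key; try the next entry
		}
		block, err := aes.NewCipher(dataKey)
		if err != nil {
			return nil, err
		}
		gcm, err := cipher.NewGCM(block)
		if err != nil {
			return nil, err
		}
		// GCM authenticates the ciphertext, so tampering is detected here.
		return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	}
	return nil, errors.New("no wrapped key for this private key: not recoverable by this party")
}

func main() {
	user, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	recovery, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	// Constructed sample record; not real patient data.
	record := []byte("constructed sample ePHI: patient 0001, lab result pending")
	env, err := Encrypt(record, []*rsa.PublicKey{&user.PublicKey, &recovery.PublicKey})
	if err != nil {
		panic(err)
	}
	// The departed user's private key is no longer available; management's
	// recovery key still opens the record.
	out, err := Decrypt(env, recovery)
	fmt.Printf("recovered by management: %q (err=%v)\n", out, err)
}
```

A product with "encryption recovery features" is doing some version of this: the recovery key is held by management (ideally in a hardware security module or split among several officers), and every data key is wrapped for it at encryption time, so recovery never depends on the individual user cooperating.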
Join Our Mailing List
Interested in staying current on HITECH / HIPAA compliance issues? Click the join our list link above and receive your own copy of the newsletter on the first business day of each month.
Dear Carlos,
Welcome to the November 2009 HITECH/HIPAA Compliance Newsletter. The featured article this month is entitled "HITECH/HIPAA and Meaningful Use Part IV: Attacking the HIPAA Security Rule (Hug the Monster: Redux)." It is the fourth in a series of featured articles over the next few months that will discuss the transformational impact that the HITECH Act is likely to have on HIPAA's regulatory environment.
The October issue started our in-depth review of the HIPAA Security Rule. This month's issue completes that analysis by reviewing risk management under the Administrative Safeguards and wraps up with a look at the Physical Safeguards. This month also features a guest article by Alex Zaltsman, CEO of Experior Data Security and Encryption.
Alex's article discusses (and courageously attempts to clarify) the often confusing topic of "data states" and the varying security approaches that apply to: 1) data at rest; 2) data in motion; 3) data in use; and 4) data disposed. It is entitled "Deciphering the Safe Harbor on Breach Notification." A robust data encryption strategy and implementation is imperative for organizations that want to prevent (more realistically, significantly mitigate) security incidents that trigger notification. A breach notification analytical framework will be discussed in a future issue, once we have covered the basics of the HIPAA Security and Privacy Rules.
Our focus from the outset has been to provide actionable information to our readers; in short, "news you can use." To complement the newsletter and provide more in-depth coverage of our compliance frameworks, we are launching a HITECH Risk Management Webinar Series in January 2010 (register here for our first webinar, January 27, 2010 at 3:00 EST).
The newsletter will introduce each framework, with more in-depth coverage, tools, and templates provided via the webinars.
Announcement
The authors of the HIPAA Survival Guide will be presenting at the World Health Care Congress Leadership Summit on HITECH and HIPAA Compliance Management for Providers (see the left sidebar for more information).
The title of our presentation is "Meaningful Use Under HITECH: Why HIPAA is No Longer a Paper Tiger."
We encourage you to attend this event and quickly get up to speed on the latest HITECH/HIPAA compliance issues. Changes in the healthcare industry are happening at a furious pace, and most providers and facilities are ill prepared for them. Take this opportunity to get information on HITECH/HIPAA best practices and on avoiding the hidden pain points.

If you would like to follow the authors' blogs, click here and here. Also, if you plan to attend the conference, we would enjoy meeting you. Please stop by after our presentation and say hello.
HITECH/HIPAA and Meaningful Use Part IV: Attacking the HIPAA Security Rule (Hug the Monster: Redux)
The HIPAA Security Rule is all about implementing effective risk management to adequately protect ePHI. The assessment, analysis, and management of risk provide the foundation of a covered entity's Security Rule compliance efforts. A comprehensive risk management approach supplies the tools needed to develop and maintain a covered entity's strategy for protecting the confidentiality, integrity, and availability of ePHI. One of our guiding principles for an SR implementation is that "you can't manage what you don't measure and account for."
All ePHI created, received, maintained, or transmitted by a covered entity is subject to the Security Rule ("SR"). Covered entities are required to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or vulnerabilities to the security of ePHI. Under the Security Rule, covered entities are required to evaluate the risks and vulnerabilities in their environments and to implement security controls that address them.
Implementing an effective risk management strategy for the SR requires the development of methodical and repeatable processes. These processes must put the necessary safeguards in place and likewise implement a robust set of monitoring mechanisms that measure their effectiveness.
More generally, a risk-based approach to security control selection and specification considers effectiveness, efficiency, and constraints due to applicable laws, directives, Executive Orders, policies, standards, or regulations (see the National Institute of Standards and Technology (NIST) document SP 800-66, Implementing the HIPAA Security Rule, page 10).
The NIST SR Implementation document recommends the following six step framework for controlling risks to ePHI:
Step 1: Categorize Information Systems (FIPS 199 / SP 800-60)
Step 2: Select Security Controls (FIPS 200 / SP 800-53)
Step 3: Implement Security Controls (SP 800-70)
Step 4: Assess Security Controls (SP 800-53A)
Step 5: Authorize Information Systems (SP 800-37)
Step 6: Monitor Security State (SP 800-37 / SP 800-53A )
The other NIST documents referenced in the framework steps are available from NIST. Arguably, the most important step in the framework, and in any SR risk management strategy, is step 1. You simply cannot make much progress without an inventory (and a categorization of that inventory) of the information assets that either contain or access ePHI. Creating and maintaining that inventory is key not only to a successful SR implementation but to keeping ePHI secured over time. Whether your organization has a current inventory of its ePHI information assets is likely to be a baseline HHS audit point, and the lack of one could readily lead to a finding of "willful neglect."
About Us
We help companies safely and securely do business on the web, in accordance with applicable law. How? By helping them reduce risk. Privacy and security compliance issues are merely a subset of the legal issues that online businesses face. This is as true for eCommerce sites as it is for healthcare providers, facilities, and vendors.
We take a partnering and collaborative approach in our legal practice. If you would like to see specific topics covered in this newsletter, please let us know.
Sincerely,