
Complying with HIPAA Privacy and Security Standards


Whitepaper


© Agiliance, Inc.


The Health Insurance Portability and Accountability Act (HIPAA)

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) was created to increase the efficiency and effectiveness of the nation’s health care system by encouraging the widespread use of electronic data interchange in health care.

It required significant changes in how the health care industry manages all aspects of information, including billing, reimbursement, security and patient records. All the key players in the industry, including providers, payers, and clearinghouses, are required to comply with HIPAA.

The final rule adopting HIPAA standards for security was published in the Federal Register on February 20, 2003. This final rule specifies a series of administrative, technical, and physical security procedures for providers, payers, and clearinghouses to use for assuring the integrity and confidentiality of Electronic Protected Health Information (EPHI). The technical safeguards in the ruling include:

Access control: Policies, procedures, and processes must be developed and implemented for electronic information systems that contain EPHI to only allow access to persons or software programs that have appropriate access rights.

Audit controls: Mechanisms must be implemented to record and examine activity in information systems that contain or use EPHI.

Integrity: Policies, procedures, and processes must be developed and implemented that protect EPHI from improper modification or destruction.

Person or entity authentication: Policies, procedures, and processes must be developed and implemented that verify persons or entities seeking access to EPHI are who or what they claim to be.

Transmission security: Policies, procedures, and processes must be developed and implemented that prevent unauthorized access to EPHI that is being transmitted over an electronic communications network (e.g., the Internet).

As a result, insurers and providers are required to develop and implement enterprise-wide security programs to comply with the security and privacy standards under HIPAA. Many have adopted the ISO17799 standard to ensure compliance with the security standards of HIPAA and have deployed a wide array of products which add layers of protection but also add significant complexity and cost.

Despite substantial investments, most organizations still struggle to find a mechanism to define and enforce the right policies and controls to comply with HIPAA in a cost-effective manner.

The Agiliance solution is specifically designed to address these issues. It provides a holistic and real-time view of security, compliance and risk across the whole enterprise. Agiliance enforces and monitors policies & controls across functional and geographical boundaries within a company and improves compliance with the HIPAA standard in a cost-effective manner.


Capabilities for ensuring compliance with HIPAA Security and Privacy standards

The following are key capabilities of best-in-class solutions that use a standard such as ISO17799/27001 to become compliant with HIPAA security and privacy standards:

Maintain a repository of all relevant assets (hardware, software, physical IT infrastructure, and IT processes) that affect EPHI. Assets can either be brought in from external asset management or configuration management systems or through asset discovery technology. The system should support a comprehensive asset data model to document relationships between assets, organizations, processes and people.

Leverage surveys to identify how critical an asset is to maintaining the integrity and confidentiality of EPHI and then assess its overall risk.

Maintain a library of control objectives for a standard such as ISO17799/27001. By mapping each control objective in the standard against the various asset classes and their assessed risks, the user should be able to define and activate policies (including security policies) to manage the risk.

Track asset and configuration changes, integrate with monitoring tools and perform manual assessments to identify policy violations.

Compute an asset’s composite risk score based on multiple criteria, including the business impact of its impairment, its compliance with policies (including security policies), and its vulnerability based on external feeds. The risk score allows users to prioritize which non-compliant assets need to be addressed first for remediation.

Report on asset compliance scores – both for status purposes, as well as evidence of compliance for internal and external auditors.
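The following is an added illustration of the capability list above, from asset inventory and survey-based EPHI criticality through composite risk scoring to a remediation queue. It is not Agiliance's code or scoring model; the weights, control identifiers (named after the HIPAA technical safeguards) and sample assets are constructed assumptions.

```python
from dataclasses import dataclass, field

# Control ids assumed here mirror the HIPAA technical safeguards listed earlier.
CONTROLS = ("access_control", "audit_controls", "transmission_security")


@dataclass
class Asset:
    name: str
    ephi_criticality: int            # survey result, 1 (low) .. 5 (high)
    policy_results: dict             # control id -> True (compliant) / False
    vuln_severities: list = field(default_factory=list)  # external feed, 0..10


def composite_risk(asset, w_policy=0.6, w_vuln=0.4):
    """Composite risk score 0..100 (weights are an assumption, not a standard)."""
    impact = asset.ephi_criticality / 5.0
    # share of mapped controls the asset currently violates
    results = list(asset.policy_results.values())
    noncompliance = results.count(False) / len(results) if results else 0.0
    # worst known vulnerability from the external feed, normalised to 0..1
    vuln = max(asset.vuln_severities, default=0.0) / 10.0
    # impact scales exposure: a fully compliant, unexposed asset scores 0
    return round(100 * impact * (w_policy * noncompliance + w_vuln * vuln), 1)


def remediation_queue(assets):
    """Non-compliant assets only, highest composite risk first."""
    non_compliant = [a for a in assets if not all(a.policy_results.values())]
    return sorted(non_compliant, key=composite_risk, reverse=True)


# Constructed sample inventory (not real hosts).
SAMPLE_ASSETS = [
    Asset("ehr-db-01", 5, dict(zip(CONTROLS, (True, False, False))), [9.8, 5.0]),
    Asset("billing-app", 4, dict(zip(CONTROLS, (False, True, True)))),
    Asset("kiosk-07", 2, dict(zip(CONTROLS, (True, True, True))), [7.5]),
    Asset("hr-fileshare", 3, dict(zip(CONTROLS, (False, False, True))), [6.1]),
]

if __name__ == "__main__":
    for a in remediation_queue(SAMPLE_ASSETS):
        failing = [c for c, ok in a.policy_results.items() if not ok]
        print(f"{a.name:14} risk={composite_risk(a):5.1f} failing={failing}")
```

The compliant kiosk is left out of the queue even though it carries a vulnerability; it would still surface in the risk report, which is where the capability list puts status reporting.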

Agiliance and Compliance with HIPAA

The Agiliance IT-GRC Platform enables organizations to effectively analyze and decrease security risk, and significantly reduce the cost of compliance with HIPAA. It is designed to address key issues, such as “How secure is our IT infrastructure?”, “Do we have the right policies and controls to mitigate privacy and security risk under HIPAA standards?”, or “How do we monitor compliance with policies and controls across the enterprise on a continuous basis?” Its core value proposition, a combination of asset, security policy and risk management, makes it the right solution for ensuring IT compliance with HIPAA.


Key capabilities of Agiliance IT-GRC

Asset Management: Agiliance automatically builds and maintains an asset inventory database leveraging data collected by many sources including Active Directory, scanners, management systems and repositories.

Policy Management: A policy library based on an industry-wide security standard such as ISO 17799 allows a user to quickly define security policies. A powerful editor allows creation of rich custom policies. Policy sets may be assigned to individual assets or globally to groups. Manual policies are managed with customizable and automated surveys.

Policy Enforcement: Agiliance automates real-time monitoring to enforce automated policies, monitor compliance and flag violations. When an asset is moved, it automatically inherits the policies of its new environment.

Risk Management: Agiliance incorporates multi-dimensional risk analysis capabilities, which consider policy violations (non-compliance), threats and vulnerabilities, asset and policy classification. It uses relative risk scores to prioritize the remediation of non-compliant assets.

Dashboards and Compliance Reports: Agiliance delivers pre-configured compliance reports for a large number of regulations, as well as current status and trends.

Remediation: Agiliance provides a risk-based prioritized action plan for remediation of out-of-compliance assets and tracks the remediation process for assets under consideration.


1732 North First Street Suite 200 San Jose, CA 9511�

p: 408.200.0400 f: 408.200.0401 www.agiliance.com

Agiliance, Inc.


Enterprise Class: Agiliance has a scalable and secure architecture, capable of managing thousands of hosts and processing millions of daily events. Agent-less and agent-based options make the solution easy to deploy and the rich browser-based user interface is easy to use.

Open Architecture: Agiliance is designed around an open architecture based on industry standards. Open connectors easily integrate with and leverage your existing security and management tools and platforms.

Agiliance enterprise integration