SECURITY - PowerPoint PPT Presentation

1
SECURITY
HIPAA
DATA ENSURE INC., 798 PARK AVE. NW, SUITE 204, NORTON, VA 24273, (276) 679-7900, WWW.DATAENSUREINC.COM
2
HIPAA Compliance
  • Complying with HIPAA is challenging because this
    regulation affects so many areas, including
    standards for transactions, rules for data
    privacy/security, standards for clinical records
    and more.

3
HIPAA Background
  • In August of 1996, Congress enacted the Health
    Insurance Portability and Accountability Act
    (HIPAA). The goals of the legislation are to
    reduce the administrative costs of healthcare, to
    develop standard transactions for consistency
    industry-wide, to require broad security and
    disaster recovery protections for individually
    identifiable healthcare information, to promote
    confidentiality of patient records, and to provide
    an incentive for healthcare companies to
    communicate electronically.

4
HIPAA Background
  • Any health care provider organization, office,
    or plan that electronically maintains or
    transmits health information pertaining to an
    individual must comply with HIPAA regulations.
    These federally governed regulations will require
    strict standards for Security and Disaster
    Recovery.

5
Who Must Comply?
  • Those who must comply with HIPAA fall into two
    categories:
  • Covered Entities
  • Business Associates

6
HIPAA Overview
  • HIPAA consists of five parts:
  • Title 1 - Health Insurance Portability - helps
    workers maintain insurance coverage when they
    change jobs
  • Title 2 - Administrative Simplification -
    standardizes electronic health care-related
    transactions, and the privacy and security of
    health information
  • Title 3 - Medical Savings Accounts and Health
    Insurance Tax Deductions
  • Title 4 - Enforcement of Group Health Plan
    Provisions
  • Title 5 - Revenue Offset Provisions

7
The Security Rule
  • The Final Security Rule was published in
    February 2003, and became effective on April 21,
    2003. Compliance with this Rule has been required
    since April 21, 2005.

8
The Security Rule
  • The Security Rule specifies the means that
    should be used to protect ePHI (electronic
    Protected Health Information). It requires that
    covered entities have appropriate Administrative
    Procedures, Physical Safeguards, and Technical
    Safeguards to protect access to ePHI.

9
Examples of Appropriate Safeguards Include
  • Establishment of clear Access Control policies,
    procedures, and technology to restrict who has
    authorized access to ePHI.
  • Establishment of restricted and locked areas
    where ePHI is stored.
  • Establishment of appropriate Data Backup,
    Disaster Recovery, and Emergency Mode Operation
    planning.
  • Establishment of technical security mechanisms
    such as encryption to protect data that is
    transmitted via a network.

10
The Security Rule
  • Two rules for discussion are:
  • 164.308(a)(7)(ii)(A) - Data Backup Plan (R)
  • 164.308(a)(7)(ii)(B) - Disaster Recovery Plan (R)
  • (R) marks a required implementation specification.

11
Disaster Recovery Planning
  • Disaster recovery planning is a necessary and
    vital part of any healthcare delivery
    organization. How does an institution recover
    from something as simple as a hardware or
    software failure or as catastrophic as the loss
    of a complete data center? How long can data be
    unavailable before it impacts patient care?

12
Disaster Recovery Planning
  • These are precisely the situations that the
    Security Standard was intended to address by
    ensuring confidentiality, integrity and
    availability of patient information. To that end,
    disaster recovery planning should be viewed as a
    plan for business continuity and, further, as an
    opportunity to minimize the costs associated with
    regulatory compliance.

13
What is Required for a Disaster Recovery Plan?
  • What should be included in the disaster
    recovery strategy? Considerations must include
    the end users' specific needs, the location and
    storage of the critical data, and every component
    in between. The plan must allow a covered entity
    to re-create the entire infrastructure necessary
    to guarantee information availability.

14
Why Backup?
  • Backup is an integral part of any Disaster
    Recovery Plan. The amount of data stored
    electronically is growing, and your practice
    relies on it to conduct efficient and proper
    patient care.
  • What if you lost your scheduling software?
  • How long would it take to recreate it?

15
Who Performs Data Backups?
  • It is estimated that less than 30 percent of
    businesses properly protect their computer data.
  • Healthcare-related businesses do a better job.
  • Proper backups can ensure that your business /
    practice survives computer-related disasters no
    matter how big or small.

16
How Often?
  • Backups should be done on a schedule. Daily
    would be ideal. Most businesses don't do this;
    for one reason or another, they don't keep a
    regular backup regimen.
  • Usually it's because the person responsible for
    doing backups (if there is one) is too busy doing
    something else, or someone is using the computer
    when it's time for a backup, or they simply
    forget.
  • Backups should be automated so as not to depend
    on any one person.

17
Why Off-Site Backups?
  • Of the estimated ten percent of companies that
    follow all the other rules for safe backups, only
    five percent follow this one.  This is where
    almost every business makes its biggest mistake. 
  • Even if you do everything else perfectly, your
    backups are of little use if your building burns
    or you are unable to physically recover your data
    backup media. 

18
Redundancy! Why?
  • The general definition of "proper" backups
    requires redundancy.  That is, one must keep
    multiple copies of the same files at different
    points in their development, called versions. 
  • Part of the reason for doing backups is to be
    able to revert to the previous version of a file
    in case a virus, hardware failure, or human error
    damages the current version.

19
Redundancy! Why?
  • If you copy new files over old ones you may lose
    your only backup by inadvertently copying a
    damaged file over it.  This is much too important
    to overlook. 

20
What Data is Backed Up?
  • Most hard drives contain thousands of files, but
    only a small percentage of them contain your
    Critical Data.  Find out which ones, and be sure
    you are backing them up. 
  • Ordinary backup software is often installed with
    a list of files to be backed up.  This set of
    files usually represents the state of the system
    when the software was installed, and often misses
    critical files. 

21
What about Security?
  • Of the very small percentage of companies that
    take their backups off-site regularly, an even
    smaller percentage encrypts their backups for
    security. 
  • Most of those send backups home with an employee
    who might make a few stops on the way.  If
    backups are stolen or lost, your ePHI data could
    easily end up in the hands of ?????????????. 

22
What about Security?
  • Would you want someone to be able to slip one of
    your backup tapes into a pocket and take it to
    ???????  It happens.  Tape backups are not
    generally encrypted, so anyone can read them and
    gain access to your patient database, billing
    records, payroll, tax info, and everything else
    on your computer. 

23
What about Security?
  • Jane Doe
  • Birth date
  • Address
  • Condition
  • Medications
  • Treatments
  • Insurance

24
Data Encryption

25
What is RDB?
  • Remote Data Backup works basically like regular
    tape backups, with one important difference.
  • Instead of sending backups to a tape drive or
    other media, Remote Data Backup sends them over the
    internet to another computer safely off-site.

26
What is RDB?
  • It does this (usually) at night while the
    practice is closed and nobody is using the
    computers.  And it's completely automatic.
  • Remote Data Backup encrypts its backups for
    complete security so nobody can read them.
  • Only Remote Data Backup has such an easy-to-use
    version control system. Further, you should be
    able to easily restore any of your files up to
    any given point in time.
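Slides 18 and 19 make the versioning point (never copy a new backup over the only existing one) and slides 21, 22 and 26 make the encryption point (backup media must be unreadable to whoever ends up holding them). The Go program below is an added example written for this transcript; it is not code from the presentation and not Data Ensure's Remote Data Backup product. It keeps every backup of a file as a separate AES-256-GCM encrypted version, restores any point in time by sequence number, and refuses to hand back a copy whose authentication tag does not verify. The file name, the sample schedule contents and the in-memory vault are constructed for the example, and key generation and storage are assumed to happen elsewhere.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Version is one immutable point-in-time copy of a file.
type Version struct {
	Nonce      []byte
	Ciphertext []byte // AES-256-GCM output; the appended tag detects any change
}

// Vault is a constructed in-memory stand-in for backup media. Versions are
// appended, never overwritten, so a damaged copy cannot replace a good one.
type Vault struct {
	aead  cipher.AEAD
	files map[string][]Version
}

// NewVault takes a 32-byte AES-256 key; generating and safeguarding it is assumed elsewhere.
func NewVault(key []byte) (*Vault, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, files: map[string][]Version{}}, nil
}

// Backup encrypts plaintext under a fresh random nonce and appends it as the
// next version of name, returning that version's 1-based sequence number.
func (v *Vault) Backup(name string, plaintext []byte) (int, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return 0, err
	}
	// The file name is bound as associated data, so a ciphertext moved into
	// another file's history fails authentication on restore.
	ct := v.aead.Seal(nil, nonce, plaintext, []byte(name))
	v.files[name] = append(v.files[name], Version{Nonce: nonce, Ciphertext: ct})
	return len(v.files[name]), nil
}

// Restore returns version seq of name (0 = latest). Ciphertext that fails
// authentication is reported as an error, never handed back as data.
func (v *Vault) Restore(name string, seq int) ([]byte, error) {
	history := v.files[name]
	if seq == 0 {
		seq = len(history)
	}
	if seq < 1 || seq > len(history) {
		return nil, fmt.Errorf("%q has no version %d", name, seq)
	}
	ver := history[seq-1]
	pt, err := v.aead.Open(nil, ver.Nonce, ver.Ciphertext, []byte(name))
	if err != nil {
		return nil, fmt.Errorf("version %d of %q failed authentication: %w", seq, name, err)
	}
	return pt, nil
}

// MediaExposes reports whether needle is readable in the clear on the stored
// media, which is what an unencrypted tape reveals to whoever holds it.
func (v *Vault) MediaExposes(name string, needle []byte) bool {
	for _, ver := range v.files[name] {
		if bytes.Contains(ver.Ciphertext, needle) {
			return true
		}
	}
	return false
}

func main() {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	vault, _ := NewVault(key)
	// Constructed sample: a good file, then a damaged copy that copy-over would have lost the good one to.
	vault.Backup("schedule.csv", []byte("2024-01-08,Jane Doe,09:00\n"))
	n, _ := vault.Backup("schedule.csv", []byte("\x00\x00CORRUPT\x00\x00"))
	good, err := vault.Restore("schedule.csv", 1)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d versions held; v1 restored: %sname readable on media: %v\n", n, good, vault.MediaExposes("schedule.csv", []byte("Jane Doe")))
}
```

Run as written, the program stores a good schedule file and then a damaged one, and still restores version 1 intact; a scheme that copies the new file over the old one would have no good copy left at that point. The GCM tag is what turns a lost or tampered tape from a silent data leak or a silent bad restore into a loud error, and binding the file name as associated data stops a version being passed off as belonging to a different file.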

27
Remote Data Backup From Data Ensure, Inc.
  • Remote Data Backup can be your data backup
    solution. It provides you with secure, encrypted
    data storage and recovery and automatic backups.
    It meets HIPAA compliance standards for electronic
    transactions through the use of encryption and
    passwords in a secure environment.

28
THANK YOU FOR ATTENDING!!!