HIPAA Security Standards - PowerPoint PPT Presentation

Provided by: aelc
Slides: 19

Transcript and Presenter's Notes

1
HIPAA Security Standards
  • What's happening in your office?

2
Agenda
  • Industry Statistics
  • Review Rules
  • Assessment -What needs to be done?
  • Physical and Technical Safeguards
  • Technical terminology
  • Next Steps
  • Questions / Open Discussion

3
Statistics
4
Statistics
5
  • IT security will always be a balancing act
    between risk and cost.

6
Security Standards
  • Required or Addressable

7
HIPAA Security Standards
  • Administrative Safeguards (55% of the
    implementation specifications)
  • 12 required, 11 addressable
  • Physical Safeguards (24%)
  • 4 required, 6 addressable
  • Technical Safeguards (21%)
  • 4 required, 5 addressable
  • The final rule has been modified to increase
    flexibility as to how protection is accomplished.

8
Addressable Implementation Specifications
  • Covered entities must assess whether an
    implementation specification is reasonable and
    appropriate, based upon factors such as:
  • Risk analysis and mitigation strategy
  • Costs of implementation
  • Current security controls in place
  • Key concept: "reasonable and appropriate"
  • Cost is not meant to free covered entities from
    their security responsibilities

9
Addressable Implementation Specifications
  • In meeting standards that contain addressable
    implementation specifications, a covered entity
    will ultimately do one of the following:
  • a. Implement one or more of the addressable
    implementation specifications
  • b. Implement one or more alternative security
    measures
  • c. Implement a combination of both, or
  • d. Not implement either an addressable
    implementation specification or an alternative
    security measure
  • Whichever option is chosen, the decision and the
    reasoning behind it must be documented!

10
Administrative Safeguards
11
Physical Safeguards
12
Technical Safeguards
13
Terminology
  • Security
  • Refers to techniques for ensuring that data
    stored in or sent from a computer cannot be read
    or altered by anyone not authorized to do so.
    Common security measures include data encryption
    and passwords. Data encryption is the translation
    of data into a form that is unintelligible without
    the deciphering mechanism (the key). A password is
    a secret word or phrase that a user presents to
    prove identity and gain access to a particular
    program or system.
  • Firewall
  • A system designed to prevent unauthorized access
    to or from a private network. Firewalls can be
    implemented in hardware, in software, or in a
    combination of both. Firewalls are frequently
    used to prevent unauthorized Internet users from
    accessing private networks connected to the
    Internet, especially intranets. All traffic
    entering or leaving the intranet passes through
    the firewall, which examines each message and
    blocks those that do not meet the specified
    security criteria.

14
Terminology
  • There are several types of firewall techniques:
  • Packet filter: Looks at each packet entering or
    leaving the network and accepts or rejects it
    based on user-defined rules. Packet filtering is
    fairly effective and transparent to users, but it
    is difficult to configure correctly. In addition,
    because it decides on header fields that the
    sender controls, it is susceptible to IP spoofing.
  • Application gateway: Applies security mechanisms
    to specific applications, such as FTP and Telnet
    servers. This is very effective, but can impose a
    performance penalty.
  • Circuit-level gateway: Applies security
    mechanisms when a TCP connection (or UDP session)
    is established. Once the connection has been
    allowed, packets flow between the hosts without
    further per-packet checking.
  • Proxy server: Intercepts all messages entering
    and leaving the network. The proxy server
    effectively hides the true internal network
    addresses.
  • In practice, many firewalls use two or more of
    these techniques in concert.
  • A firewall is considered a first line of defense
    in protecting private information. For greater
    security, data can be encrypted.
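
The packet filter described above is easy to simulate, and the simulation makes the "susceptible to IP spoofing" point concrete. The following is an added example, not part of the presentation: a toy rule evaluator with user-defined rules (first match wins, default deny), a naive ruleset that trusts any packet carrying an internal source address, and a hardened ruleset that adds an ingress anti-spoofing rule. The interface names, the 10.0.0.0/8 internal range, the 203.0.113.x addresses and the sample packets are all constructed for the example.

```python
"""
Toy packet filter (added example, not from the presentation).

Shows two things the slide only states:
  * user-defined rules evaluated in order, first match wins, default deny;
  * why a filter that trusts *source addresses* is susceptible to IP
    spoofing, and the ingress (anti-spoofing) rule that closes the hole.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed layout: 10.0.0.0/8 is the office's private network, reached via
# interface "int"; the Internet is reached via interface "ext".
INTERNAL_NET = "10.0.0.0/8"


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "ext" or "int"
    src: str     # claimed source IP; an attacker can forge this field
    dst: str     # destination IP
    proto: str   # "tcp" or "udp"
    dport: int   # destination port


@dataclass(frozen=True)
class Rule:
    action: str                  # "accept" or "drop"
    iface: Optional[str] = None  # None matches any interface
    src: Optional[str] = None    # CIDR; None matches any source
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any port
    comment: str = ""

    def matches(self, p: Packet) -> bool:
        """A field left as None is a wildcard; every set field must match."""
        if self.iface is not None and p.iface != self.iface:
            return False
        if self.src is not None and ip_address(p.src) not in ip_network(self.src):
            return False
        if self.proto is not None and p.proto != self.proto:
            return False
        if self.dport is not None and p.dport != self.dport:
            return False
        return True


def filter_packet(rules, p: Packet, default: str = "drop"):
    """First matching rule wins; unmatched packets take the default policy."""
    for r in rules:
        if r.matches(p):
            return r.action, r.comment
    return default, "default policy"


# Naive ruleset: trusts any packet whose source address looks internal,
# regardless of the interface it arrived on.
NAIVE_RULES = [
    Rule("accept", src=INTERNAL_NET, comment="trust internal hosts"),
    Rule("accept", proto="tcp", dport=443, comment="public HTTPS to the web server"),
]

# Hardened ruleset: an internal source address arriving from the Internet
# cannot be genuine, so it is dropped before any trust rule is consulted.
HARDENED_RULES = [
    Rule("drop", iface="ext", src=INTERNAL_NET,
         comment="anti-spoofing: internal source on external interface"),
    Rule("accept", iface="int", src=INTERNAL_NET,
         comment="trust internal hosts, but only on the internal interface"),
    Rule("accept", iface="ext", proto="tcp", dport=443,
         comment="public HTTPS to the web server"),
]

# Constructed sample traffic (203.0.113.0/24 is a documentation-only range).
SPOOFED = Packet("ext", "10.0.0.5", "10.0.0.20", "tcp", 3389)   # forged internal source, aimed at RDP
LEGIT_INTERNAL = Packet("int", "10.0.0.5", "10.0.0.20", "tcp", 3389)
PUBLIC_HTTPS = Packet("ext", "203.0.113.7", "10.0.0.80", "tcp", 443)
PUBLIC_TELNET = Packet("ext", "203.0.113.7", "10.0.0.80", "tcp", 23)


def compare_rulesets():
    """Return {packet name: (naive verdict, hardened verdict)} for the samples."""
    samples = {
        "spoofed": SPOOFED,
        "legit_internal": LEGIT_INTERNAL,
        "public_https": PUBLIC_HTTPS,
        "public_telnet": PUBLIC_TELNET,
    }
    return {name: (filter_packet(NAIVE_RULES, p)[0], filter_packet(HARDENED_RULES, p)[0])
            for name, p in samples.items()}


if __name__ == "__main__":
    for name, (naive, hardened) in compare_rulesets().items():
        print(f"{name:15s} naive={naive:7s} hardened={hardened}")
```

The naive ruleset accepts the spoofed packet because the filter has no way to tell a forged 10.0.0.5 from a real one by inspecting the address alone; the hardened ruleset never consults the trust rule for traffic on the external interface, which is the same idea as the ingress filtering recommended in BCP 38. The legitimate internal packet and the public HTTPS request pass both rulesets, and the Telnet attempt falls through to the default deny in both.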

15
Terminology
  • VPN
  • Short for virtual private network: a network that
    is constructed by using public infrastructure to
    connect nodes. For example, a number of systems
    enable you to create networks using the Internet
    as the medium for transporting data. These systems
    use encryption and other security mechanisms to
    ensure that only authorized users can access the
    network and that data, even if intercepted in
    transit, cannot be read or altered.
  • Antivirus program
  • A utility that searches a hard disk for viruses
    and removes any that are found. Most antivirus
    programs include an auto-update feature that
    downloads signatures (profiles) of new viruses so
    that the program can check for them as soon as
    they are discovered.
  • Secure server
  • A Web server that supports one of the major
    security protocols, like SSL, that encrypt and
    decrypt messages to protect them against third
    party eavesdropping and tampering. Submitting
    payment or personal information to a secure Web
    server means it is encrypted in transit, so an
    eavesdropper cannot read it. Major security
    protocols listed at the time were SSL, S-HTTP,
    PCT, and IPsec; of these, only TLS (the successor
    to SSL) and IPsec remain in use, while S-HTTP and
    PCT are obsolete.

16
Next Steps
  • Assign responsibility to one person
  • Conduct a risk analysis
  • Deliver security awareness in conjunction with
    privacy
  • Develop policies, procedures, and documentation
    as needed
  • Review and modify access and audit controls
  • Establish security incident reporting and
    response procedures

17
Questions?
18
Helpful sites
  • www.hipaadvisory.com - Phoenix Health System
  • www.himss.org - Healthcare Information and
    Management Systems Society
  • www.sans.org/resources/policies/ - SysAdmin,
    Audit, Network, Security Institute
  • www.hipaacomply.com - Beacon Partners
  • www.cms.gov/hipaa/ - Centers for Medicare and
    Medicaid Services
  • www.aha.org - American Hospital Association
  • www.aamc.org/members/gir/gasp/ - Guidelines for
    Academic Medical Centers on Security and Privacy
  • http://dirm.state.nc.us.hipaa.hippa2002/security/security.html
    - North Carolina DHHS HIPAA