HIPAA/HITECH Controls Review

With the growing reliance on information technology in the healthcare industry, the security and privacy of medical records have become a government-regulated requirement. Technology innovation has delivered significant advances in electronic health record (EHR) technology, enabled broad collaboration in diagnosis and research, and streamlined administrative processes such as integrated billing systems.

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) recently reported that nearly 8.3 million individuals were affected by 249 privacy and security breaches between September 2009 and March 2011. This highlights the importance of having proper IT security procedures and practices in place so that the confidentiality and security of patient information are preserved whenever it is transferred, received, handled, stored, or shared. To address the need for privacy of medical information, the Health Insurance Portability and Accountability Act (HIPAA), enacted in 1996, defines the requirements for appropriate use and safeguarding of electronic protected health information (ePHI). The Health Information Technology for Economic and Clinical Health (HITECH) Act, part of the 2009 American Recovery and Reinvestment Act (ARRA), updates the HIPAA standards to further strengthen the privacy and security of health information and adds specific requirements for breach response and notification.

ARRA also contains specific incentives designed to accelerate the adoption of EHR systems among providers. Because this legislation anticipates a significant expansion in the exchange of ePHI, the HITECH Act widens the scope of HIPAA privacy and security protections: it increases the potential legal liability for violations and noncompliance, extends the applicability of HIPAA to “business associates,” and provides for stronger enforcement.

In today’s IT environment, traditional security controls are no longer enough to protect critical infrastructure, applications, and data. Constantly evolving threats and attack techniques make security a moving target and expose these assets to new risks daily. As a result, most healthcare organizations find it challenging to defend against emerging cyber threats while still providing authorized clinical users with efficient and flexible access to health information management systems.

Team with the Experts

Clarium Managed Security Services can help healthcare organizations monitor and manage the cybersecurity of critical infrastructure and thereby help protect patients’ health information. Clarium Managed Security Services delivers real-time information security threat monitoring and analysis to help organizations maintain HIPAA and HITECH compliance. By partnering with Managed Security Services as their remote security team, healthcare security administrators can draw on Clarium’s global network of Security Operations Centers (SOCs), security experts, best practices, information correlation capabilities, and global threat intelligence to help ensure that systems processing or storing ePHI are protected against cybersecurity threats.

Clarium will provide a detailed assessment of compliance with HIPAA/HITECH requirements. Specific areas reviewed include, but are not limited to, the following:

Media Security – protection of all forms of physical storage media, including paper documents

Hardware Security – hardware maintenance and change controls, anti-theft and anti-tampering measures

Software Security – software maintenance and change controls, software integrity, software copyright/licensing compliance, privileged program controls, anti-virus and related malicious software safeguards, database security, security design for new systems, risk management process

Network Security – network device security, communications security, network access controls, internet/web security, intrusion detection, vulnerability testing, network change controls, firewalls & proxy servers, dial-up access security, encryption, e-mail security

Host (System) Security – operating system access controls for multi-user and single-user (workstation) computers, including user authentication, data access authorization, and audit logs; application security

Procedural Security – information security charter, policies and procedures, organization, roles & responsibilities, auditing, awareness, IT change controls

Personnel Security – background checks, non-disclosure agreements, training, professional development, terminations & transfers, contracts

Disaster Recovery/Business Resumption Planning – fault tolerance/redundancy, data backup, recovery/continuity planning

Physical Security – facilities access control, security cameras, location and marking of facilities

Environmental Security – disaster/interruption avoidance, safety, air conditioning and temperature controls, electrical power and utilities

Contractual Security/Privacy – Business Associate Agreements, non-disclosure agreements