Enabling Solutions for HIPAA Compliance
Transcript of Enabling Solutions for HIPAA Compliance
Enabling Solutions for HIPAA Compliance
Presented by: Mike McDermand
HIPAA Agenda
About Computer Associates International, Inc. (CA)
AHA – HCCA HIPAA security survey
– Summary results
– Highlights of responses
Recommended technology solutions to enable compliance
Added complexity of wireless networks
Summary information
World’s fourth-largest independent software vendor
The global leader in identity and access management security
More than 15,000 employees internationally
Market cap approximately $60 billion
Revenues > $3 billion
1,200+ software solutions
Achieved ISO 9001 quality certification
Offices in more than 50 countries
About CA
Healthcare Solutions Group
Objective: Combine CA technology with industry knowledge and the capabilities of our partners to deliver business and clinical solutions to the healthcare industry
Technology to Enable HIPAA Security Compliance
AHA – HCCA HIPAA Security Survey
772 respondents to survey
– 1-100 beds: 37.1%
– 101-200 beds: 14.9%
– 201-350 beds: 18.8%
– 351+ beds: 23.7%
– Health plans: 1%
– Other (no patient care): 4.5%
75% of respondents were executive level
Less than ½ of executives have a role in compliance efforts (47% CIO, 45% CFO, 41% CEO, 22% Board)
74% of Compliance Officers take a role
Summary Results
What is going well?
97% of respondents are using anti-virus
70% of respondents are using spam control
78% conduct on-going security awareness training
70% of respondents are increasing security budgets in 2005
Summary Results
What is getting better?
80% of respondents have completed a network scan (only 25% scan quarterly or more)
47% are currently using intrusion detection technology
62% are using security audit tools (most are not centralized)
Summary Results
What is going poorly?
11% of respondents say they are compliant
55% are in the implementation stage
8% are using identity management software and 22% plan to use this software
60% use WLAN technology and 43% use wireless security
48% use encryption for e-mail sent outside the organization
Limited audit consolidation and correlation
Survey Highlights
Results indicate that most covered entities are behind schedule for Security compliance
Covered entities are most advanced with electronic defense
Administrative compliance and access controls need the most attention
Much security-related education is needed
Increasing involvement from executives (41% of CEOs and 45% of CFOs)
Three main obstacles to security compliance
– Budget – 57%
– Resources – 81%
– Time – 59%
The Need for Improvement
60% of respondents have a wireless LAN, 43% use wireless security
48% use encryption for e-mail sent outside the organization
63% use technology to prevent unauthorized loading of spyware, cookies, malware, etc.
43% do not conduct regularly scheduled security audits, while only 33% perform audits more than once per year
On the good side, 70% of respondents plan to use single sign-on
Workforce security
– Provide access to authorized users
– Prevent access for unauthorized users
– Ensure that access to electronic protected health information (ePHI) by a workforce member is appropriate
– Implement procedures for terminating access when employment has ended
Information access management
– Access authorization
– Access establishment and modification
Example - Workforce Administration
Example - HIPAA Access Control
Unique user identification — required
Emergency access procedure — required
Automatic logoff — addressable
Additional administrative requirements
– Log-in monitoring
– Password management
Current barriers to meeting these requirements
– Balance security with convenience at the clinical workstations
– Limited security capabilities within current applications
Example - Security Incident Tracking
Information system activity review — required
– Review records of information system activity
– Audit logs, access reports and security incident tracking reports
Security incident response and reporting — required
– Identify and respond to suspected or known security incidents
– Mitigate harmful effects of security incidents that are known to the covered entity
– Document security incidents and their outcomes
Audit controls — required
– Implement hardware, software and/or procedural mechanisms that record and examine activity in information systems containing ePHI
Example - System Access Controls For…
Risk management
– Reduce security risks and vulnerabilities to a reasonable and appropriate level
Isolating healthcare clearinghouse functions
– Allow systems administrators to access all components
Access control and validation procedures
– Control and validate access to software programs for testing and revision
Authenticating ePHI
– Help ensure ePHI has not been altered or destroyed in an unauthorized manner
Current barriers to proper access controls
– Superusers have global access to ePHI on distributed platforms
Issues Related to Access Controls
Much PHI resides on distributed systems (Microsoft platforms or Unix platforms)
A root user on Unix, and an Administrative user on Microsoft, have full access rights to all information on a server
Security logs are often not complete, and may be modified by an Administrative/root user
Administrative/root access is required to set up user accounts, manage the database, etc.
Where does minimum necessary apply?
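An added example, not code from the presentation or from CA, of the two points the slides make about audit controls: an activity review over ePHI access records (superuser access, access after employment ended, off-hours activity) and a keyed hash chain that makes a root user's edits to the log detectable. The sample records, the HR feed and the audit key are constructed for the example; the key is assumed to live only on a central audit server, not on the hosts whose root users are the concern.

```python
import hashlib
import hmac
from datetime import datetime
# Constructed sample audit records (not from the presentation): (timestamp, user, role, action, record id)
SAMPLE_LOG = [
    ("2005-03-01T08:02:00", "jdoe",   "nurse",    "READ",   "MRN-1001"),
    ("2005-03-01T08:15:00", "root",   "sysadmin", "READ",   "MRN-1002"),
    ("2005-03-01T23:40:00", "asmith", "clerk",    "EXPORT", "MRN-1003"),
    ("2005-03-02T09:00:00", "bjones", "nurse",    "READ",   "MRN-1004"),
]
TERMINATED_USERS = {"bjones"}       # hypothetical HR feed of ended employment
SUPERUSER_ROLES = {"sysadmin"}      # root on Unix, Administrator on Windows
BUSINESS_HOURS = (7, 19)            # 07:00-19:00; activity outside is reviewed
AUDIT_KEY = b"audit-server-secret"  # hypothetical key held only by the audit server

def _tag(prev, rec, key):
    return hmac.new(key, prev + "|".join(rec).encode(), hashlib.sha256).hexdigest()

def chain_log(records, key=AUDIT_KEY):
    """Give each record an HMAC that also covers the previous record's HMAC, so a
    host root user who edits or deletes a record cannot re-tag it without the key."""
    prev, chained = b"", []
    for rec in records:
        tag = _tag(prev, rec, key)
        chained.append((rec, tag))
        prev = tag.encode()
    return chained

def verify_chain(chained, key=AUDIT_KEY):
    """Index of the first record that fails to verify, or None if the chain is intact.
    (Silent truncation of the tail needs a separate record count or anchor.)"""
    prev = b""
    for i, (rec, tag) in enumerate(chained):
        if not hmac.compare_digest(_tag(prev, rec, key), tag):
            return i
        prev = tag.encode()
    return None

def review(records):
    """Information system activity review: flag entries a reviewer must look at."""
    findings = []
    for ts, user, role, action, rec_id in records:
        if user in TERMINATED_USERS:
            findings.append((user, rec_id, "access after employment ended"))
        if role in SUPERUSER_ROLES:
            findings.append((user, rec_id, "superuser accessed ePHI"))
        if not BUSINESS_HOURS[0] <= datetime.fromisoformat(ts).hour < BUSINESS_HOURS[1]:
            findings.append((user, rec_id, action + " outside business hours"))
    return findings
```

Run review() on the nightly export of each server's audit log and verify_chain() against the copy the audit server tagged at ingest; a mismatch index points at the first record changed since ingest.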
Healthcare Access Control
(Architecture diagram built up across several slides; only its labels survive extraction.) Components shown: HR System, Admin Policy Engine, Audit/Command Center, Authentication Service, Web GUI, and three managed servers each drawn as App / DB / OS layers, with an "Enhance OS" layer added to every server in the final view.
SSO walkthrough:
– User logs into SSO by clicking “logon” button
– User presents finger to fingerprint reader
– The toolbar “populates” with icons that represent applications that are authorized within SSO.
Data backup plan — required
– Create and maintain retrievable exact copies of ePHI
Disaster recovery plan — required
– Establish procedures to restore data loss
– Must contain documented policies and procedures
Emergency mode operation plan — required
– Protect the security of ePHI while operating in an emergency mode
Time limit — required
– Maintain documentation for six years from the date when it was last in effect
Example - Contingency Plan and Operations
Solution – Centralized Storage Management
Conduct data and application criticality analysis
Maintain reliable offsite storage for disaster recovery
Develop emergency mode operation procedures
Deliver enterprise-wide, policy-based data protection solutions
Provide centralized monitoring of data protection processes, including hardware and software
Ensure existing hardware is utilized to its fullest possible extent
Wireless Brings its Own Set of Issues
A diverging set of client platforms
New management issues from both an end-user perspective (change management) and a technology perspective (wireless application architecture)
New security concerns with data access
New physical concerns with device locations
How Far Does Your Access Point Transmit?
Parts list
– Buying in bulk helps a lot. You probably won't be able to find a six-inch piece of all-thread, so buy the standard size (usually one or two feet) and a 10-pack of washers and nuts instead. Then, you'll have enough for two, for only about $10.
Tools required
– Ruler
– Scissors
– Pipe cutter (or hacksaw or dremel tool, in a pinch)
– Heavy-duty cutters (or dremel again, to cut the all-thread)
– Something sharp to pierce the plastic (like an awl or a drill bit)
– Hot glue gun
– Soldering iron
Construction time
– About an hour
…and then put them on the Internet?
Can Hackers Inventory Your Access Points?
Managing the Wireless LAN
Wireless LAN management
– Discover and map the access points
– Show signal strengths, health and alerts
– Show devices associated with each access point
– Provide remote administration, configuration and BIOS flash updates
– Deliver centralized access control management
Support for software distribution to handheld devices
Mobile Device Management
Mobile device management to manage wireless PDA devices
– Monitor PDA health and welfare: discovery, battery levels, OS versions, application versions and updates, available memory
– Asset management
– Software delivery
Manage WLAN at Each Site
Automatically discover all WLAN components
– APs and wireless devices
– Wired and over the air via agents and sensors
Automatically allocate appropriate channels to the APs to mitigate RF signal interference
Balance the number of connections on each access point to optimize throughput for each user
Provide centralized access control management
Visualize your WLAN site on a location-aware map
Wireless Site Management
Allow access only to authorized employees
– Specific device identification required for access
– Time-based access
Restrict connections only within a predefined access zone
– Users required to be in the “access zone” to connect to the WLAN
– If user steps out of the access zone, connection is dropped (even for authorized users)
Secure the Enterprise WLAN
Highwall Scout Antenna
How it works:
The Scout is eight directional antennae pointing in different directions.
It can report the location of the source of all wireless activity to the Highwall Sentinel.
One Highwall Sentinel with one 802.11a and one 802.11b/g scout can normally cover an entire 4- to 6-story building.
Distance is determined by the signal strength of the device.
The sector tells us the general direction; using neighboring sectors allows better accuracy.
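A worked version of the locating method just described, added here and not Highwall's or CA's code: the strongest of the eight sectors gives the rough bearing, its two neighbours refine it with a power-weighted circular mean, and signal strength gives range. The range step uses a log-distance path-loss model, which is an assumption (the slide only says distance follows signal strength); the reference level at 1 m and the exponent are placeholders that would need per-site calibration.

```python
import math

SECTORS = 8                    # the Scout has eight directional antennae
SECTOR_WIDTH = 360 / SECTORS   # each sector covers 45 degrees of bearing

def bearing_from_sectors(rssi_dbm):
    """Estimate the transmitter bearing in degrees (sector 0 = 0 degrees) from
    eight per-sector RSSI readings in dBm. The strongest sector gives the general
    direction; its two neighbours refine it with a weighted circular mean, the
    weights being linear power so a stronger neighbour pulls the estimate harder."""
    best = max(range(SECTORS), key=lambda i: rssi_dbm[i])
    idx = [(best - 1) % SECTORS, best, (best + 1) % SECTORS]   # wraps around 0
    weights = [10 ** (rssi_dbm[i] / 10) for i in idx]         # dBm -> milliwatts
    x = sum(w * math.cos(math.radians(i * SECTOR_WIDTH)) for w, i in zip(weights, idx))
    y = sum(w * math.sin(math.radians(i * SECTOR_WIDTH)) for w, i in zip(weights, idx))
    return math.degrees(math.atan2(y, x)) % 360

def distance_from_rssi(rssi_dbm, rssi_at_1m=-40.0, path_loss_exp=3.0):
    """Range in metres from signal strength via a log-distance path-loss model.
    This model is an assumption, not something the slide states; rssi_at_1m and
    the exponent are placeholders (indoor exponents are typically about 2.7 to 4)."""
    return 10 ** ((rssi_at_1m - rssi_dbm) / (10 * path_loss_exp))

# Constructed reading: strongest in sector 3 (135 deg) with equal neighbours.
SAMPLE_RSSI = [-90, -90, -60, -50, -60, -90, -90, -90]
```

A rogue access point or unexpected client located this way is then something a site team can walk to; in practice several Sentinel fixes from different positions are intersected rather than trusting one range estimate.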
Locate Wireless Source with Long Range Antenna
Manage the WLAN Enterprise
• Wireless LAN management
– Discover access points (wired and through the air)
– Show performance, health and alerts
– Show devices associated with each access point
– Propagate events to notify/correct issues
Summary
Compliance with the HIPAA Security Regulation is behind the desired schedule
Security within the healthcare provider market has improved, but still has a long way to go
Electronic defense is the most well-established component
Creating appropriate access controls and administrative compliance are both trailing
There is a recognized need for enabling technologies
Wireless LANs bring increased risk