Ensure HIPAA Compliance and Protect ePHI

The Health Insurance Portability and Accountability Act (HIPAA) Security Rule is focused on protecting the confidentiality, integrity, and availability of electronic protected health information (ePHI) that is created, received, maintained, or transmitted by a covered entity (CE) against reasonably anticipated threats, hazards, and impermissible uses and/or disclosures. Covered entities include covered healthcare providers, health plans, healthcare clearinghouses, and Medicare prescription drug card sponsors; business associates, while not themselves covered entities, are directly subject to the Security Rule under the HITECH Act (see below). By meeting the requirements set forth in the Security Rule for ePHI, CEs will also meet the ePHI safeguard requirements of the Privacy Rule.

To achieve compliance with the HIPAA Security Rule, CEs must adhere to six main sections, each consisting of several standards and implementation specifications:

  • Security Standards - General Rules – includes the general requirements all covered entities must meet to ensure reasonable and appropriate protection of ePHI.
  • Administrative Safeguards – defined as the "administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity's workforce in relation to the protection of that information." [1]
  • Physical Safeguards – defined as the "physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion." [2]
  • Technical Safeguards – defined as "the technology and the policy and procedures for its use that protect electronic protected health information and control access to it." [3]
  • Organizational Requirements – includes standards to ensure appropriate safeguards are in place at business associates and others with whom ePHI is shared. [4]
  • Policies and Procedures and Documentation Requirements – ensures that covered entities have formal plans (i.e., policies, procedures, and documentation) in place for the reasonable and appropriate implementation of ePHI security. [5]

The HIPAA Security Rule requirements were most recently expanded by the Health Information Technology for Economic and Clinical Health (HITECH) Act, which establishes mandatory federal security breach notification requirements and expanded criminal and civil penalties for non-compliance. Business associates of covered entities are now directly required to comply with the Security Rule.


Overview

Security Management Solutions from Lumension Help Covered Entities Protect ePHI and Ensure HIPAA Compliance

Security management software from Lumension addresses HIPAA Security Rule compliance challenges and enables covered entities to protect confidential electronic medical records and improve operational efficiencies.

These solutions include:

  • Lumension® Risk Manager - Comprehensive IT-GRC software that streamlines and automates audit workflows and IT risk management to provide visibility and continuous monitoring across the IT environment, supporting compliance with HIPAA as well as other pertinent regulations (e.g., PCI), mandates, and internal policies.
  • Lumension® Scan - Complete network-based scanning solution enables assessment and analysis of threats impacting all network devices.
  • Lumension® Patch and Remediation - Proactive management of threats through automated collection, analysis, and delivery of patches (all major operating systems and applications) across heterogeneous networks.
  • Lumension® Security Configuration Management - Proactive monitoring of security configurations.
  • Lumension® Content Wizard - Create custom remediation packages to address configuration issues, remove unauthorized files and applications, address zero-day threats, patch custom software and more.
  • Lumension® Enterprise Reporting - Robust data warehouse that enables easy creation and sharing of reports on all aspects of your remediation efforts in support of HIPAA compliance.
  • Lumension® Application Control - Policy-based enforcement of application use to secure your endpoints from malware, spyware and unwanted or unlicensed software.
  • Lumension® Device Control - Policy-based enforcement of removable device use to control the flow of inbound and outbound ePHI.
  • Lumension® AntiVirus - Protection from malware and zero-day threats via traditional signature matching capabilities as well as innovative DNA Matching, SandBox and Exploit Detection technologies.

Lumension solutions can help protect covered entities and their business associates against targeted attacks, prevent data loss or theft, enforce security policies, prepare for compliance audits, and lower the cost of IT security.


The Cost of Non-Compliance

HIPAA compliance is enforced by the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) on the civil side and by the Department of Justice (DOJ) on the criminal side. Under the original statute, civil penalties were not more than $100 for each violation and not more than $25,000 for all violations of an identical requirement during a single calendar year. [6] The HITECH Act (discussed below) replaced these amounts with a tiered structure carrying substantially higher maximums.

Knowingly obtaining or disclosing individually identifiable health information, or improperly using a unique health identifier, in violation of HIPAA is subject to the following criminal penalties (maximums per offense): [7]

  Offense                          Fine (up to)    Prison (up to)
  Knowingly                        $50,000         1 year
  Under false pretenses            $100,000        5 years
  For profit, gain, or harm        $250,000        10 years


HIPAA compliance is now being strictly enforced and the penalties for non-compliance are substantial. The recently signed stimulus package (the American Recovery and Reinvestment Act of 2009) contains significant additions to HIPAA via the HITECH Act. The new rules include a breach notification requirement, obliging covered entities to notify affected individuals of a breach of unsecured PHI and, when more than 500 residents of a state or jurisdiction are affected, to notify prominent media outlets as well; they also increase civil and criminal penalties.


Lumension® Solution Capabilities Mapped to HIPAA

The HIPAA Security Rule consists of three safeguard areas and two general requirement areas (Administrative Safeguards, Physical Safeguards, Technical Safeguards, Organizational Requirements, and Policies and Procedures and Documentation Requirements). In all, these encompass 22 Standards and 42 Implementation Specifications, of which 20 are "Required" and 22 are "Addressable". For a Required Implementation Specification, the covered entity must implement policies and/or procedures that meet the specification. For an Addressable Implementation Specification, the covered entity must assess whether the specification is a reasonable and appropriate safeguard in its environment; if it is, the entity must implement it, and if not, the entity must document why and implement an equivalent alternative measure where reasonable and appropriate. Standards that have no Implementation Specifications are themselves required.

The following matrix shows how Lumension's security management software solutions can help healthcare organizations address the Standards and Implementation Specifications found in the Administrative Safeguards, Physical Safeguards, Technical Safeguards, and Policies and Procedures and Documentation Requirements areas. The remaining area (Organizational Requirements), while important, is not covered, as Lumension does not provide additive value in this area for achieving compliance.


Key: each entry lists the Implementation Specification, whether it is R (Required) or A (Addressable), and how Lumension® helps. A standard shown with no implementation specification is itself required. N/A means Lumension® does not address that item.

Administrative Safeguards

164.308(a)(1) Security Management Process
  • Risk Analysis (R) – Understand your current risk profile
  • Risk Management (R) – Manage risks on / to your network
  • Sanction Policy (R) – N/A
  • Information System Activity Review (R) – Monitor system activity

164.308(a)(2) Assigned Security Responsibility
  • (no implementation specification) – N/A

164.308(a)(3) Workforce Security
  • Authorization and/or Supervision (A) – Use Lumension® Device Control to control data flows off your network, no matter where / when users are logged on
      • Control at user or group level
      • Can be tied to MS Active Directory or Novell eDirectory
  • Workforce Clearance Procedure (A) – Use Lumension® Device Control to prevent unauthorized employees from downloading / transferring data off your network
  • Termination Procedure (A) – Use Lumension® Device Control to prevent terminated employees from downloading / transferring data off your network

164.308(a)(4) Information Access Management
  • Isolating Healthcare Clearinghouse Functions (R) – N/A
  • Access Authorization (A) – Prevent unauthorized access
  • Access Establishment and Modification (A) – Monitor / manage access

164.308(a)(5) Security Awareness and Training
  • Security Reminders (A) – Provide customizable messages to end users when they attempt to contravene security policy
  • Protection from Malicious Software (A) – Protect your network from malware
  • Log-in Monitoring (A) – Look beyond network logins
  • Password Management (A) – Use Lumension® Device Control to enforce existing or new (strong) password usage
      • Implement at user or group level
      • Tied to existing MS Active Directory or Novell eDirectory

164.308(a)(6) Security Incident Procedures
  • Response and Reporting (R) – Prevent / report on potentially harmful incidents

164.308(a)(7) Contingency Plan
  • Data Backup Plan (R) – Use Lumension® Device Control to force encryption of data being taken / stored offsite to prevent unauthorized usage
  • Disaster Recovery Plan (R) – N/A
  • Emergency Mode Operation Plan (R) – N/A
  • Testing and Revision Procedure (A) – N/A
  • Applications and Data Criticality Analysis (A) – N/A

164.308(a)(8) Evaluation
  • (no implementation specification) – N/A

164.308(b)(1) Business Associate Contracts and Other Arrangements
  • Written Contract or Other Arrangement (R) – Use Lumension® Device Control to force encryption of data being sent to / used by third parties to prevent unauthorized usage

Physical Safeguards

164.310(a)(1) Facility Access Controls
  • Contingency Operations (A) – N/A
  • Facility Security Plan (A) – N/A
  • Access Control and Validation Procedures (A) – Control access based on user / machine rights and other factors
  • Maintenance Records (A) – N/A

164.310(b) Workstation Use
  • (no implementation specification) – Based on user / machine rights and other factors, ensure proper usage

164.310(c) Workstation Security
  • (no implementation specification) – Based on user / machine rights and other factors, restrict network / machine access

164.310(d)(1) Device and Media Controls
  • Disposal (R) – Use Lumension® Device Control to force encryption of data being saved onto removable devices / media to prevent unauthorized usage
  • Media Reuse (R) – Use Lumension® Device Control to track and force encryption of data being saved onto removable devices / media to prevent unauthorized usage
  • Accountability (A) – Use Lumension® Device Control to either track the filename or create a full copy of data being saved onto removable devices / media
  • Data Backup and Storage (A) – Use Lumension® Device Control to create a full copy of data being saved onto removable devices / media

Technical Safeguards

164.312(a)(1) Access Control
  • Unique User Identification (R) – Use Lumension® Device Control to control access to removable devices / media and applications
      • Based on user / machine rights and other factors
      • Based on existing MS Active Directory or Novell eDirectory structures
  • Emergency Access Procedure (R) – N/A
  • Automatic Logoff (A) – N/A
  • Encryption and Decryption (A) – Use Lumension® Device Control to force encryption of data being saved onto removable devices / media to prevent unauthorized usage

164.312(b) Audit Controls
  • (no implementation specification) – Monitor system activity

164.312(c)(1) Integrity
  • Mechanism to Authenticate Electronic Protected Health Information (A) – Use Lumension® Device Control to force encryption of data being saved onto removable devices / media to prevent unauthorized usage

164.312(d) Person or Entity Authentication
  • (no implementation specification) – Use Lumension® Device Control to control access to removable devices / media and applications
      • Based on user / machine rights and other factors
      • By existing MS Active Directory or Novell eDirectory structures

164.312(e)(1) Transmission Security
  • Integrity Controls (A) – Use Lumension® Device Control to track and force encryption of data being saved onto removable devices / media to prevent unauthorized usage
  • Encryption (A) – Use Lumension® Device Control to force encryption of data being saved onto removable devices / media to prevent unauthorized usage

Policies and Procedures and Documentation Requirements

164.316(a) Policies and Procedures
  • (no implementation specification) – Enforce your policies and procedures

164.316(b)(1) Documentation
  • Time Limit (R) – N/A
  • Availability (R) – N/A
  • Updates (R) – N/A