HIPAA

HIPAA / HITECH ACT



For organisations that are subject to the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”) and need to safeguard the Protected Health Information (PHI) of their clients, SecureNet Consulting provides solutions compliant with HIPAA / HITECH obligations.


Healthcare Security and Compliance solutions


Health Insurance Portability and Accountability Act (HIPAA)

Applies to organisations collecting, processing or storing medical information, specifically:


  • Health Care Providers
  • Health Plans
  • Health Clearinghouses
  • Medicare Prescription Drug Card Sponsors

Many organisations are under pressure to comply with HIPAA due to a number of process and organisational changes, for example:

Change: moving towards ACOs, EHRs, cloud services and mobile device adoption.

Risk: fines for data breaches and data violations, legal action and lawsuits: $50,000 per violation, with an annual maximum of $1.5 million.

Sufficient protection must be applied to all processes, devices and business associates that hold or have access to Protected Health Information (PHI).



A summary of key requirements is listed below:


1. Conduct an initial risk assessment, periodic reviews and reassessments.

2. Written security policy.

3. Designated security person.

4. Written incident handling policy.

5. Backup, Emergency Operations, and Disaster Recovery plan.

6. Reuse and disposal plan for reusable media.

7. Audit controls are required, including unique user identifiers.

8. Termination policy and procedures.

9. Implement user-level processes of least privilege.

10. Log/audit logins and logoffs.

11. Secure and authenticate before physical access to the facility and sensitive areas is granted.

12. Written usage policies by system type (laptop, desktop, server…).

13. Physical removal tracking and policy for all systems and data (including removable media).

14. Create an “exact copy” backup prior to moving data or systems.

15. Log out/disconnect inactive sessions.

16. Audit access to secure data.

17. Encrypt sensitive data.

18. Monitor and audit access and alterations to sensitive data.

19. Protect data in transmission.

20. Multi-factor authentication and/or non-repudiation.



Comply with regulatory mandates by safeguarding privileged accounts and providing the auditing and control necessary to address key HIPAA requirements:



45§164.308(1)(D)
Implement audit logs, access reports, and security incident tracking reports.

45§164.308(3)(i)
Prevent unauthorised members from obtaining access.

45§164.308(a)(3)
Implement policies and procedures that, based upon the entity’s access authorisation policies, establish, document, review, and modify a user’s right of access to a workstation, transaction, program, or process.

45§164.308(3)(B)
Implement procedures to determine that the access of a workforce member to electronic protected health information is appropriate.

45§164.308(3)(C)
Implement procedures for terminating access to electronic protected health information when the employment of a workforce member ends.

45§164.308(5)(C)
Implement procedures for monitoring log-in attempts and reporting discrepancies.

45§164.308(5)(D)
Implement procedures for creating, changing, and safeguarding passwords.

45§164.312(a)(1)
Allow access only to those persons or software programs that have been granted access rights.

45§164.312(2)(i)
Assign a unique name and/or number for identifying and tracking user identity.

45§164.312(2)(b)
Implement mechanisms that record and examine activity in information systems that contain or use electronic protected health information.

The solution hardens and auto-propagates secured privileged login credentials wherever they reside and provides a reliable audit trail documenting the requesters, systems and accounts, timeframes and purpose of each access request.

45§164.312(c)
Implement policies and procedures to protect electronic protected health information from improper alteration or destruction.

45§164.312(e)(1)
Implement security measures to ensure that electronically transmitted electronic protected health information is not improperly modified without detection until disposed of.

45§164.319(a)(1)
Implement procedures to control and validate a person’s access to facilities based on their role or function, including visitor control, and control of access to software programs for testing and revision.




Solution Features & Benefits



HIPAA section / Reference      Solution Required                     Requirement Level
High, Medium & Low Systems     Firewall                              Required
High & Medium Systems          IDS / IPS                             Strongly Recommended
16, 18                         Centralised Logging                   Strongly Recommended
1                              Baseline / Vulnerability Assessment   Required
High & Medium Systems          Patch Management                      24 Hours for Critical Updates
17, 19                         Encryption                            Required (for transmission of patient data)

(Numbers in the first column refer to the key requirements listed above.)

SecureNet Consulting provides solutions for all of the above and addresses the further HIPAA mandates outlined below on this page.


> Support the entire clinical environment. Solutions compatible with all applications, hardware and OS platforms.

> Data Protection and Management for Healthcare

> Ensure health record data does not leave specific geographical locations.

> Centralised data management solutions

Take away the pain of running disparate and separate solutions.



> Data Backup & Recovery
Data backup and file-level disaster recovery in minutes, not hours or days.
  • Safeguard data on missing devices.
  • Monitor endpoint data.
  • Complete data privacy.


> Encrypt Cloud Backup Data

Create, receive and transmit only encrypted data, using a three-tiered AES encryption system that encrypts data on the user’s computer, again in transit, and finally at rest in storage in the cloud provider’s datacenters.

This data cannot be read while in transit, or even on the service provider’s servers (provided the user/health care provider does not compromise the password).

Supplier servers are located in SAS 70 Type II datacenters protected by gated access, 24 x 7 x 365 on-site staffed security and technicians, electronic card key access, and strategically placed security cameras both inside and outside the building.

Cloud solution hosts provide offsite backup and protect data against hardware malfunction, accidental deletion, virus attacks, theft and natural disasters.



> Data Archiving

> Data Deduplication

> eDiscovery and compliance

> Map out where all of your sensitive data resides

  • Inventory of personally identifiable information (PII).
  • Electronic health records.

> File Sync

When a manager leaves his or her device at home, he or she can still access data instantly. The benefits are obvious to users.



> Granular permission controls

> Tamper-proof audit trails

> Provide a complete Audit trail

Avoid fines for being unable to provide an audit of anti-fraud, document and patient record changes.

> Managed Services

Managed Security Services

Healthcare organisations can partner with Managed Security Services as their remote security team. Healthcare security administrators can leverage a global network of Security Operation Centres (SOCs), security experts, best practices, information correlation capabilities and global threat intelligence to ensure that systems processing or containing ePHI are protected against cyber-security threats.

- Training & knowledge transfer

- Security Operation Centres hold both SAS70 Type II and ISO27001 certification.

- Administrative Safeguards

Administrative Safeguards include procedural controls around:


  • Security Management
  • Assigned Security Responsibilities
  • Information Access Management
  • Security Awareness Training
  • Security Incident Procedures
  • Contingency Planning


- Business continuity and disaster recovery with a global redundant infrastructure that provides failover across Managed Security Services for SOCs worldwide.



> Endpoint Protection

To combat data breach risks, highly regulated organisations need an endpoint data protection solution with the right features to address the administrative, physical and technical safeguards defined in the Security Rule at 45 CFR §164.304.

Protect against data loss and breach, ensure data privacy, and allow for data governance on endpoints so that only those with appropriate security clearance are able to access PHI.



> Mobile Control



  • Secure, monitor and control the configuration of smartphones and handhelds, including Apple iPhones and iPads, Google Android and Windows Mobile devices.
  • Prevent compliance violations from leaked PHI.
  • Remotely wipe lost or stolen devices holding confidential data.
  • Enforce a strong-password policy for access to devices.


> Secure Mobile Access for Collaborative Patient Care

A secure, audit-logged mobile app gives users anywhere access to protected information across the organisation, enhancing collaborative care and patient outcomes.




> Email
  • Block malware and spam.
  • Encryption of sensitive data within email.
  • Content-aware data loss prevention.
  • Email is encrypted during transit and can be easily decrypted by the recipient without installing additional software.
  • Data Loss Prevention provides detection of PHI, FDA-approved drugs, and ICD-9 classified drugs.



  


> Performance test healthcare web applications without the risk of recording or capturing sensitive personal health data


> HIPAA Security Rule

The Security Rule applies to PHI in electronic form, whether transmitted by or maintained on electronic media. Covered entities that maintain or transmit protected health information are required by the Security Rule (see 45 CFR §164.306) to:


  • Ensure the confidentiality, integrity, and availability of all EPHI data
  • Protect against any threats or hazards to the security or integrity of such information
  • Protect against any uses or disclosures of such information that are not permitted
  • Institute a contingency plan for an emergency that results in a major data loss


More than 750,000 individuals’ PHI was breached in the first six months of 2014.

 

Securing Endpoint Devices

These requirements become harder to satisfy as users increasingly access EPHI on endpoint devices.

This means that if an endpoint device is lost, stolen or otherwise compromised, whether deliberately or inadvertently, a substantial amount of data will be rendered inaccessible, thus breaching the Security Rule.




> Encryption

PHI End-to-end File Encryption


End-to-end network file and file-share encryption automates file encryption and controls employee access to PHI files, stopping external threats and internal leaks.

It ensures that PHI files remain encrypted on servers, across networks and when stored on end-user PCs until the moment authorised users choose to open the files.



Data-at-Rest Encryption

Cloud-based solutions should encrypt data at rest with both 256-bit AES and a two-factor encryption mechanism.
This ensures that no entity outside the customer (including the solution provider) has the ability to decrypt or gain access to PHI data without the knowledge or consent of the customer, effectively reducing the risk of unauthorised access.

This approach is modelled after a bank safety deposit box, wherein the bank and the customer each retain separate keys and the box cannot be accessed with just one of the keys.

  • Full disk encryption for PCs and MACs (laptops, desktops).
  • Encryption of all types of removable media, and port control of physical and wireless ports on PCs for data leak prevention.
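As an added illustration of the two-key model described above (example code, not SecureNet’s or any vendor’s), the following Go program derives the AES-256 key from a customer share and a provider share, so a record can only be opened when both are present; the share names, the key-derivation label and the use of SHA-256 in place of a full KDF are assumptions for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"io"
)

// splitKey derives the AES-256 key from both shares so that neither the
// customer nor the provider can rebuild it alone (the "two keys to one box"
// model). Domain-separated SHA-256 stands in for a real KDF such as HKDF.
func splitKey(customerShare, providerShare []byte) []byte {
	h := sha256.New()
	h.Write([]byte("phi-at-rest-key-v1")) // assumed label for domain separation
	h.Write(customerShare)
	h.Write(providerShare)
	return h.Sum(nil)
}

// gcm builds AES-256-GCM, which gives integrity as well as confidentiality:
// a record opened with the wrong key fails instead of yielding garbage.
func gcm(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt seals one PHI record under the split key with a fresh random nonce;
// a fresh nonce per record is mandatory because the key is reused.
func Encrypt(phi, customerShare, providerShare []byte) (nonce, ct []byte, err error) {
	a, err := gcm(splitKey(customerShare, providerShare))
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, a.NonceSize())
	if _, err = io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, nil, err
	}
	return nonce, a.Seal(nil, nonce, phi, nil), nil
}

// Decrypt needs both shares; any single share yields a different key and the
// GCM tag check rejects the record.
func Decrypt(nonce, ct, customerShare, providerShare []byte) ([]byte, error) {
	a, err := gcm(splitKey(customerShare, providerShare))
	if err != nil {
		return nil, err
	}
	return a.Open(nil, nonce, ct, nil)
}

// NewShare returns a random 256-bit key share for one party.
func NewShare() ([]byte, error) {
	s := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, s)
	return s, err
}
```

A production design would normally wrap a per-record data key under this split key rather than encrypting records with it directly, so that a share can be rotated without re-encrypting the stored data.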


Encryption: Data-in-Transit

The solution should encrypt data in transit with industry-standard TLS using 256-bit encryption to ensure secure transmission. If the company is backing up its endpoints to the cloud, every client should securely authenticate with its solution provider before ever transmitting any data, including profile configurations. Having a secure channel ensures that all data is protected while in transit and reduces the risk of anyone intercepting PHI data transmitted over public networks.





> Cryptographic Key Storage
 

Store and manage all cryptographic keys, certificates, configuration files, and any other “opaque object” an enterprise maintains to secure its most sensitive data.


> Remote Wipe / Auto-Delete

The solution should have the ability to remotely and immediately decommission a device when potential PHI data is in jeopardy of unauthorised access. If a device is suspected of being compromised, a remote wipe command can be issued, immediately removing all protected information from the device. The solution should also allow a device to be automatically decommissioned and wiped if it does not “check in” with the solution system within a specific number of days, adding an extra layer of protection to the device when it’s off-network.



> Continuous Data Protection (CDP)

At a minimum, an endpoint data protection solution needs to allow an end user to create and maintain exact copies of EPHI and recover that data when a device is lost, stolen or simply malfunctions. Whether taking measures for a contingency plan or trying to enable better business functions, a reliable endpoint backup solution is essential. A risk management solution that offers automated and continuous data protection will enable more comprehensive recovery capabilities. Automation reduces human error such as forgetting to back up data and provides continuous data protection. This enables users to restore data to the most recent instance possible.


HIPAA Privacy Rule


The HIPAA Privacy Rule establishes national standards to protect individuals’ medical records and other personal health information that applies to health plans, healthcare clearinghouses, and those health care providers that conduct certain health care transactions electronically.

The rule requires appropriate privacy protection for personal health information and sets conditions on the uses and disclosures that may be made of such information without patient authorisation. The rule also gives patients rights over their health information, including rights to examine and obtain copies of their health records and to request corrections.

Business Associates are also directly liable for uses and disclosures of PHI that are not covered under their Business Associate Agreement (BAA) or the HIPAA Privacy Rule itself, and the Privacy Rule requires Business Associates to:


  1. Prohibit impermissible uses or disclosures of PHI.
  2. Provide breach notification to the Covered Entity.
  3. Provide either the individual or the Covered Entity access to PHI.
  4. Disclose PHI to the Secretary of HHS, if compelled to do so.
  5. Provide an accounting of disclosures.
  6. Comply with the requirements of the HIPAA Security Rule.

Because HIPAA-covered companies are held to an even higher standard of data privacy, they need a Business Associate with a solution that provides exceptional safeguards for the privacy and accessibility of PHI. While 45 CFR §164.304(b) gives companies flexibility in choosing the type of technology used to enforce compliance, all endpoint solutions should have granular controls over data accessibility and provide complete data privacy and anonymity, no matter where the data resides.

Controlled access by authorised personnel only

The solution should have comprehensive and easily managed policy settings that only allow authorised users and designated admins with the right level of clearance to access the minimum data needed to perform job functions. Users should also be granted privacy controls that enable them to restrict access to their data - even by admins - as a higher level of PHI protection. As unauthorised access is a compliance violation under HIPAA, having multiple safeguards provides greater control and visibility into potential data risks, especially by allowing only authorised access and by providing full monitoring and reporting capabilities.



Integrated disablement of user access

The solution should be integrated with an identity provider system (SSO/SAML) and Microsoft’s Active Directory so that when a user is removed or deactivated, the solution provider will reflect that change automatically. An integrated solution ensures that only authenticated entities can access or restore data; non-authenticated entities can be automatically blocked, thus reducing the risk of unauthorised access to PHI data.



Geofencing: Blocking access from unauthorised IP addresses

The solution should allow access levels to be determined by geographic IP ranges or by discrete domains to limit who can access the data solution system based on where that user is accessing data. Having the ability to control access via geographic IP and to block unauthorised domains provides organisations with full visibility into how data is accessed, and significantly mitigates the risk of unauthorised access to potential PHI data.



Authentication for data restore requests

The solution should offer both device-level authentication and a further layer of authentication at the solution provider level when a user attempts to restore data. Two layers of authentication help verify that the user requesting a data restore is authorised and has successfully proven their identity with their credentials. This reduces the risk of unauthorised persons gaining access to PHI data.





HIPAA Enforcement and Breach Notification Rules


The HIPAA Breach Notification Rule, 45 CFR §§ 164.400-414, requires entities and their business associates to provide notification following a breach of unsecured PHI. Similar breach notification provisions implemented and enforced by the Federal Trade Commission (FTC) apply to vendors of personal health records and their third-party service providers, pursuant to section 13407 of the HITECH Act.

The HIPAA Enforcement Rule contains provisions relating to compliance and investigations, as well as financial penalties for violations of the HIPAA Administrative Simplification Rules and procedures for hearings. The HIPAA Enforcement Rule is codified at 45 CFR Part 160, Subparts C, D, and E.


With strengthened enforcement standards post-HITECH, it’s more critical now than ever for companies to provide accurate, timely notification upon a potential breach and to aid in investigations. Otherwise, they risk hefty financial penalties and negative publicity. For example, a pharma researcher forgets her laptop on a train but is able to find it after two hours. Although the chances are that no one accessed the laptop during that time, the pharma company still needs to report that, for two hours, it did not know the laptop’s location or whether the data on it was secure. Even the mere possibility of a potential breach exposes an organisation to negative publicity. This is why an endpoint data protection solution built with audit readiness in mind is essential for data governance.

These are the data governance features to look for in an endpoint backup solution: 



Delegated administration

The solution should enable customers to have granular permission controls into access authorisation by administrators, not just users. Only administrators with the proper authorisation to work with such data should be granted access to administer users with the same authorisation. This will reduce the risk of unauthorised persons gaining access to such data.



Geo-Location / Tracking

The solution should allow endpoint device tracking so that a device suspected of being lost or stolen can be identified and located, reducing the risk of misappropriation of PHI data. A device with tracking enabled is able to leverage a number of mechanisms, such as WiFi network names and IP addresses, to help identify its approximate location in the event of loss or theft.


Tamper-proof audit trails

The solution should record unalterable audit trails for both end users and administrators. Audit trails contain details that trace the history of the data. Having trace and audit trail search functionality enables organisations to better assess risk potential for data and to monitor and investigate suspicious system usage or access - necessary components for conducting and validating compliance programs.
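As an added example, not part of the original page or of any product, the following Go code shows one way an audit trail is made tamper-evident: each entry carries an HMAC over its own fields and the previous entry’s hash, so an entry edited, deleted or reordered after the fact is detected on verification. The record layout, field names and key handling are assumptions for this example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

// Entry is one audit record: who did what to which PHI object, and when.
// Constructed layout for this example, not a product format.
type Entry struct {
	Seq       int
	Timestamp string // RFC 3339 text, kept as a string so hashing is deterministic
	Actor     string // unique user or admin identifier (cf. 45§164.312(2)(i))
	Action    string // e.g. READ, UPDATE, RESTORE, WIPE
	Object    string // record or device identifier
	PrevHash  string // hex chain value of the previous entry
	Hash      string // hex HMAC-SHA256 over this entry's fields plus PrevHash
}

// AuditLog is an append-only chain. The HMAC key is held by the log service
// (ideally in the key store described on this page); anyone altering or
// deleting an entry without it cannot recompute valid hashes.
type AuditLog struct {
	key     []byte
	Entries []Entry
}

func NewAuditLog(key []byte) *AuditLog { return &AuditLog{key: key} }

// canonical fixes the field order so the same entry always hashes the same way.
func canonical(e Entry) string {
	return fmt.Sprintf("%d|%s|%s|%s|%s|%s", e.Seq, e.Timestamp, e.Actor, e.Action, e.Object, e.PrevHash)
}

func (l *AuditLog) mac(e Entry) string {
	m := hmac.New(sha256.New, l.key)
	m.Write([]byte(canonical(e)))
	return hex.EncodeToString(m.Sum(nil))
}

// Append links the new entry to the previous entry's hash.
func (l *AuditLog) Append(ts, actor, action, object string) {
	prev := strings.Repeat("0", 64) // genesis value for the first entry
	if n := len(l.Entries); n > 0 {
		prev = l.Entries[n-1].Hash
	}
	e := Entry{Seq: len(l.Entries), Timestamp: ts, Actor: actor, Action: action, Object: object, PrevHash: prev}
	e.Hash = l.mac(e)
	l.Entries = append(l.Entries, e)
}

// Verify walks the chain and returns the index of the first bad entry, or -1 if intact.
// Any edit, deletion or reordering breaks the link at that point; silently dropping
// the newest entries is only caught if the latest hash is also anchored externally.
func (l *AuditLog) Verify() int {
	prev := strings.Repeat("0", 64)
	for i, e := range l.Entries {
		if e.Seq != i || e.PrevHash != prev || !hmac.Equal([]byte(e.Hash), []byte(l.mac(e))) {
			return i
		}
		prev = e.Hash
	}
	return -1
}
```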




Maintaining HIPAA-Compliance Regardless of Deployment 

The solution provider needs to be HIPAA/HITECH compliant and ready to enter into a BAA on behalf of the customer. In addition, the solution should have the flexibility to implement on-premise or cloud deployments based on the customer’s need and maintain appropriate safeguards whether data is stored on-premise or in the cloud.

For solution providers backing up endpoint data to the cloud, the cloud infrastructure provider should meet high security standards, including redundant global data centres and industry-leading enterprise level SLAs. 

  • Partner with a business associate compliant with HIPAA/HITECH obligations.
    When choosing a vendor, it is also important for the solution provider to have passed independent review validating the company’s security and privacy controls for handling PHI in a HIPAA-compliant manner. This way, the customer is assured that the solution provider will:
    • Not use or disclose PHI other than as permitted or required by the BAA or as required by law.
    • Use appropriate safeguards to prevent use or disclosure of the PHI other than as provided for by the BAA.
    • Mitigate, to the extent practical, any harmful effect that is known to the vendor of a use or disclosure of PHI by the vendor in violation of the requirements of the BAA.
    • Report to the Covered Entity any use or disclosure of the PHI not provided for by the BAA of which it becomes aware.
    • Ensure that its agents, including subcontractors, to whom it provides PHI agree to the same restrictions and conditions that apply to the BAA.
    • Make its internal practices, books and records relating to the use and disclosure of PHI received from the Covered Entity available to the HHS Secretary for determining the Covered Entity’s compliance with HIPAA.
  • Cloud deployment with a compliant service.
    For organisations interested in a cloud-based service, look for a provider with an audited environment that validates its security and privacy controls for handling PHI. This ensures all levels of the technology stack meet the guidelines required by HIPAA/HITECH. The cloud infrastructure should also be scalable, with multiple layers of operational and physical security.
    In addition, the cloud provider should have secure and extensively documented procedures to ensure adherence to industry best practices for operation and management of cloud computing solutions, such as SOC 1 (includes SAS-70 Type II, SSAE-16), and a backup vendor whose cloud operations are ISAE 3000 Type II-certified.
    This adherence should apply across all services offered by the solution provider to ensure customer data is never shared with or accessible by another customer within the system.
  • On-premise deployment.
    Organisations that prefer not to use a cloud-based service should select a provider offering on-premise solutions, enabling them to leverage their own internal data centres for storage of PHI data.





Contact us today to discuss your requirements in more detail.



P: +44(0)7714 209927

S: +44(0)1273 329753

info@securenetconsulting.co.uk