The Health Insurance Portability and Accountability Act (HIPAA) of 1996 has driven many changes in U.S. healthcare over the last decade. Combined with the Health Information Technology for Economic and Clinical Health (HITECH) Act of 2009, it requires organizations that handle electronic Protected Health Information (ePHI, also referred to as “the information” in this document) to put technical controls in place to ensure the security and privacy of patient data, or face consequences ranging from public acknowledgement of the data exposure and steep fines (currently up to $1.5 million per calendar year for violations of a single requirement) to the loss of government payments for care (such as from Medicare or Medicaid).
AlertSec provides a solid foundation on which you can build your compliance program. Today, most organizations that deal with medical information use some sort of electronic healthcare system that combines the many facets of patient care, from intake and visits to follow-up care and billing, and these systems are generally designed for compliance. To provide complete coverage of the technical protection of ePHI needed for HIPAA compliance, however, you need to protect more than just the healthcare system itself. Any system on which patient data could be accessed or stored must be protected, and this is where the AlertSec Service plays a critical part.
AlertSec Service features:
- Protect – Safeguard all ePHI on computers and removable media (USB sticks/drives etc.)
- Comply – with HIPAA and HITECH Enforcement Rule through Policy Control
- Manage – Deploy and monitor compliance through a cloud management tool
Building HIPAA Compliance
When approaching HIPAA compliance for your organization it is important to look at your overall compliance “story”. HIPAA and HITECH lay out the penalties for ePHI disclosure but also provide a Safe Harbor from breach notification when certain conditions are met, principally that the ePHI was encrypted in a manner consistent with HHS guidance and the decryption key was not compromised along with the data.
To claim an affirmative defense against penalties, the key is to be able to show the overall compliance coverage within your organization, explaining the Administrative, Physical and Technical Safeguards you have put in place to protect the information.
Both HIPAA and HITECH are more about what you need to do and what you need to protect than about how to do it. As a result, ensuring your organization is compliant can be complicated. The complexity of the systems involved in today’s highly technical medical settings means there is no silver-bullet solution that can address all your compliance concerns. Instead you must diligently select components with the goal of protecting every system that accesses or stores patient data, so that you can ensure the security and privacy of your patient information.
In hospitals, pharmacies and other healthcare organizations, doctors and other staff often use mobile devices to access ePHI at work in the practice, at remote sites (such as a partner facility or a patient’s home) or after hours (such as when working from home). Central or cloud-based healthcare systems are generally designed to be compliant, but they do not protect ePHI that is downloaded to or stored on devices such as laptops, or even on office desktops that never leave the building.
Who Needs to be HIPAA Compliant
If you store or access any information that could be classified as ePHI, you are subject to the requirements of HIPAA and HITECH. Clearly that includes organizations such as hospitals, doctors’ offices and pharmacies, but it also covers other organizations, for example companies that perform billing services, or IT services such as cloud-hosted email or patient portals. Any system that can touch ePHI needs to be HIPAA compliant.
If a HIPAA covered organization (a Covered Entity) engages a business associate to help carry out its health care activities and functions, there should be a Business Associate Agreement (BAA) between the two organizations. So if you have a signed BAA, then your business is also subject to HIPAA requirements for data protection.
HIPAA Rules
There are three main rule sets that come into play for HIPAA compliance: the Administrative Rules, the Privacy Rules and the Security Rules.
Administrative Rules
The Administrative Rules cover the general policies and procedures regarding the securing of information. In some cases these may be borderline technical requirements, like the requirement to guard against malicious software, but the administrative rules are really focused on establishing security best practices as a baseline for the Privacy and Security Rules to build on.
Privacy Rules
The Privacy Rules focus on ensuring that PHI is protected from exposure outside the proper confines of use. These rules state the permitted uses and disclosures of PHI, regardless of the format (for example, paper, oral or electronic) and the types of controls that must be enforced for their protection.
Security Rules
The Security Rules focus on what safeguards must be in place. The Security Rules are divided into Administrative (section 164.308), Physical (section 164.310) and Technical Safeguards (section 164.312) to protect ePHI. The Security Rules are written so that they provide flexibility in implementation whilst ensuring the overall goals of ePHI protection are met.
When combined, these rules detail what needs to be protected and provide guidance about the minimum requirements for protection.
AlertSec HIPAA Safeguards
The AlertSec Service provides a solid foundation for compliance with HIPAA requirements. With the AlertSec Service you are able to provide many of the Administrative Safeguards required in section 164.308 and most of the Technical Safeguards required in section 164.312. It is important to understand that full HIPAA compliance for all systems will require combining AlertSec with other tools to build a complete compliance picture.
Section 164.308 Administrative Safeguards (a)(1) Standard: Security Management Process
The AlertSec Service can assist with the following Security Management Process requirements:
| Specification | Description | AlertSec Support |
|---|---|---|
| Risk Management (Required) | Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level | The AlertSec Service provides multiple modules to secure computers against many types of risk. |
| Information System Activity Review (Required) | Records of system activity (such as audit logs and access reports) must be reviewed regularly for activity that could be malicious | The AlertSec Service provides audit records for all its services; these form part of the activity record that must be monitored. |
Section 164.308 Administrative Safeguards (a)(5) Standard: Security Awareness and Training
The AlertSec Service can help address the following Security Awareness and Training implementation specifications:
| Specification | Description | AlertSec Support |
|---|---|---|
| Protection from Malicious Software (Addressable) | Procedures for guarding against, detecting and reporting malicious software | The AlertSec Anti-Malware service provides protection against malicious applications. |
| Log-in Monitoring (Addressable) | Procedures for monitoring log-in attempts and reporting discrepancies | The AlertSec Service provides audit records for all authentication attempts against AlertSec FDE pre-boot authentication and the Windows lock screen. |
| Password Management (Addressable) | Procedures for creating, changing and safeguarding passwords | The AlertSec Service provides password management capabilities to enforce strong passwords and scheduled password changes. |
Section 164.312 Technical Safeguards (a)(1) Standard: Access Control
| Specification | Description | AlertSec Support |
|---|---|---|
| Unique User Identification (Required) | Each user must be uniquely identified relative to every other user | With AlertSec FDE, each user can be configured to log in with a unique account. |
| Emergency Access Procedure (Required) | There must be a capability to obtain necessary ePHI in an emergency | Administrator access can be used to ensure the system or media is accessible in an emergency when regular users are not available. |
| Automatic Logoff (Addressable) | The system should automatically terminate or lock the session after a period of inactivity | AlertSec FDE can be configured to automatically lock the system after a pre-defined period of inactivity. |
| Encryption and Decryption (Addressable) | Data should be encrypted so that only authorized users can access it | AlertSec FDE encrypts the entire drive on the PC and only allows authenticated users access to the OS, applications or data on it. AlertSec Media Encryption allows the secure use of removable media by enforcing encryption of any data stored to the media. AlertSec Port Control can block access to removable media, ensuring that ePHI cannot leave the system and also preventing potentially malicious applications on removable media from gaining access to the system. |
Section 164.312(b) Standard: Audit Controls
The Audit Controls requirement specifies that activity in systems that contain or use ePHI must be recorded and examined. The AlertSec Service does not directly protect the ePHI application, but it does support the requirement for audit records relating to activity on the systems where the protected information is accessed. The AlertSec Service records every authentication attempt and access to the system itself, so you can review when a system or device was used (based on successful logins) as well as attempts to gain access (based on authentication failures).
This information is supplemental to the application-level audit trail of ePHI access that HIPAA requires; it does not replace logging inside the EHR or other ePHI applications. The additional records provided by the AlertSec Service broaden the coverage story for your compliance efforts and strengthen your position when claiming an affirmative defense (as explained under Safe Harbor in the Building HIPAA Compliance section above).
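The Log-in Monitoring and Audit Controls requirements above are only met if someone actually reviews the authentication records. The following added example (written for this page, not AlertSec code) replays a set of constructed endpoint authentication records and produces the three things a reviewer wants: which devices were used and by whom (successful logins), how many failures each account accumulated, and which accounts tripped the five-consecutive-failure lockout described under Password management later on this page. The `ts host=... user=... event=... result=...` line format, the host and user names, and the `review` and `parse_record` helpers are all assumptions made for the illustration; AlertSec's real record format is not shown on this page.

```python
"""Review endpoint authentication audit records for Log-in Monitoring.

Added example; this is not AlertSec code and the line format below is an
assumption made for the illustration. The lockout threshold mirrors the
five-failed-attempt policy described on this page.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

LOCKOUT_THRESHOLD = 5  # "five failed login attempts" policy from the page

# Constructed sample records (not real data). One record per line:
# <timestamp> host=<device> user=<account> event=<auth point> result=<success|failure>
SAMPLE_LOG = """\
2019-03-04T08:01:12Z host=LAP-0042 user=jsmith event=preboot_auth result=success
2019-03-04T08:03:40Z host=LAP-0042 user=jsmith event=lockscreen_auth result=failure
2019-03-04T08:03:52Z host=LAP-0042 user=jsmith event=lockscreen_auth result=success
2019-03-04T21:15:03Z host=LAP-0107 user=rdoe event=preboot_auth result=failure
2019-03-04T21:15:20Z host=LAP-0107 user=rdoe event=preboot_auth result=failure
2019-03-04T21:15:41Z host=LAP-0107 user=rdoe event=preboot_auth result=failure
2019-03-04T21:16:02Z host=LAP-0107 user=rdoe event=preboot_auth result=failure
2019-03-04T21:16:30Z host=LAP-0107 user=rdoe event=preboot_auth result=failure
2019-03-04T21:16:55Z host=LAP-0107 user=rdoe event=preboot_auth result=failure
2019-03-05T07:58:10Z host=LAP-0042 user=jsmith event=preboot_auth result=success
"""

Account = Tuple[str, str]  # (host, user)


@dataclass
class AccountState:
    consecutive_failures: int = 0
    total_failures: int = 0
    locked_at: Optional[str] = None


def parse_record(line: str) -> Dict[str, str]:
    """Split one 'ts key=value ...' line into a dict; raise on malformed input."""
    ts, *pairs = line.split()
    fields = dict(pair.split("=", 1) for pair in pairs)
    for required in ("host", "user", "result"):
        if required not in fields:
            raise ValueError(f"missing {required!r} in record: {line!r}")
    fields["ts"] = ts
    return fields


def review(log_text: str, threshold: int = LOCKOUT_THRESHOLD) -> Dict[str, object]:
    """Replay records in order and report device usage, failures, lockouts and anomalies."""
    state: Dict[Account, AccountState] = defaultdict(AccountState)
    device_usage: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    findings: List[str] = []

    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        key = (rec["host"], rec["user"])
        acct = state[key]

        if acct.locked_at is not None:
            # Policy says this account is locked; any further attempt deserves a look.
            findings.append(f"{rec['ts']} attempt on locked account {rec['user']}@{rec['host']}")
            continue

        if rec["result"] == "success":
            acct.consecutive_failures = 0  # a success resets the lockout counter
            device_usage[rec["host"]].append((rec["ts"], rec["user"]))
        else:
            acct.consecutive_failures += 1
            acct.total_failures += 1
            if acct.consecutive_failures >= threshold:
                acct.locked_at = rec["ts"]
                findings.append(
                    f"{rec['ts']} lockout {rec['user']}@{rec['host']} "
                    f"after {threshold} consecutive failures"
                )

    return {
        "device_usage": dict(device_usage),
        "failures": {k: v.total_failures for k, v in state.items()},
        "locked": [k for k, v in state.items() if v.locked_at is not None],
        "findings": findings,
    }


if __name__ == "__main__":
    report = review(SAMPLE_LOG)
    for host, logins in sorted(report["device_usage"].items()):
        print(f"{host}: {len(logins)} successful logins, last {logins[-1][0]} by {logins[-1][1]}")
    for finding in report["findings"]:
        print("FINDING:", finding)
```

Two details matter for the review rather than for the code: a success resets the consecutive-failure counter (so a user who mistypes once is not on the path to lockout for the rest of the day), and an attempt against an account the policy says is already locked is reported separately, because it indicates either that the enforcement on the device differs from the policy you believe is in force or that someone kept trying after the lockout.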
Section 164.312(d) Standard: Person or Entity Authentication
The Person or Entity Authentication requirement specifies that, in addition to each user having a unique identifier (as required under Access Control), the identity of the person or entity seeking access must be verified with credentials paired with that identifier. In practical terms, this means a user has to present a password (or token, biometric, etc.) to prove their identity.
AlertSec FDE and AlertSec Media Encryption both require the user to authenticate with a username and password before the system or any encrypted media can be accessed, providing assurance about who is operating the device on which applications dealing with ePHI run.
AlertSec Service Features
The AlertSec Service provides compliance security as a service. Instead of requiring the purchase of several individual components and needing to manage them separately, the AlertSec Service provides a single, comprehensive, policy based, cloud-managed package of vital components to secure and make your systems compliant. The following compliance modules are available:
| Compliance Module | Description |
|---|---|
| Full Disk Encryption (FDE) | Automatic encryption for any digital personal or sensitive data on the computer. Ensures that only authorized users can access data on protected computers. AES-256 encryption for maximum protection, certified to FIPS 140-2, Common Criteria EAL4 and BITS. |
| Media Encryption/Port Control | Media Encryption automatically encrypts any data stored on removable storage media such as USB sticks and external hard drives, based on policy. Data remains transparent to authorized users. Enables secure data sharing with other authorized users. Port Control prevents use of unknown or unauthorized media on the computer, helping to prevent insecure movement of personal or sensitive data. |
| Compliance Check | Scans and checks all endpoints for compliance with pre-defined security policies, enabling demonstration of security software deployment and management of software update installation compliance. |
| Anti-Malware/Program Control | Malware detection and prevention using signatures, behavior blockers and heuristic analysis. Anti-Malware defends against all malware groups (trojans, viruses, spyware, adware, worms, rootkits, phishing) and provides a more complete solution than anti-virus programs. Policy-controlled Program (application) Control can be configured to limit the applications that can run on the system to those that have been explicitly approved, helping to prevent threats to data integrity. |
| Firewall | Proactive policy-based protection: the firewall blocks targeted attacks and stops unwanted traffic, keeping data and systems safe. |
| Encryption for third parties – ACCESS | Monitors and enforces encryption policies across third-party data processor service providers. Enables audit of encryption management and compliance by third parties trusted with accessing and handling sensitive and nonpublic information. |
| Two-factor authentication for administrators | Additional security for privileged administrator accounts on the AlertSec admin console, helping to prevent unauthorized access or changes to security policies. |
| Pre-boot authentication | Ensures that only authorized users are allowed access to personal or sensitive data stored on the device. Prevents anything being read from the hard disk, including the operating system, until the user has provided valid login credentials. |
| Password management | Automatic locking of a user account after five failed login attempts, preventing unauthorized access. AlertSec helpdesk processes for password reset and data recovery are designed to ensure devices are unlocked only for the authorized user. |
| Software development and support | AlertSec manages the ongoing development and release of security software updates to maintain maximum protection. Regular customer communications about security risks and good practice support employee training and security policy assessments. |
Summary
The AlertSec Service provides a solid foundation for building a complete ePHI security solution around your Electronic Health Record (EHR) system. The HIPAA Act does not expect a single application or service to provide all the safeguards necessary to protect the information, and therefore gives an organization the flexibility to design a complete security infrastructure from components that best meet its needs.
With the AlertSec Service your organization can secure its endpoint devices, providing a layer of technical security around ePHI that is unobtrusive whilst also being highly effective. By minimizing the possibility of unsecured access on endpoint devices, AlertSec helps you qualify for Safe Harbor: ePHI that is encrypted in line with HHS guidance is not “unsecured” ePHI, so the loss or theft of such a device does not by itself trigger the breach notifications that would otherwise be mandatory. Complete encryption of ePHI, as provided by AlertSec, is considered a primary way to achieve Safe Harbor. Note that this protection applies to data at rest: an unlocked, logged-in device is not covered, which is why pre-boot authentication and automatic locking after inactivity matter alongside the encryption itself, and the decryption key (or a password that yields it) must not be lost with the device.
Implementing AlertSec FDE on endpoint devices within your organization ensures that any copies of ePHI, such as offline copies for remote work, data in Word® or Excel® documents, or cached data from applications, are secured at rest on the endpoint device. AlertSec Media Encryption enables your organization to use removable media securely when transporting ePHI between systems (for example, when large volumes of data need to be backed up or delivered directly to another location, or where secure network transfers are not available or possible). And AlertSec Port Control and Program Control give your organization the ability to block removable media ports and unwanted applications in order to prevent ePHI from being removed from the device.
References
The following selection of websites provides more information about HIPAA and HITECH.
http://www.hhs.gov/ocr/privacy/hipaa/administrative/securityrule/securityruleguidance.html