Educause Security Discussion mailing list archives

Re: HIPAA Assessments and Network Access


From: Ben Sookying <ben () CSU NET>
Date: Thu, 29 Jul 2004 08:47:02 -0700

Hello Eric,

I apologize for spamming the group for this request but I am interested in
taking a look at your assessment tool.

Ben S. Sookying - CISSP
Director, Network Security Services
California State University - Office of the Chancellor
Tel: (562) 346-2263 * Email: Ben () csu net

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Schmidt, Eric W
Sent: Wednesday, July 28, 2004 6:48 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HIPAA Assessments and Network Access

Here at the IU School of Medicine we decided we couldn't afford the cost of
HIPAA consultants so we developed our own baseline security assessment tool.
It is based on a tool developed by the North Carolina HHS and was available
for use out on their web site.  We adapted the tool to match the final
security rule since the North Carolina tool was written for the proposed rule
and we're almost finished with our initial assessment phase now.  The IT and
business administrators for all of our various departments, offices, and
centers have all used the tool as a self-assessment.  The results of each
department's assessment will be rolled up into a school-wide report in the
next month or so.  Department reports will be prepared as well as a gap
analysis report to help the school's executive leadership determine where to
best deploy our limited resources to help us comply with the rule.  If
anyone's interested let me know and I'll be glad to share the assessment
tool.  The tool is basically several spreadsheets.  One spreadsheet allows
the user to determine compliance with each specification of the rule, the
other spreadsheet is a central area to capture all specific policy,
procedures, and documentation supporting each specification of the rule.
One spreadsheet provides a summary of the compliance and another spreadsheet
contains reference information for the entire rule.  So far it's been a lot
better than a $100,000+ bill from a consultant group....


Eric W. Schmidt, CISSP, CISM
Chief Security Officer
Indiana University School of Medicine

        -----Original Message-----
        From: The EDUCAUSE Security Discussion Group Listserv on behalf of Michael Cole
        Sent: Wed 7/28/2004 4:38 PM
        To: SECURITY () LISTSERV EDUCAUSE EDU
        Cc:
        Subject: Re: [SECURITY] HIPAA Assessments and Network Access



        Check out Bradford Software's Campus Manager and Remediation center,
        it'll do what you're looking for as well as register all your computers.
        www.bradford-sw.com

        Mike

        -----Original Message-----
        From: Doug Sandford [mailto:dsandfor () SEEBECK UA EDU]
        Sent: Wednesday, July 28, 2004 5:02 PM
        To: SECURITY () LISTSERV EDUCAUSE EDU
        Subject: [SECURITY] HIPAA Assessments and Network Access


        Apologies for the rather broad subject area(s). I know these items
        have been discussed in the past, but am looking for some more recent
        experiences/recommendations.

        Have any of you brought in consultants to perform the full range of
        compliance checks necessary for HIPAA compliance, i.e., Risk
        Assessment, policy and function creation, etc? Your recommendations
        would be welcomed.

        Additionally, we are interested in a solution (such as Perfigo or one
        of the others) that would enable us to check computers as they are
        attached to our network for current Windows patches, virus software
        and updates, etc. SUS is certainly a partial answer but requires that
        we get our hands on each machine. Again, any recommendations,
        successes or horror stories will be welcome.

        Thanks in advance....




        Doug Sandford
        Information Security Officer
        University of Alabama
        Seebeck Computer Center
        doug () ua edu

        This email is intended only for the person to whom it is
        addressed.  Any review or other use of this information by
        persons or entities other than the intended recipient or any
        retransmission without the consent of the sender is prohibited.

        **********
        Participation and subscription information for this EDUCAUSE
Discussion Group discussion list can be found at
http://www.educause.edu/cg/.
