Security Basics mailing list archives
Re: Healthcare Standards and Regulations
From: Caspian <Caspian () random-interrupt org>
Date: Fri, 16 Apr 2010 18:11:52 -0400
Jason (and others who are looking) - HIPAA is a pretty tricky thing to apply, mostly because of its intended use. It was never meant as a strict technical standard for IT, but more of a set of governing business rules. This, of course, leads to variable interpretations, and a serious lack of anything definitive for all sorts of reasons, litigation being a primary one. I think this is why there has been a vendor shift to broader standards. You might find some HIPAA compliance related technical information in insurance industry related IT discussions, since that's where it really made an initial impact.
From my experience with both PCI and HIPAA, Brenda has a pretty good point: swapping patient information into the PCI requirements will work pretty well, but it might miss a few things. It's definitely a good starting point.
I'm not sure, but the NIST guide mentioned below may have been co-written by a few people who are also part of the IHE group, who have (basically) attempted to harmonize the parts of HIPAA that apply to health IT with other standards, roll it all into one, and make it vendor subscriptive. IHE has a very broad website, and a lengthy set of specifications for their standards. If you're looking for something that gives specifics, that might be a good place to start. I'm not sure if IHE compliance guarantees HIPAA compliance, but I suspect that it might. They can be found at http://www.ihe.net/. I should mention that I have done volunteer technical audit work with them in the past, so this isn't entirely impartial information.
-Caspian

Brenda C. Henderson wrote:

Jason,

The best guide we have found is the NIST guide to HIPAA. It was written to provide guidance to federal agencies that must comply with HIPAA. http://www.sses.net/industry-solutions/healthcare/

As of yet, you will not find the very clear guidance that PCI gives. However, we have a Risk Assessment/Gap Analysis tool that allows us to measure an "as is" HIPAA environment against the NIST references found in the referenced guide and advise clients on what needs to be done to better secure private information and meet the HIPAA security rule and HITECH. However, there is a movement that is gaining momentum called HITRUST. HITRUST has some very large backers in the healthcare industry who are working to develop a framework that is definable. Much of it is based on ISO. We have been evaluating whether to join the movement and in the last month have decided to take the plunge. In addition, we and our partners are working on a web based portal that will begin to look a bit like the PCI questionnaires (not as many levels, but it will follow the HIPAA security rule and HITECH Act guidelines and most likely use the HITRUST framework). It will not be available until the June/July timeframe. In the meantime, we continue to do HIPAA risk/gap assessment/remediation plans to prepare our clients for HIPAA compliance.

You will not go wrong if you look at the PCI requirements for a Level 1 or 2 merchant that stores, transmits and processes credit card data and substitute patient information. Here is a link to some PCI information: http://www.sses.net/services/risk-and-compliance/pci-compliance-audits/ Look under PCI Resources.

Kindest Regards,
Brenda Henderson
Director Sales and Marketing
Sword & Shield Enterprise Security, Inc.
1431 Centerpoint Blvd. Suite 150
Knoxville, TN 37932
865 244-3517
865 244-3599 fax
www.sses.net
www.securehq.com

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of John Morrison
Sent: Friday, April 16, 2010 5:06 AM
To: Jason Kolpin
Cc: security-basics () securityfocus com
Subject: Re: Healthcare Standards and Regulations

Jason,

It looks like many suppliers have moved on from selling HIPAA compliance to a wider sales pitch. Also, I found the same as you that the official sites don't give any information that is detailed enough. This is in contrast to, say, PCI, which has clear guidance and check lists.

All I could find with diagrams was the following:

Sun B2B Suite HIPAA Protocol Manager User's Guide
http://docs.sun.com/app/docs/doc/820-1277/agcjh?a=view

Cisco Healthcare Security Perspectives: Protect Your Patients, Your Practice, Yourself - Technical Implementation Guide
http://www.cisco.com/web/strategy/docs/healthcare/health_security_impgd.pdf (Page 11 has the first)

Plus some templates at http://www.endhack.com/better_than_templates.htm

Has your California office already done all the work so you can copy this? Could the Montana Department of Public Health & Human Services provide any help? There may be some books on Amazon.

On 15 April 2010 20:22, Jason Kolpin <jasonk () ncat org> wrote:

I've looked here and now have looked again. Is it just me, or is there absolutely no cut and dry guidance for the physical and logical network design regulations for healthcare IT infrastructures?

I can sit and read and read to get my one or two sentences per document that cover what I am positive is a tiny chunk of the entire whole, but is this really necessary? Somewhere there must be some cut and dry list of HIPAA requirements for IT infrastructure, segmentation, firewalling, and data security. I'm not so concerned about the software or services; I am positive I can manage that. What I am concerned about is not having the email server sharing a zone with their medical records zone, or whatever the requirements may be. I'm also concerned about network user policy and the regulations that apply there as well, including VLAN implementation, what doctors should be able to see and do, as well as what others should and should not be able to do.

Nice guess at California, as we have offices there; I am in MT though. I also must note that at a glance the suggestion from another post to read NIST P-800-66 looks promising to a degree.

Jason Kolpin
Web Specialist
National Center for Appropriate Technology
www.ncat.org

John Morrison wrote:

Jason,

As you are in California I assume the main regulation is HIPAA. Have you tried the HIPAA Resource Center (http://www.aishealth.com/Compliance/HIPAAResource.html) as a starting point? Also, do the suppliers of the products have any literature?

On 14 April 2010 23:22, Jason Kolpin <jasonk () ncat org> wrote:

Hello! I have been approached by a small medical practice to build an infrastructure from the ground up. After some research I decided I knew nothing about best practices and such in this environment. These folks are in a rural area and have no clue who to contact; I am at a loss as well, other than a big company like Siemens or something. It would be greatly appreciated if anyone on this list knew of a place where I could get some solid information on this subject, could refer these folks to a company that does this sort of thing, or could offer some advice for a situation such as this.

It's not like I am completely clueless concerning server setup and stuff like that; I work IT. I am more interested in security related information such as the typical physical layout for the network, i.e. firewalling and data/service separation issues. Excuse my ignorance here, as this is completely new to me. I have been asked about LIS, RIS, PM, patient records server, scheduling/calendar, billing, email server, domain controller, VPN from two locations and some more. I'm just looking for some simple "stick man" drawings of a typical physical layout using this type of stuff, as well as a place I might go to find out about required/mandated policies and such, and even a few hints on policies you may know that you find important in a situation such as this. FYI, I have already informed these people I am not the man for the job, as the risk is too great for me should something bad happen, but they are probably going to use me as a consultant; they have no IT staff and are completely clueless about how the simplest of things work. I know this is a lot to ask of a mailing list, so no surprise if I get no response.

--
Jason Kolpin
Web Specialist
National Center for Appropriate Technology
www.ncat.org

------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.
http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------
Current thread:
- Healthcare Standards and Regulations Jason Kolpin (Apr 15)
- Re: Healthcare Standards and Regulations John Morrison (Apr 15)
- Re: Healthcare Standards and Regulations Jason Kolpin (Apr 15)
- RE: Healthcare Standards and Regulations Mattias Baecklund (Apr 16)
- Re: Healthcare Standards and Regulations John Morrison (Apr 16)
- Re: Healthcare Standards and Regulations Jason Kolpin (Apr 16)
- RE: Healthcare Standards and Regulations Brenda C. Henderson (Apr 16)
- Re: Healthcare Standards and Regulations Caspian (Apr 19)
- Re: Healthcare Standards and Regulations Jason Kolpin (Apr 15)
- Message not available
- RE: Healthcare Standards and Regulations Barbara L. Filkins (Apr 16)
- Re: Healthcare Standards and Regulations John Morrison (Apr 15)