Educause Security Discussion mailing list archives

Re: HIPAA Assessments and Network Access


From: Angel L Cruz <cruz () AUSTIN UTEXAS EDU>
Date: Thu, 29 Jul 2004 12:01:54 -0500

Eric,

Can you share the tool through EDUCAUSE? It sounds like a great "best
practices" opportunity.

-Angel 

Mr. Angel L. Cruz, CISSP, CISM
Director & University ISO
The University of Texas at Austin
Information Technology Services
MAI 26 G9805
P.O. Box 7908
Austin TX  78713
(512) 471-7130
a.cruz () its utexas edu

-----Original Message-----
From: The EDUCAUSE Security Discussion Group Listserv
[mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Schmidt, Eric W
Sent: Wednesday, July 28, 2004 8:48 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] HIPAA Assessments and Network Access

Here at the IU School of Medicine we decided we couldn't afford the cost
of HIPAA consultants so we developed our own baseline security
assessment tool.  It is based on a tool developed by the North Carolina
HHS and was available for use out on their web site.  We adapted the
tool to match the final security rule since the North Carolina tool was
written for the proposed rule and we're almost finished with our initial
assessment phase now.  The IT and business administrators for all of our
various departments, offices, and centers have all used the tool as a
self-assessment.  The results of each department's assessment will be
rolled up into a school-wide report in the next month or so.  Department
reports will be prepared as well as a gap analysis report to help the
school's executive leadership determine where to best deploy our limited
resources to help us comply with the rule.  If anyone's interested let
me know and I'll be glad to share the assessment tool.  The tool is
basically several spreadsheets.  One spreadsheet allows the user to
determine compliance with each specification of the rule, the other
spreadsheet is a central area to capture all specific policy,
procedures, and documentation supporting each specification of the rule.
One spreadsheet provides a summary of the compliance and another
spreadsheet contains reference information for the entire rule.  So far
it's been a lot better than a $100,000+ bill from a consultant group....
 
 
Eric W. Schmidt, CISSP, CISM
Chief Security Officer
Indiana University School of Medicine

        -----Original Message-----
        From: The EDUCAUSE Security Discussion Group Listserv on behalf of Michael Cole
        Sent: Wed 7/28/2004 4:38 PM 
        To: SECURITY () LISTSERV EDUCAUSE EDU 
        Cc: 
        Subject: Re: [SECURITY] HIPAA Assessments and Network Access
        
        

        Check out Bradford Software's Campus Manager and Remediation
        Center; it'll do what you're looking for as well as register all your
        computers.   www.bradford-sw.com

        Mike 

        -----Original Message----- 
        From: Doug Sandford [mailto:dsandfor () SEEBECK UA EDU] 
        Sent: Wednesday, July 28, 2004 5:02 PM 
        To: SECURITY () LISTSERV EDUCAUSE EDU 
        Subject: [SECURITY] HIPAA Assessments and Network Access 


        Apologies for the rather broad subject area(s). I know these items
        have been discussed in the past, but am looking for some more recent
        experiences/recommendations.

        Have any of you brought in consultants to perform the full range of
        compliance checks necessary for HIPAA compliance, i.e., Risk
        Assessment, policy and function creation, etc.? Your recommendations
        would be welcomed.

        Additionally, we are interested in a solution (such as Perfigo or one
        of the others) that would enable us to check computers as they are
        attached to our network for current Windows patches, virus software
        and updates, etc. SUS is certainly a partial answer but requires that
        we get our hands on each machine. Again, any recommendations,
        successes or horror stories will be welcome.

        Thanks in advance.... 




        Doug Sandford 
        Information Security Officer 
        University of Alabama 
        Seebeck Computer Center 
        doug () ua edu 

        This email is intended only for the person to whom it is 
        addressed.  Any review or other use of this information by 
        persons or entities other than the intended recipient or any 
        retransmission without the consent of the sender is prohibited. 

        ********** 
        Participation and subscription information for this EDUCAUSE
Discussion Group discussion list can be found at
http://www.educause.edu/cg/.
