RUNNING HEAD: IT540 - ASSIGNMENT 6

Assignment 6: Assess Computer Networks for Regulatory Compliance


Justin Wayns
IT540: Management of Information Security
Professor: Dr. Thomas Watts, PhD, CISSP
Kaplan University
March 21, 2015

Introduction
This paper uses the scenario of Family Dental's two offices to gauge the level of HIPAA
compliance within the dentists' offices. It is up to me to identify the areas that need
revision after my review of the company's procedures as they stand today. Once I have
assessed the compliance level of Family Dental's practice for electronic and non-electronic
document storage, physical storage of ePHI, and the security of the building and server room,
I can make the necessary recommendations to the dentists and office staff so that they pass a
HIPAA compliance security review and maintain a secure environment.
HIPAA Compliance Review for Family Dental
1. What is all the electronic and non-electronic private health information (ePHI) that
is stored, processed, and transmitted at Family Dental's two offices?
The ePHI or Electronic Personal Health Information is stored on a server in a
closet in the dental office. The server room also has a tape backup machine next to it.
The server is also behind a firewall/router with a DSL modem connected to the internet.
The dental practice's VPN server is always on to connect the North and South offices
together for sharing of patient data. This way the data is kept in one place rather than two
different servers at each office.
The fax machine, printer, copier, and employee computers are out of the way of
patients. The clerks send out letters for patient billing to insurance agencies and
appointment reminders to patients. The dentists themselves are able to access the patient
information by logging in to the VPN server from home to update information on
patients. The dentists are the only ones that can access information from home.
2. Assess the practice's organization. Where is it most likely HIPAA compliant? What
changes should be made to move the practice closer to compliance?

After looking at Family Dental's offices and seeing what is covered and what is
not covered under the HIPAA Privacy Rule administered by the Office of Civil Rights
of the U.S. Department of Health and Human Services (U.S. Department of Health and
Human Services, n.d.), I have found that having the computers in private areas away
from the waiting room is in line with compliance. The server holding Electronic Personal
Health Information (ePHI) is in a closeted area, which is partially compliant, but it also
needs to be behind a locked door to protect it from theft, from copying of data to USB or
other removable media, and from the general public. The employee computers should have
encrypted passwords that change every 90 days, and when employees are away from
their computers they are to log off to adhere to a clear screen policy. Employees with
company-issued laptop computers need to keep them secured both on and off company
property.
The patient examination rooms are free from outside noise and from others that
could listen to dentist-patient conversations. The Family Dental practice website is
informational only, so no patient information is displayed.
3. Assess the practice's physical and technical safeguards. Where is it most likely
HIPAA compliant? What changes should be made to move the practice closer to
compliance?
Some of the physical safeguards that Family Dental needs to have in place for its
practice locations are to have secure locking doors on the outside of the facility and also
to have a separate lock on the server room door to further restrict access to the server
equipment. Another physical safeguard is to have cameras on all outside doors and the
server room door. The computers that employees use to register patients should have
privacy screens attached to hinder prying eyes.
The practice copy and fax machines should be out of patient view so that
information is not revealed to the public. Paper materials that are discarded should be
placed in a secure bin for a shredding company to properly dispose of during regularly
scheduled service.
Technical safeguards that need to be explored are the use of passwords on computer
equipment and keeping them out of sight so that they cannot be found on a desk.
Each employee with computer access must use a separate password when accessing data
from one of the facility's computers. An employee cannot be signed into more than one
terminal at a time, to counter fraudulent access. There is no general password for all to
use. It must be known who is accessing what information and from which stations. As
with laptops, desktop computers also need to have security software installed on them
that is in line with the company's current security policy standards. The desktop
computers should also have Kensington or similar locks to keep them at their stations
and prevent them from being stolen.
4. Family Dental exchanges data with service providers and uses a third party to
manage its IT infrastructure. What administrative and organizational safeguards
should the practice expect these providers to adhere to?
Some of the safeguards that need to be put in place are that all employees and third-party
contractors must undergo HIPAA compliance training and be verified as having passed
the course. There needs to be an understanding that being compliant is not just signing a
piece of paper stating that you have read the HIPAA compliance documents, but that you
understand what can happen if you are non-compliant (Waan, RDA, JD, 2015). All
emails sent and received containing patient information are to be encrypted at the server
that has been set up by the third-party network infrastructure group. The IT group or
printer vendor should make sure that the hard drive in the printer and/or copier encrypts
the data it contains, and that if the device is removed the hard drive is pulled and
destroyed (Keteyian, 2010). A copy machine data breach can result in a HIPAA fine
(Waan, RDA, JD, 2015), so the safeguards listed above must be in place.

References
Keteyian, A. (2010, April 19). Copy Machines, a Security Risk? (CBS News). Retrieved March 19, 2015, from youtube.com: https://www.youtube.com/watch?v=iC38D5am7go
U.S. Department of Health and Human Services. (n.d.). Health Information Privacy. Retrieved from hhs.gov: http://www.hhs.gov/ocr/privacy/
Waan, RDA, JD, O. (2015). HIPAA: What do you want out of my dental practice now? Retrieved from dentistryiq.com: http://www.dentistryiq.com/articles/2014/02/hipaa-what-do-youwant-out-of-my-dental-practice-now.html