
INFORMATION SECURITY®

ESSENTIAL GUIDE TO HIPAA
Electronic health records are a cornerstone of President Obama’s
national healthcare reform. But in order to succeed, healthcare
organizations need to ensure consumer privacy.
As a result, changes to the Health Insurance Portability
and Accountability Act were recently enacted. We’ll
explain the regulation, the new requirements, and
how to prepare for an audit.

INSIDE
6 Laying the Groundwork: The Basics of HIPAA
11 New Changes to HIPAA
15 Key Elements of a HIPAA Compliance Checklist
20 How to Survive a HIPAA Audit

INFOSECURITYMAG.COM
CONTENTS: ESSENTIAL GUIDE

FEATURES

6 Laying the Groundwork: The Basics of HIPAA
COMPLIANCE This regulation aims to protect patient records and ensure the information is properly transmitted, shared and stored. Here’s what the law says.
BY SEARCHSECURITY.COM EDITORS

11 New Changes to HIPAA
WHAT’S AHEAD In February 2010 an amendment to HIPAA, dubbed HITECH, will be enforced. Here’s how it could affect you.
BY DAVID MORTMAN

15 Key Elements of a HIPAA Compliance Checklist
POLICIES AND PROCEDURES Building a set of processes and systems to meet HIPAA can be challenging. We’ll outline where to start.
BY RICHARD E. MACKEY

20 How to Survive a HIPAA Audit
ENFORCEMENT Recent fines and penalties prove HIPAA compliance is not optional. We’ll lay out the steps you can take to pass your next audit successfully.
BY RANDY NASH

25 Advertising Index

2 I N F O R M AT I O N S E C U R I T Y • ESSENTIAL GUIDE • HIPAA


EDITOR’S DESK

Getting Serious with HIPAA
BY KELLEY DAMORE

WHILE HIPAA HAS BEEN AROUND for more than a decade, the regulation has been viewed by many in the industry as a toothless legislative mandate. The lack of enforcement caused many in the healthcare industry to take a wait-and-see attitude toward HIPAA compliance. From a risk manager’s perspective, that made perfect sense: the risk was low and the investment was high when it came to meeting HIPAA. So many healthcare organizations did nothing.

Well, that has all changed in the last year. First, we’ve seen some highly publicized incidents where healthcare workers were abusing their access and viewing patient records of celebrities such as George Clooney and Britney Spears. More recently, 15 employees were fired from Kaiser Permanente for accessing medical records of Nadia Suleman, the octuplet mother.

Then the U.S. Department of Health and Human Services (HHS) started to get very serious about HIPAA compliance and issued a number of hefty fines, most notably to Providence Health & Services and CVS Caremark Corp. The perception today: HIPAA is no longer deemed optional and organizations need to take the regulation far more seriously.

Add to the increased enforcement the Obama Administration’s vision of healthcare reform and the need to move to and invest in electronic health records. HIPAA is the linchpin here. Earlier this year HHS greatly expanded the scope of HIPAA with the HITECH Act. The original HIPAA legislation stated that the covered entity was responsible for evaluating and policing its business associates and the penalties would be applied to the covered entity. But now the new law stipulates that business associates must follow notification standards for breaches and can be sued or prosecuted directly. This broadens the breadth and the scope of the regulation and has prompted a renewed interest in how to become HIPAA compliant.

As a result we compiled this Essential Guide to give you one place to get information on the HIPAA regulation, the new changes taking hold next year, how to tackle HIPAA compliance effectively and how to pass an audit. We hope you find this useful.

Kelley Damore is Editorial Director of the Security Media Group for TechTarget, which includes Information Security magazine, SearchSecurity.com, SearchMidmarketSecurity.com, SearchFinancialSecurity.com, SearchSecurityChannel.com, SearchSecurity.uk.co, Information Security Decisions and the Financial Information Security Decisions conference. Send feedback on this column to feedback@infosecuritymag.com.

COMPLIANCE

LAYING THE GROUNDWORK: The Basics of HIPAA

This regulation aims to protect patient records and ensure the information is properly transmitted, shared and stored. Here’s what the law says.
BY SEARCHSECURITY.COM EDITORS

HIPAA, short for the United States Health Insurance Portability and Accountability Act,
is a set of standards introduced by Congress in 1996 that aim to protect the privacy
of patient information in the healthcare industry by regulating how providers handle
patient data while conducting business, as well as ensuring the continuity of individuals’
healthcare coverage.
HIPAA created a set of universal standards for exchanging and securing personal data
via electronic data interchange (EDI), the goal being to protect all data that is personally
identifiable to a specific person, regardless if it is communicated orally, electronically or
in writing.



The HIPAA privacy rule [http://www.hhs.gov/ocr/privacy/hipaa/understanding/index.html] requires that all healthcare providers, or any other organization that processes medical records, inform patients of their privacy rights, educate and train staff on how medical data should be properly handled, and implement and practice the required privacy and security policies in order to ensure that the electronic health information of patients remains secure.

Breaking down HIPAA security rules and compliance guidelines

There are two sections to the standard: HIPAA Title I, which focuses on protecting citizens’ healthcare coverage if they are fired or laid off, and HIPAA Title II, which is focused more on patients’ rights and how to properly transmit, share and store their information.

HIPAA’s standards require that all healthcare industries apply and enforce certain protections. The implementation process will be different for every organization depending on its size, budget, risks and infrastructure complexity. But regardless of each organization’s different needs in terms of HIPAA implementation, the general HIPAA requirements stay the same.

• Organizations must have an administrative authority in charge of managing and enforcing HIPAA compliance rules, regulations and efforts. There should be a clear set of guidelines in place regulating who is and isn’t permitted to access patient information. All access to sensitive data and systems should be monitored.
• Documentation should be provided to patients informing them of their rights.
• All corporate systems, machines and buildings must have physical and technical data and intrusion protection controls to prevent access by malicious hackers and unauthorized users.
• There must be a traffic-monitoring device, such as a firewall, in place to examine activity coming into and leaving the organization’s network.
• Management should practice risk assessments, data-handling policies and data loss prevention (DLP), and record all security policies and procedures.

How to achieve compliance with HIPAA

In the early years of HIPAA, fines and penalties for lack of compliance were seldom seen, causing many organizations to assume that HIPAA compliance was discretionary [http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1330457,00.html]. But recently, several organizations have received more than a slap on the wrist in the form of hefty HIPAA-related fines for bad practices, causing many healthcare organizations to rethink their lagging efforts in implementing and enforcing HIPAA policies. Here we’ll discuss how to tackle the main requirements needed to achieve HIPAA compliance and offer insight into how to get prepared for an audit.



• Appointing a HIPAA management consultant team
One of the first steps in becoming compliant with HIPAA is to delegate the responsibility of managing and enforcing compliance policies and procedures to a specific person or group of persons, depending on the size of the organization. The responsibility of educating staff, handling data, enforcing policies, answering questions and leading corporate efforts needs to be assigned out to staff members to avoid confusion and keep things organized. It is important for all employees to be aware of what the HIPAA regulations and policies are, how and why the organization needs to become compliant and what the potential penalties and fines are for non-compliance.

This management person or persons will also act as a liaison among business and IT management, employees, HR and the legal department, getting all departments on the same page in terms of compliance and verifying that every department is doing its part to establish a HIPAA-friendly environment.

• HIPAA employee awareness compliance training
All organizations affected by HIPAA should ask employees to undergo some form of HIPAA training to make sure the rules and regulations are clear and everyone is on the same page. The training sessions should clearly identify what constitutes sensitive patient information, how it should be protected and who is allowed to access that information. This will avoid an incident down the road in which an employee claims that he or she was unaware that, let’s say, a patient’s Social Security number or name is considered “sensitive” data.

• Restricting and monitoring employee access


Administering access controls and data-handling policies are essential parts of
any good compliance program. Access to sensitive materials should be restricted to
only those who absolutely need it and their access should be monitored frequently
and updated as needed. If an employee is terminated or changes positions, update
access controls accordingly to avoid giving the wrong people expansive privileges.
There are several identity and access management (IAM) tools available on the
market with reporting and auditing capabilities that can assist with user provisioning
and with managing and controlling who has access to what.
System monitoring is an important part of system and data access as well as a
HIPAA requirement. Being diligent with monitoring efforts will ensure that only the
right people are accessing information and that, if information is moved, it is moved
to a secure location. System monitoring software should be implemented and
the logged information should be examined on a regular basis to spot a potential
problem and take the proper precautions before a breach occurs.



• Encryption, data protection and data handling policies
Implementing a variety of data loss prevention (DLP) technologies and data handling policies is a good idea when trying to get compliant.

Organizations must also have some sort of data-classification policy in place that will identify different types of data based on privacy and security demands. Information should be classified depending on its location, type, how sensitive it is to risk, and what storage, transmission or other security measures are currently in place to protect it.

Your data-classification policy should determine what information needs advanced security measures, such as encryption or written permission for data sharing. If certain data is extremely sensitive, more advanced security measures should be taken to ensure its protection. For example, if patient data is compromised or lost, having implemented encryption would add another layer of security that the attacker would have to bypass to make use of the data. There should also be a data-sharing policy in place for especially sensitive data. If an employee wants or needs to share data with another party, written permission should be required, lessening the likelihood of unnecessary or malicious information sharing.


WHAT’S AHEAD

New Changes to HIPAA

In February 2010 an amendment to HIPAA, dubbed HITECH, will be enforced. Here’s how it could affect you.
BY DAVID MORTMAN

AS YOU MAY KNOW, changes to the Health Insurance Portability and Accountability
Act (HIPAA) were recently enacted under The Health Information Technology for
Economic and Clinical Health Act (HITECH) as part of the recent American Recovery
and Reinvestment Act. However, these changes don’t go into effect until February of
2010, meaning there’s time before companies need to be compliant. So like the cover
of the Hitchhiker’s Guide to the Galaxy says: “Don’t panic.”
Before delving into the changes, it’s important to understand that under HIPAA
there are three general groups of organizations: covered entities, business associates
and everyone else. Covered entities are generally health care organizations or health
insurance companies (though this gets complicated with companies that self-
insure). Business associates are organizations that support covered entities and
handle protected health information (PHI), such as online backup providers,
billing agencies and organizations that support eHealth products, and everyone
else is, well, everyone else.



HIPAA requires that covered entities meet specific criteria to be certified compliant; if they do not, those entities are subject to fines. As a result of HITECH, civil penalties for HIPAA violations have gone up significantly, potentially to the tune of $1.5 million per year in fines. Additionally, deliberate disclosure of PHI for non-legitimate reasons can now lead to criminal prosecution. HITECH specifically allows state attorneys general to file civil suits as well as criminal charges, though for many states this was already the fact due to CA 1386 and other state data breach-notification laws.

HIPAA’s other major change for covered entities is they must now disclose if and when they have a security breach and client data is exposed. All users whose data has been lost must be notified, and if more than 500 individuals’ data is lost, the organization must notify the Secretary of the Department of Health and Human Services (HHS), who will publicly post the breach on the HHS website.

If your organization is classified as a business associate, this is the time when you will consider panicking. Prior to the changes, HIPAA required business associates to have contracts with the covered entities enforcing the appropriate privacy and security controls of individuals’ PHI. Now the requirements for business associates have been significantly expanded. Under HITECH, business associates are subject to the same civil and criminal penalties as covered entities, as well as the disclosure requirements outlined above.

HHS should provide more clarity regarding what exactly business associates need to do. In the meantime, a good best practice is to assume the new requirements will be similar to the requirements for covered entities, so start retooling the necessary parts of your business appropriately. For starters, covered entities should make sure they are actually meeting the requirements of their existing contracts. From there, implement controls to minimize who has access to that critical data, and start examining stronger protection such as encryption. Patterning after covered entities will put the company way ahead of the game; the worst-case scenario is the company will have done more than is strictly necessary and will have become an improved organization for the effort.

Members of the final category, everyone else, will likely see some changes as well, though this will depend on the final decisions of the Secretary of Health and Human Services around business associates. The most likely change will be that consumers must identify themselves more strongly to business associates in order to be granted access to information. Similarly, companies that provide services to business associates will quite likely see more security and privacy terms in their contracts, especially if they have any dealings with systems that contain PHI.

HITECH (not to mention recent HIPAA enforcement activities) has shown that the government now takes the security and privacy of medical records far more seriously than it has in recent years. As a result, all covered entities and business associates should proactively review their security and privacy policies, processes and controls, and evaluate where they stand. Time flies, and February 2010 will be here much sooner than it may seem. There is always the option of taking a chance and choosing not to comply, though given that HITECH allows for both federal and state criminal and civil proceedings to be brought against non-compliant companies and their executives, you won’t see me advocating that choice to anyone I work with.

As CSO-in-Residence, David Mortman is responsible for Echelon One’s research and analysis program. Formerly the Chief Information Security Officer for Siebel Systems, Inc., David and his team were responsible for Siebel’s worldwide IT security infrastructure, both internal and external. He also worked closely with Siebel’s product groups and the company’s physical security team and led up Siebel’s product security and privacy efforts. A CISSP, Mr. Mortman sits on a variety of advisory boards including Qualys and Applied Identity and Reflective, amongst others. He holds a BS in Chemistry from the University of Chicago.



POLICIES AND PROCEDURES

Key Elements of a HIPAA Compliance Checklist

Building a set of processes and systems to meet HIPAA can be challenging. We’ll outline where to start.
BY RICHARD E. MACKEY

IN MARCH 2007, the U.S. Department of Health and Human Services audited
the information security practices of Atlanta’s Piedmont Hospital to determine
whether the facility met HIPAA requirements. The audit revealed several areas in
which the hospital failed to comply. That was just the beginning; recent HIPAA-
related fines imposed on Providence Health & Services and CVS Caremark Corp.
have caused many organizations, hospitals, healthcare clearinghouses and business
associates to take HIPAA compliance more seriously.



However, for a great many of these organizations, whose main business is health
care and not information technology, building a set of processes and systems that
enable the business to meet the requirements of the Health Insurance Portability
and Accountability Act can be a challenge.

The importance of data governance

The difficulty most organizations have in complying with HIPAA results from the lack of well thought-out IT governance. In other words, many companies do not establish clear organizational responsibility for ensuring the security of the protected health information. According to requirements, there must be an individual assigned the responsibility for HIPAA compliance. Furthermore, NIST’s guidance on the subject suggests that the individual be authorized to establish controls and accept business risk. This means that management must have ownership of both the sensitive information and the policies defined to protect it. Once a clear business owner is established, HIPAA compliance requires coordination of a cross-disciplinary group, including business and technical management, legal departments and human resources, to ensure that the policies are defined appropriately, implemented correctly, disseminated to employees and enforced. While technology plays a significant role in compliance, organization and governance can either support or undermine the best technical controls.

Transparency and accountability

HIPAA, like all regulations, requires transparency, and all activities associated with the regulated data and systems are subject to an audit. By establishing the appropriate policies and organizational structure, companies can put the controls and the associated checks and balances in place to comply. Simply put, the overall goal is to ensure that electronic protected health information (EPHI) is:
• Only accessible to those who have a business need
• Stored and processed on systems that are strictly controlled and backed up
• Monitored during all access
• Only moved to authorized locations and is encrypted in storage and while transmitted on unprotected networks

The requirements above reflect four security principles respectively: identity and
access management, system and environment configuration, monitoring and infor-
mation flow control and encryption. These practices are central to HIPAA compli-
ance and give rise to many critical process and technical controls, including network
configuration, data loss detection and backup. The key to remember is that each of
these important elements of compliance is part organizational process and part
technology. Technology, by itself, cannot succeed. Let’s take a closer look:
Identity management and access controls. A good example of the need for process and technology is evidenced when ensuring appropriate access controls. The organizational process requires that information owners, custodians and supervisors be involved in approving access to EPHI. While there is no explicit requirement for a technological remedy to this problem, many organizations address the need by deploying identity and access management tools. Without such technological help, it is difficult to maintain the discipline necessary (and the records of requests and approvals) to ensure that only appropriate users have access. These systems also can automate account and privilege recertification, a requirement in HIPAA and many other regulations.

Conversely, lack of discipline and formality in access management is one of the most common reasons for compliance failures. Interestingly, even if there is no inappropriate access allowed, the lack of formality in and of itself is a compliance violation.

System and environment configuration controls. Systems that store protected data must follow strict configuration guidelines. The underlying principle in controlling configuration is the need to know the state of the critical systems in the regulated environment at any time. This involves more than just monitoring; it requires control. The requirement for tight systems control suggests that an organization should isolate each of them, configure them strictly for their purpose, maintain strict vulnerability controls and software version controls, and ensure that the systems are administered securely.

There are several organizational and design processes involved in achieving these goals. First, the organization must establish responsibility for managing the systems and networks. Second, the organization should establish a clear demarcation separating systems containing EPHI from those that do not. This isolation reduces the number of systems to tightly manage, cuts down on the monitoring burden, and demonstrates good practices to an auditor. Third, the organization needs to establish strong vulnerability management practices for the environment.

Once the organizational processes are in place, technology can be a real boon. Firewalls can establish boundaries, vulnerability management systems can track operating system and application versions and help to deploy fixes, while change control systems can keep tabs on all the administrative activities affecting the regulated environment.

Monitoring. An important part of maintaining control over PHI is knowing who has had access to the information. HIPAA requires that all access to protected information be monitored. This means that systems and applications that provide the access need to be instrumented to capture access events. Further, an organization needs to look at its captured log information regularly.
Here again, establishing that someone is responsible for monitoring and log review is of primary importance; deploying technology is secondary. The one additional requirement is that the responsible party be separate from those entrusted to use or manage the systems. One need only look at the failures in compliance to understand why monitoring is so important. Many organizations look at logs only as a forensic tool, inspecting them solely after a suspected breach has occurred. This approach does not meet the intent of the security rule. The goal should be to know, at any time, who exercised the privilege to access sensitive data.
While smaller organizations may be able to manage log and event review with manual processes, event correlation and consolidation tools can help facilitate this difficult job tremendously. They can combine events from multiple systems, applications and environments, enabling the enterprise to concentrate on critical activities that might otherwise be lost in the noise.
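The access-control and monitoring passages above call for instrumenting systems to capture EPHI access events, consolidating events from several systems, and being able to say at any time who touched which record and whether that account was approved. As an added example, not code from the article, the following Python script normalises two constructed log formats (a hypothetical EHR application log and a database audit log), builds a per-record access ledger, and flags events a log reviewer should examine; the log formats, user names and approved-account list are all assumptions made for the example.

```python
"""Consolidate EPHI access events from two systems and flag entries for review."""
import re
from collections import defaultdict

# Constructed sample logs (hypothetical systems, not real data): an EHR
# application log and a database audit log, both recording reads of
# patient records identified by a medical record number (mrn).
EHR_LOG = """\
2009-03-02T08:14:05 user=jdoe action=VIEW mrn=1001 src=10.0.0.12
2009-03-02T08:20:51 user=rsmith action=VIEW mrn=1001 src=10.0.0.40
2009-03-02T23:41:17 user=jdoe action=EXPORT mrn=1002 src=10.0.0.12
"""
DB_AUDIT_LOG = """\
03/02/2009 08:14:06,dbapp,SELECT,patients,1001
03/02/2009 12:02:44,tmp_contractor,SELECT,patients,1003
"""

# Accounts the information owner has approved for EPHI access (assumed list).
APPROVED_USERS = {"jdoe", "rsmith", "dbapp"}

EHR_RE = re.compile(r"(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) mrn=(?P<mrn>\d+)")
DB_RE = re.compile(r"(?P<date>\S+) (?P<time>[^,]+),(?P<user>[^,]+),(?P<action>[^,]+),patients,(?P<mrn>\d+)")

def parse_events(ehr_log, db_log):
    """Normalise both formats into sorted (timestamp, system, user, action, mrn) tuples."""
    events = []
    for line in ehr_log.splitlines():
        m = EHR_RE.match(line)
        if m:
            events.append((m["ts"], "ehr", m["user"], m["action"], m["mrn"]))
    for line in db_log.splitlines():
        m = DB_RE.match(line)
        if m:
            mm, dd, yyyy = m["date"].split("/")  # rewrite the US date as ISO so both sort together
            events.append((f"{yyyy}-{mm}-{dd}T{m['time']}", "db", m["user"], m["action"], m["mrn"]))
    return sorted(events)

def access_ledger(events):
    """Map each record to the set of users who touched it: the 'who accessed what' view."""
    ledger = defaultdict(set)
    for _, _, user, _, mrn in events:
        ledger[mrn].add(user)
    return dict(ledger)

def flag_for_review(events, approved=APPROVED_USERS):
    """Return events a log reviewer should examine: unapproved accounts, or exports of a record."""
    flagged = []
    for ts, system, user, action, mrn in events:
        if user not in approved:
            flagged.append((ts, system, user, f"unapproved account read mrn {mrn}"))
        elif action == "EXPORT":
            flagged.append((ts, system, user, f"export of mrn {mrn}"))
    return flagged

if __name__ == "__main__":
    evs = parse_events(EHR_LOG, DB_AUDIT_LOG)
    print(access_ledger(evs), flag_for_review(evs), sep="\n")
```

The ledger answers the article's "who exercised the privilege" question for any record, while the flagged list is the short queue the separate log reviewer works through rather than reading every line.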

Information flow control and encryption. The fourth element of compliance described above involves ensuring that protected information only moves to safe locations, and only moves when authorized. It is just as critical for the data to be protected in motion and at rest.
Of course, there must be assigned responsibilities for controlling the data and a process for authorizing its movement. HIPAA also requires deployment and administration of a variety of technologies. Organizations should assemble a data catalog, detailing the type, sensitivity and assigned owner of all protected information. Processes should also be defined to track where information moves. The procedures can aid in identifying when encryption will be necessary and provide guidance when employing technologies where appropriate. Technologies like data loss prevention (DLP) can catch information with a defined signature if it moves over the network to some unauthorized location. DLP tools can also help catch when data has been copied to unapproved devices like thumb drives. While also being good for key management, encryption products, too, can help meet the in-place data encryption requirement.

Achieving HIPAA compliance is no easy task. Keeping in mind the fundamental elements of compliance, however, can make the goals understandable and help your organization meet the challenge more effectively. Remember to establish the organizational processes first and then employ technology to facilitate them. You can refine both your processes and your technology practices as you go, but be sure that your organization is clear on who's responsible, what needs to be protected, and how it needs to be protected.

Richard Mackey has advised leading Wall Street firms on security architecture, VPNs, enterprise-wide authentication, and intrusion detection. Prior to joining the consultancy SystemExperts, he was the director of collaborative development for The Open Group. Mackey is an original member of the DCE Request for Technology technical evaluation team and was responsible for the architecture of the Distributed Computing Environment Releases 1.1 and 1.2. Mackey has been a frequent speaker at major conferences and has taught tutorials on developing secure distributed applications.

ENFORCEMENT

How to Survive a HIPAA Audit
BY RANDY NASH

Recent fines and penalties prove HIPAA compliance is not optional. We'll lay out the steps you can take to pass your next audit successfully.

WATCH OUT FOLKS, it's finally happened. The U.S. Department of Health and Human Services (HHS) has levied the first penalties against a healthcare agency. Providence Health & Services, based in Seattle, has agreed to a six-figure settlement following HIPAA security and privacy violations related to the loss of 386,000 patients' personal health information. Previous settlements had been resolved simply by requiring organizations to fix their privacy and security problems. It's no longer sufficient, however, to tell the auditors, "we'll resolve that problem."
The HHS settlement agreement states that disks containing individuals' HIPAA-protected health records were taken from employees' cars on at least five occasions in 2005 and 2006. The agreement also mandates that Providence Health and Services use encryption and other data protection policies to prevent unauthorized opening of files. Providence must also train employees on security processes and issue compliance reports to HHS for three years.

This news should eliminate the false perception among healthcare organizations
that HIPAA compliance is optional. Now that fines and monetary penalties are
on the table, it’s time for enterprises to shore up their HIPAA compliance programs,
and that means being prepared for that next audit. Here are several steps enterprises
can take to ensure a successful HIPAA audit.

What are the trends?
A quick review of HHS compliance and enforcement data shows that the top five HIPAA compliance and enforcement issues during the past few years remain virtually unchanged. Among others, common problems include impermissible uses and disclosures, safeguards and access control. These issues recur because they are the core of a successful HIPAA compliance program. They involve controls that range across the full spectrum of technical, operational and management controls. Failures of these controls may lead to inappropriate disclosure and thus bring negative attention to the organization. Unfortunately, while the overall security posture is stagnant across the healthcare industry, the number of complaints filed against an organization due to the loss or exposure of sensitive information continues to rise. Such a scenario will generally lead to a more focused audit of that particular organization as trends develop and become recognized across the industry. For example, as more laptops have been lost and/or stolen, audits have focused on the policies, procedures and technical controls related to protecting mobile devices and data.

Pre-audit meeting
Auditors don't show up without an invitation, so before meeting with them, plan to gather your staff and key personnel and review the status of all outstanding projects. Also let them know the purpose of the audit and what areas or functions the auditors are expected to focus on. Common focus areas include the accuracy and completeness of documentation, current risk assessments, review of POAMs (plans of action and milestones), current inventory, and security awareness and training. Auditors expect key staff to know what's going on in the organization. If people don't know that a security measure, like encryption for example, hasn't been implemented, the conflicting stories will be a red flag to the auditor.

Document everything
What will the auditors want to see when they arrive? Documentation and lots of it! All documentation of security procedures needs to be properly maintained and updated. In the eyes of the auditor, if it isn't in writing, then it didn't happen. All staff should be aware of the existing security policies and processes. If not, then they need proper training. You do have an awareness training program, don't you? The auditor will want to know that your team is aware of organizational policies and security practices.
It's a good idea to show up at the initial auditor meeting with copies of critical documentation, possibly including security plans, risk assessments, policies, procedures, contingency plans and disaster recovery processes. They're going to ask for it; the sooner you provide it to them, the quicker they'll be kept busy reading and digesting it all.
Communication is critical
Communication will be critical throughout the audit process. Stay in touch with the audit team, be cooperative and make sure they have what they need. In spite of the bad rap auditors get, they really are on your side. Daily briefings with the auditors and staff can ensure the process goes smoothly.
To prevent rumors, communicate with your staff as well. Staff members should be notified ahead of time if their assistance will be needed for any aspect of the audit. They should be given enough time to be prepared for interviews.

Handling any findings
No matter how thorough your work has been, there are likely to be some findings by the auditors. Don't panic! Listen thoroughly to what the auditor has to say. Not all findings are legitimate; some may stem from a misunderstanding of the environment, the implementation of controls, or mitigating factors in the environment. If there's any misunderstanding due to the specifics of your organization, you will have an opportunity to discuss the issues in a professional manner. Supporting documentation may be helpful to demonstrate where the misunderstanding lies. The auditor is not intimately familiar with your environment, so it's quite possible he or she has missed something along the way or drawn an incorrect conclusion. If that's the case, it can be worked out.
If the auditor is correct in his or her finding, however, discuss the effect of the finding in your environment. Demonstrate any mitigating factors that may have been overlooked. Above all, cooperate and be professional; a peaceful discussion will go a long way toward reaching a solution.
While I've almost never seen an audit that didn't produce some sort of findings, it is possible to reduce the effect of findings by being as prepared as possible. Accurate and complete documentation of security controls—being able to clearly demonstrate that health-related data is well-protected through encryption, access control policies, or other procedures—is the best way to prepare for and ensure a successful audit.

Randy Nash is a CISSP with more than 25 years of professional experience in information security, system security, network security, personnel security, and physical security. First certified in ADP security and risk assessment in 1984, he has a long history of work with civilian, military and government entities. Randy also maintains the security website @RISK Online, where he posts projects and articles on a wide variety of security topics.

INFORMATION SECURITY (ISSN 1096-8903) is published monthly with a combined July/Aug., Dec./Jan. issue by TechTarget, 117 Kendrick St., Suite 800, Needham, MA 02494 U.S.A.; Phone 781-657-1000; Fax 781-657-1100.

All rights reserved. Entire contents, Copyright © 2009 TechTarget. No part of this publication may be transmitted or reproduced in any form, or by any means without permission in writing from the publisher, TechTarget or INFORMATION SECURITY.
