mailing list archives
RE: HIPAA certs
From: "Robinson, Sonja" <SRobinson () HIPUSA com>
Date: Fri, 21 Feb 2003 10:20:44 -0500
If they are just thinking about it now they're in some serious trouble.
You've got until April 16th to basically comply or chance being fined
heavily at a minimum and $20K is just for starters. If they comply with ISO
17799 then they should be relatively OK EXCEPT where they are dealing with
PHI and disclosing it. It's stuff they should have already been complying
with anyway. They'll need to start writing FORMAL policies out the wazoo
and actually complying with them.
I will focus on the PHI security aspect of it for you since this is critical
and I'm sure that the other general security measures you are well aware of.
PHI is Protected Healthcare Info (individually identifiable health
information)- that identifies the individual or can be a reasonable basis to
believe the info can be used to identify and individual. Some examples are,
Member ID, Group ID, SSN, Phone #'s, gender, zip code, address, age, etc.
ANY PHI and I mean ANY that leaves that office by ANY means must be secured.
If it is electronic, it must be encrypted, this includes FTP, e-mail,
attachments, etc. And that includes info going between pharmacies, doctors,
insurance companies, pharmaceutical companies, vendors, labs, hospitals,
patients, etc. You only really have to worry about what leaves your office,
not what comes in (but you still have to keep it secured while it's in your
possession) If PHI leaves on removable media it has to be PHYSICALLY Secured
and documented with Chain of Custody until delivery (i.e. FEDEX, UPS and
Certified Mail are fine). If it leaves the office so that someone can work
at home, you've got some issues. You have to make sure that NO ONE has
access to that info - so the kids should not be able to access it on that
Home PC. If it is FAXED, security measures must be in place to ensure that
the info is being picked up by the right person. PHI documents (hard copy)
must not be left where unauthorized people can see them (including other
patients). Disclosure of any PHI is severely restricted - health care
workers should be sure that their telephone conversations with patients are
not overheard by unauthorized parties. PHI can not be disclosed to anyone
other than the patient except under certain conditions. Obviously insurance
companies, other doctors, etc. are exempt as long as they follow the rules
above. Giving out info to a spouse, family member, etc is prohibited except
under VERY STRICT circumstances, such as patient unconsciousness, life
threatening instances, waivers signed, etc. These are obviously just
examples and are not all encompassing.
Doctors should NOT be accepting any PHI on any e-mail servers external to
their network unless it is stored and viewed through an encrypted mechanism
(i.e. AOL, MSN, YAHOO...) If it is sent to say an AOL address the Sender
must ensure that it is sent encrypted. There are a number of e-mail
encryption mechanisms (network and client based) but your doctor will want a
"send anywhere" feature that is transparent to the recipient and so that
anyone can receive it. Key management such as PGP may be too difficult for
them so look for other options such as Kryptiq, Sigaba, Zix to name a
few.... PGP of course is acceptable encryption as long as they are willing
to do key exchanges with all of their e-mail recipients.
As for investigations, that is up to the feds and since it hasn't hit the
deadline. Best guess, they will investigate claims of PHI leaks and do ad
hoc elsewhere since they don't have the manpower.
Here is a good test for you to answer when securing the information and
complying - if this was YOUR doctor would you want your Information in
HIS/HER hands or his employees? Is it secure enough for you to feel
comfortable? If the answer is no, then there is a problem. You also have
to remember that these people are NOT security people and that IT is not
their business so they don't have a clue what is really needed and why.
They just need it easy to use/maintain and cheap. It'll be tough trying to
get all those patches in and firewall rules set and consistently maintained.
I just pray they are not wireless LAN's because odds are that traffic is NOT
encrypted AND the SSID's are poor or default.
Also, please remember that Security Awareness Training for doctor's
employees is also required by HIPAA and by ISO 17799. This includes IT
awareness as well as legal awareness and PHI security.
To make matters worse, the feds still have not come up with some
clarifications that they should have.
**THESE STATEMENTS ARE NOT NECESSARILY THE OPINION OF MY EMPLOYER AND THEY
SHOULD NOT BE CONSTRUED AS SUCH. THEY ARE WHOLLY AND INDIVIDUALLY MINE.**
From: Jason Hastain [mailto:hastain () sbcglobal net]
Sent: Thursday, February 20, 2003 1:29 PM
To: security-basics () securityfocus com
Subject: HIPAA certs
I have a few clients who are doctors running small practices.
They have small LAN's and DSL connectinos behind a simple
NAT router/firewall in one case and persoanl FW's in the
other (unfortunatly not my decision in either case).
Each has approached me about the HIPAA certs in the last
week. I have read through what seams reams of pages on it b
ut have been unable to deduce anything other than general
good security practices. Strong passwords, offsite encrypted
backups, real firewalls, etc and so on.
Can anyone shed some light onto this subject or point me to a
document with only the IT requirements prefereably boiled
down to something simple?
And also has anyone had any experience yet with the HIPAA
investigators or quality control people checking on a site?
any ideas what they are looking for?
I understand it is a 20k dollar fine for each infraction so I
would hate for it to be on my watch.
This message is a PRIVILEGED AND CONFIDENTIAL communication, and is intended only for the individual(s) named herein or
others specifically authorized to receive the communication. If you are not the intended recipient, you are hereby
notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have
received this communication in error, please notify the sender of the error immediately, do not read or use the
communication in any manner, destroy all copies, and delete it from your system if the communication was sent via