Home page logo

basics logo Security Basics mailing list archives

RE: HIPAA certs
From: "Tucker, Jason" <JTucker () libertymgt com>
Date: Mon, 24 Feb 2003 16:34:46 -0500

It's true that HIPPA will take effect on April 16th, but it does not become
effective for enforcement purposes until April 2005, as mandated in the just
published security rules.  They have to get moving, but no one is in SERIOUS
trouble yet.

-----Original Message-----
From: Robinson, Sonja [mailto:SRobinson () HIPUSA com]
Sent: Friday, February 21, 2003 10:21 AM
To: 'Jason Hastain'; 'security-basics () securityfocus com'
Subject: RE: HIPAA certs

If they are just thinking about it now they're in some serious trouble.
You've got until April 16th to basically comply or chance being fined
heavily at a minimum and $20K is just for starters.  If they comply with ISO
17799 then they should be relatively OK EXCEPT where they are dealing with
PHI and disclosing it.  It's stuff they should have already been complying
with anyway.  They'll need to start writing FORMAL policies out the wazoo
and actually complying with them.  

I will focus on the PHI security aspect of it for you since this is critical
and I'm sure that the other general security measures you are well aware of.

PHI is Protected Healthcare Info (individually identifiable health
information)- that identifies the individual or can be a reasonable basis to
believe the info can be used to identify and individual.  Some examples are,
Member ID, Group ID, SSN, Phone #'s, gender, zip code, address, age, etc.

ANY PHI and I mean ANY that leaves that office by ANY means must be secured.
If it is electronic, it must be encrypted, this includes FTP, e-mail,
attachments, etc.  And that includes info going between pharmacies, doctors,
insurance companies, pharmaceutical companies, vendors, labs, hospitals,
patients, etc. You only really have to worry about what leaves your office,
not what comes in (but you still have to keep it secured while it's in your
possession) If PHI leaves on removable media it has to be PHYSICALLY Secured
and documented with Chain of Custody until delivery (i.e. FEDEX, UPS and
Certified Mail are fine).  If it leaves the office so that someone can work
at home, you've got some issues.  You have to make sure that NO ONE has
access to that info - so the kids should not be able to access it on that
Home PC.  If it is FAXED, security measures must be in place to ensure that
the info is being picked up by the right person.  PHI documents (hard copy)
must not be left where unauthorized people can see them (including other
patients). Disclosure of any PHI is severely restricted - health care
workers should be sure that their telephone conversations with patients are
not overheard by unauthorized parties.  PHI can not be disclosed to anyone
other than the patient except under certain conditions.  Obviously insurance
companies, other doctors, etc. are exempt as long as they follow the rules
above.  Giving out info to a spouse, family member, etc is prohibited except
under VERY STRICT circumstances, such as patient unconsciousness, life
threatening instances, waivers signed, etc.  These are obviously just
examples and are not all encompassing.

Doctors should NOT be accepting any PHI on any e-mail servers external to
their network unless it is stored and viewed through an encrypted mechanism
(i.e. AOL, MSN, YAHOO...)  If it is sent to say an AOL address the Sender
must ensure that it is sent encrypted.  There are a number of e-mail
encryption mechanisms (network and client based) but your doctor will want a
"send anywhere" feature that is transparent to the recipient and so that
anyone can receive it.  Key management such as PGP may be too difficult for
them  so look for other options such as Kryptiq, Sigaba, Zix to name a
few.... PGP of course is acceptable encryption  as long as they are willing
to do key exchanges with all of their e-mail recipients.

As for investigations, that is up to the feds and since it hasn't hit the
deadline.  Best guess, they will investigate claims of PHI leaks and do ad
hoc elsewhere since they don't have the manpower.

Here is a good test for you to answer when securing the information and
complying - if this was YOUR doctor would you want your Information in
HIS/HER hands or his employees?  Is it secure enough for you to feel
comfortable?  If the answer is no, then there is a problem.  You also have
to remember that these people are NOT security people and that IT is not
their business so they don't have a clue what is really needed and why.
They just need it easy to use/maintain and cheap. It'll be tough trying to
get all those patches in and firewall rules set and consistently maintained.

I just pray they are not wireless LAN's because odds are that traffic is NOT
encrypted AND the SSID's are poor or default.

Also, please remember that Security Awareness Training for doctor's
employees is also required by HIPAA and by ISO 17799.  This includes IT
awareness as well as legal awareness and PHI security.

To make matters worse, the feds still have not come up with some
clarifications that they should have.



-----Original Message-----
From: Jason Hastain [mailto:hastain () sbcglobal net] 
Sent: Thursday, February 20, 2003 1:29 PM
To: security-basics () securityfocus com
Subject: HIPAA certs

hey all,

I have a few clients who are doctors running small practices. 
 They have small LAN's and DSL connectinos behind a simple 
NAT router/firewall in one case and persoanl FW's in the 
other (unfortunatly not my decision in either case).

Each has approached me about the HIPAA certs in the last 
week.  I have read through what seams reams of pages on it b 
ut have been unable to deduce anything other than general 
good security practices.  Strong passwords, offsite encrypted 
backups, real firewalls, etc and so on.

Can anyone shed some light onto this subject or point me to a 
document with only the IT requirements prefereably boiled 
down to something simple?

And also has anyone had any experience yet with the HIPAA 
investigators or quality control people checking on a site?  
any ideas what they are looking for?

I understand it is a 20k dollar fine for each infraction so I 
would hate for it to be on my watch.


Jason Hastain
Hastain Consulting

This message is a PRIVILEGED AND CONFIDENTIAL communication, and is intended
only for the individual(s) named herein or others specifically authorized to
receive the communication. If you are not the intended recipient, you are
hereby notified that any dissemination, distribution or copying of this
communication is strictly prohibited. If you have received this
communication in error, please notify the sender of the error immediately,
do not read or use the communication in any manner, destroy all copies, and
delete it from your system if the communication was sent via email. 


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]