Home page logo
/

basics logo Security Basics mailing list archives

RE: Healthcare Standards and Regulations
From: Mattias Baecklund <mattias.baecklund () ifsworld com>
Date: Fri, 16 Apr 2010 09:19:56 +0200

Put medical records and that stuff on one network. Put email and internet access on another network. Make the two 
networks physically separate from one another and don't connect the medical network to the internet if you don't 
absolutely must do that (read gov regulation). You would have "surf" computers. Also look in to PCI-DSS if they are 
going to handle credit cards as a form of payment for there services. 

That's my instinctive train of thought.



Mattias Baecklund
SOFTWARE SECURITY ENGINEER 
Foundation 1 | Research & Development
 Please consider the environment before printing my email 


-----Original Message-----
From: listbounce () securityfocus com
[mailto:listbounce () securityfocus com] On Behalf Of Jason Kolpin
Sent: den 15 april 2010 21:22
To: John Morrison
Cc: security-basics () securityfocus com
Subject: Re: Healthcare Standards and Regulations

I've looked here and now have looked again. Is it just me or is there
absolutely no cut and dry guidance for the physical and logical network
design regulations for healthcare IT infrastructures? I can sit and
read
and read to get my one or two sentences per document that covers what I
am positive is a tiny chunk of the entire whole, but is this really
necessary? Somewhere there must be some cut and dry list of HIPAA
requirements for IT infrastructure, segmentation, firewalling, and data
security. I'm not so concerned about the software or services, I am
positive I can manage that what I am concerned about is not having the
email server sharing a zone that their medical records zone is or
whatever the requirements may be. I'm also concerned about network user
policy and the regulations that apply there as well including vlan
implementation, what doctors should be able to see and do as well as
what others should and should not be able to do. Nice guess at
California as we have offices there, I am in MT though.

I also must note that at a glance the suggestion from another post to
read NIST P-800-66 looks promising to a degree.

Jason Kolpin
Web Specialist
National Center for Appropriate Technology
www.ncat.org



John Morrison wrote:
Jason,

As you are in California I assume the main regulation is HIPAA. Have
you tried the HIPAA Resource Center
(http://www.aishealth.com/Compliance/HIPAAResource.html) as a
starting
point?

Also, do the suppliers of the products have any literature?

On 14 April 2010 23:22, Jason Kolpin <jasonk () ncat org> wrote:

Hello!

I have been approached by a small medical practice to build an
infrastructure from the ground up. After some research I decided I
knew
nothing about best practices and such in this environment, these
folks are
in a rural area and have no clue who to contact, I am at a loss as
well
other than a big company like Seimans or something. It would be
greatly
appreciated if anyone on this list knew of a place where I could get
some
solid information on this subject, refer these folks to a company
that does
this sort of thing, or offer some advice for a situation such as
this. It's
not like I am completely clueless concerning server setup and stuff
like
that, I work IT, I am more interested in security related
information such
as typical physical layout for the network, IE firewalling and
data/service
separation issues.

Excuse my ignorance here as this is completely new to me.
I have been asked about LIS, RIS, PM, patient records server,
scheduling/calendar, billing, email server, domain controller, VPN
from two
locations and some more. I'm just looking for some simple "stick
man"
drawings of a typical physical layout using this type of stuff, as
well as a
place I might go to find out about required/mandated policies and
such, and
even a few hints on policies you may know that you find important in
a
situation such as this.

FYI I have already informed these people I am not the man for the
job as the
risk is too great for me should something bad happen but they are
probably
going to use me as a consultant, they have no IT staff and are
completely
clueless about how the simplest of things work.

I know this is a lot to ask of a mailing list so no surprise if I
get no
response.

--
Jason Kolpin
Web Specialist
National Center for Appropriate Technology
www.ncat.org



--------------------------------------------------------------------
----
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs
an SSL
certificate.  We look at how SSL works, how it benefits your company
and how
your customers can tell if a site is secure. You will find out how
to test,
purchase, install and use a thawte Digital Certificate on your
Apache web
server. Throughout, best practices for set-up are highlighted to
help you
ensure efficient ongoing management of your encryption keys and
digital
certificates.


http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be44
2f727d1
--------------------------------------------------------------------
----




---------------------------------------------------------------------
---
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs
an SSL certificate.  We look at how SSL works, how it benefits your
company and how your customers can tell if a site is secure. You will
find out how to test, purchase, install and use a thawte Digital
Certificate on your Apache web server. Throughout, best practices for
set-up are highlighted to help you ensure efficient ongoing management
of your encryption keys and digital certificates.


http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be44
2f727d1
---------------------------------------------------------------------
---





-----------------------------------------------------------------------
-
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an
SSL certificate.  We look at how SSL works, how it benefits your
company and how your customers can tell if a site is secure. You will
find out how to test, purchase, install and use a thawte Digital
Certificate on your Apache web server. Throughout, best practices for
set-up are highlighted to help you ensure efficient ongoing management
of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be44
2f727d1
-----------------------------------------------------------------------
-


------------------------------------------------------------------------------

CONFIDENTIALITY AND DISCLAIMER NOTICE

This e-mail, including any attachments, is confidential and for use only by
the intended recipient. If you are not the intended recipient, please notify
us immediately and delete this e-mail from your system. Any use or disclosure
of the information contained herein is strictly prohibited. As internet
communications are not secure, we do not accept legal responsibility for the
contents of this message nor responsibility for any change made to this
message after it was sent by the original sender. We advise you to carry out
your own virus check as we cannot accept liability for damage resulting from
software viruses.


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault