Home page logo
/

basics logo Security Basics mailing list archives

Re: Healthcare Standards and Regulations
From: John Morrison <john.morrison101 () googlemail com>
Date: Fri, 16 Apr 2010 10:05:50 +0100

Jason,

It looks like many suppliers have moved on from selling HIPAA
compliance to a wider sales pitch. Also, I found the same as you that
the official sites don't give any information that is detailed enough.
This is in contrast to, say, PCI that has clear guidance and check
lists.

All I could find with diagrams was the following:

Sun B2B Suite HIPAA Protocol Manager User's Guide
http://docs.sun.com/app/docs/doc/820-1277/agcjh?a=view

Cisco Healthcare Security Perspectives: Protect Your Patients, Your
Practice, Yourself Technical Implementation Guide
http://www.cisco.com/web/strategy/docs/healthcare/health_security_impgd.pdf
(Page 11 has the first)

Plus some templates at http://www.endhack.com/better_than_templates.htm



Has your California office already done all the work and you can copy this?

Could the Montana Department of Public Health & Human Services provide any help?

There may be some books on Amazon.

On 15 April 2010 20:22, Jason Kolpin <jasonk () ncat org> wrote:
I've looked here and now have looked again. Is it just me or is there
absolutely no cut and dry guidance for the physical and logical network
design regulations for healthcare IT infrastructures? I can sit and read and
read to get my one or two sentences per document that covers what I am
positive is a tiny chunk of the entire whole, but is this really necessary?
Somewhere there must be some cut and dry list of HIPAA requirements for IT
infrastructure, segmentation, firewalling, and data security. I'm not so
concerned about the software or services, I am positive I can manage that
what I am concerned about is not having the email server sharing a zone that
their medical records zone is or whatever the requirements may be. I'm also
concerned about network user policy and the regulations that apply there as
well including vlan implementation, what doctors should be able to see and
do as well as what others should and should not be able to do. Nice guess at
California as we have offices there, I am in MT though.

I also must note that at a glance the suggestion from another post to read
NIST P-800-66 looks promising to a degree.

Jason Kolpin
Web Specialist
National Center for Appropriate Technology
www.ncat.org



John Morrison wrote:

Jason,

As you are in California I assume the main regulation is HIPAA. Have
you tried the HIPAA Resource Center
(http://www.aishealth.com/Compliance/HIPAAResource.html) as a starting
point?

Also, do the suppliers of the products have any literature?

On 14 April 2010 23:22, Jason Kolpin <jasonk () ncat org> wrote:


Hello!

I have been approached by a small medical practice to build an
infrastructure from the ground up. After some research I decided I knew
nothing about best practices and such in this environment, these folks
are
in a rural area and have no clue who to contact, I am at a loss as well
other than a big company like Seimans or something. It would be greatly
appreciated if anyone on this list knew of a place where I could get some
solid information on this subject, refer these folks to a company that
does
this sort of thing, or offer some advice for a situation such as this.
It's
not like I am completely clueless concerning server setup and stuff like
that, I work IT, I am more interested in security related information
such
as typical physical layout for the network, IE firewalling and
data/service
separation issues.

Excuse my ignorance here as this is completely new to me.
I have been asked about LIS, RIS, PM, patient records server,
scheduling/calendar, billing, email server, domain controller, VPN from
two
locations and some more. I'm just looking for some simple "stick man"
drawings of a typical physical layout using this type of stuff, as well
as a
place I might go to find out about required/mandated policies and such,
and
even a few hints on policies you may know that you find important in a
situation such as this.

FYI I have already informed these people I am not the man for the job as
the
risk is too great for me should something bad happen but they are
probably
going to use me as a consultant, they have no IT staff and are completely
clueless about how the simplest of things work.

I know this is a lot to ask of a mailing list so no surprise if I get no
response.

--
Jason Kolpin
Web Specialist
National Center for Appropriate Technology
www.ncat.org



------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an
SSL
certificate.  We look at how SSL works, how it benefits your company and
how
your customers can tell if a site is secure. You will find out how to
test,
purchase, install and use a thawte Digital Certificate on your Apache web
server. Throughout, best practices for set-up are highlighted to help you
ensure efficient ongoing management of your encryption keys and digital
certificates.


http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------




------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL
certificate.  We look at how SSL works, how it benefits your company and how
your customers can tell if a site is secure. You will find out how to test,
purchase, install and use a thawte Digital Certificate on your Apache web
server. Throughout, best practices for set-up are highlighted to help you
ensure efficient ongoing management of your encryption keys and digital
certificates.


http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------






------------------------------------------------------------------------
Securing Apache Web Server with thawte Digital Certificate
In this guide we examine the importance of Apache-SSL and who needs an SSL certificate.  We look at how SSL works, how 
it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, 
install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are 
highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates.

http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]