
What does HIPAA really mean?


10 replies to this topic

#1 Irongeek

    Dangerous free thinker

  • Agents of the Revolution
  • 1,516 posts
  • Location:Louisville, Ky more or less

Posted 18 April 2006 - 08:26 AM

Ok, I’ve been Googling around, and I understand that the basics of HIPAA (Health Insurance Portability and Accountability Act) from a computer security perspective are to keep all patient information on a need-to-know basis. But when I look around for real tech guidelines all I get is loose “policy” information, nothing like “You must use at least 104 bit WEP on WAPs” or anything technical. My question is, what does HIPAA really mean from a security tech’s perspective? How do you know you’re “compliant”? I've gotten some good info on another forum, but I figured I'd ask the BinRevers too.

#2 spinlock

    I broke 10 posts and all I got was this lousy title!

  • Members
  • 13 posts

Posted 19 April 2006 - 07:35 PM

I'm not sure I'm helping much, but I thought this sounded interesting enough to do a little research myself, so I figure I'd share what I found.

Over at SANS is a white paper called Risk Analysis for HIPAA Compliancy (PDF). It describes a real world configuration intended to meet the HIPAA standard. It also mentions using nmap to take an inventory of system assets, as well as using Nessus for vulnerability assessment. It has an interesting mention of wireless LANs: "Current policy dictates that wireless LANs are not used by GIAC Health. Any access points detected on the GIAC Health network are in violation of policy." It's a tad ambiguous as to whether that is the company's own policy or in HIPAA's policies. It mentions using Net Stumbler to find rogue APs on the network.

A far more in-depth document seems to be HIPAA Security Implementation, a publication of SANS Press. It looks like it covers actual hardware and software configurations that meet the HIPAA standard, but it's not free and is quite expensive.

HIPAA and PDAs (PDF) - Slides from a presentation, so there's not much real information in there. I found it amusing that one of the slides is actually a screen capture from one of the Matrix movies. The link for info on the presentation is here, though it's mostly schedule and speaker information.

That's about all I could find so far, at least as far as real implementations that meet HIPAA guidelines. Just from my nosing about and the lack of (free) information about specific hardware and software leads me to think that the HIPAA might not actually specify specific hardware, protocols, encryption algorithms, etc but rather just policies that enforce "good" security practices with respect to the sensitive information involved, and intended to be used in environments that perhaps meet some other technological standard. But that's just my guess, and I could be off the mark. Good luck on finding out more, hope I helped a little bit. :-)
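As an added illustration of the asset-inventory step spinlock mentions (this is example code, not from the thread or from the SANS paper): nmap's grepable output (-oG) is parsed and compared against an approved asset list, so a host or a listening service that nobody inventoried stands out as a policy deviation to investigate. The inventory, the addresses and the scan lines are constructed for the example.

```python
"""Added example, not code from the thread or the SANS paper: parse nmap's
grepable output (-oG) and compare what answered on the network against an
approved asset inventory. The inventory and scan lines are constructed."""
import re

# Constructed approved inventory: address -> ports that are expected to be open.
INVENTORY = {
    "10.0.5.1": {22},          # switch management interface
    "10.0.5.10": {22, 443},    # EHR web front end
    "10.0.5.11": {22, 1433},   # database server
}

# Constructed scan output in nmap's grepable format: fields are tab-separated,
# and each port entry is port/state/protocol/owner/service/rpc-info/version.
SCAN = """\
# Nmap scan initiated as: nmap -sS -oG - 10.0.5.0/24
Host: 10.0.5.1 ()\tStatus: Up
Host: 10.0.5.1 ()\tPorts: 22/open/tcp//ssh///\tIgnored State: closed (1670)
Host: 10.0.5.10 ()\tStatus: Up
Host: 10.0.5.10 ()\tPorts: 22/open/tcp//ssh///, 443/open/tcp//https///, 3389/open/tcp//ms-term-serv///\tIgnored State: closed (1668)
Host: 10.0.5.11 ()\tStatus: Up
Host: 10.0.5.11 ()\tPorts: 22/open/tcp//ssh///, 1433/open/tcp//ms-sql-s///\tIgnored State: closed (1669)
Host: 10.0.5.77 ()\tStatus: Up
Host: 10.0.5.77 ()\tPorts: 80/open/tcp//http///\tIgnored State: closed (1670)
# Nmap done -- 256 IP addresses (4 hosts up) scanned
"""

HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(")


def parse_grepable(text: str) -> dict:
    """Return {address: set of open ports} for every Host: line in the output."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue                      # comment lines and blanks
        addr = m.group(1)
        ports = hosts.setdefault(addr, set())
        for field in line.split("\t"):
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) >= 3 and parts[1] == "open":
                    ports.add(int(parts[0]))
    return hosts


def compare_to_inventory(scan: dict, inventory: dict) -> list:
    """List deviations from the inventory as (kind, address, ports) tuples."""
    findings = []
    for addr, ports in scan.items():
        if addr not in inventory:
            findings.append(("unknown host", addr, sorted(ports)))
        elif ports - inventory[addr]:
            findings.append(("unapproved service", addr, sorted(ports - inventory[addr])))
    for addr in inventory:
        if addr not in scan:
            findings.append(("inventoried host not seen", addr, []))
    return findings


if __name__ == "__main__":
    for kind, addr, ports in compare_to_inventory(parse_grepable(SCAN), INVENTORY):
        print(f"{kind:28} {addr:12} {ports}")
```

Run against the constructed scan it reports the terminal-services port on the EHR front end as an unapproved service and 10.0.5.77 as an unknown host; a box nobody inventoried is exactly the kind of thing the paper's "any access point detected ... is in violation of policy" language is aimed at, and the inventory file is what an auditor asks to see next to the policy.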

#3 Irongeek

    Dangerous free thinker

  • Agents of the Revolution
  • 1,516 posts
  • Location:Louisville, Ky more or less

Posted 19 April 2006 - 07:59 PM

Yes, that helps quite a bit. Thanks.

#4 tiocsti

    rekcah-rebÜ

  • Banned
  • 676 posts

Posted 19 April 2006 - 08:23 PM

> Ok, I’ve been Googling around, and I understand that the basics of HIPAA (Health Insurance Portability and Accountability Act) from a computer security perspective are to keep all patient information on a need-to-know basis. But when I look around for real tech guidelines all I get is loose “policy” information, nothing like “You must use at least 104 bit WEP on WAPs” or anything technical. My question is, what does HIPAA really mean from a security tech’s perspective? How do you know you’re “compliant”? I've gotten some good info on another forum, but I figured I'd ask the BinRevers too.

HIPAA, much like Sarbanes-Oxley, is really mostly about auditing. Specifying things at the level of specific technologies would be a very stupid idea anyways. My understanding of the law is it is divided into three areas:

1: administrative mechanisms to protect integrity, availability, confidentiality of patient data (this is mostly on the policy side -- having specific policies in place that protect this data)

2: physical protection -- implementation of policy from a physical point of view; making sure only people who need patient data have access to it, from paper copies of the data to physical access to the computers storing it, etc.

3: technical safeguards to protect data (enforcement of policy)

The law itself is technology neutral (as it should be), and is mostly designed so that formal policies are in place, and you have technical means to enforce those policies.

There is a significant audit process that's mandatory, to prove to outside auditors that you a: have a policy and b: are actually enforcing it. From a security practitioner's perspective, HIPAA requirements for an organization will be driven from the administrative policy, and do not really stand on their own. There are certain prerequisites for the policy, but it's really more strategic than tactical.



#5 SUB-S0NIX

    !Pee-Wee Pimpin!

  • Members
  • 1,381 posts

Posted 20 April 2006 - 01:10 AM

http://en.wikipedia.org/wiki/HIPAA Don't know if you checked out Wikipedia yet..

#6 Irongeek

    Dangerous free thinker

  • Agents of the Revolution
  • 1,516 posts
  • Location:Louisville, Ky more or less

Posted 20 April 2006 - 07:21 AM

> http://en.wikipedia.org/wiki/HIPAA Don't know if you checked out Wikipedia yet..

Yes I did, thanks. Not much of any tech stuff in that article.

#7 xof7

    Hakker addict

  • Members
  • 558 posts
  • Location:Spokane, Washington

Posted 20 April 2006 - 11:21 PM

I don't know of the exacts of the HIPAA laws, but I do work in a medical laboratory and I may be able to request a copy of the standards, and if I can I will either scan em or send a copy to u.

Edited by xof7, 21 April 2006 - 04:07 PM.


#8 ziptree

    What number are we thinking of?

  • Members
  • 69 posts

Posted 21 April 2006 - 01:44 AM

> I don't know of the exacts of the HIPPA laws, but I do work in a medical laboratory and I may be able to request a copy of the standards, and if I can I will either scan em or send a copy to u.

I'm a student at a big medical complex/school...and all I know about HIPPA and security is that when I access patients' medical records, I have to do so through wired ethernet. No wireless access at all...and the area where we can plug into the Intranet system has no wireless access at all; actually, providing wireless access is prohibited just in case you have a trojan or whatnot on your laptop.

We're not supposed to store patient records on our laptops at any time either.

#9 SisterChristian

    Will I break 10 posts?

  • Members
  • 4 posts
  • Location:Walnut Creek, CA

Posted 21 April 2006 - 10:30 AM

> No wireless access at all...and the area where we can plug into the Intranet system has no wireless access at all; actually, providing wireless access is prohibited just in case you have a trojan or whatnot on your laptop.
>
> We're not supposed to store patient records on our laptops at any time either.

HIPAA doesn't actually require that, but your school, in order to implement HIPAA, may have taken those steps.

HIPAA really came into effect in two stages, Privacy and Security. The Privacy portion was mostly non-techie. It covered access to patient records, both for only authorized personnel and providing the ability for the patient to request a "Full" copy of their medical record. Mostly policy and procedure stuff.

Now Security did have techie portions; however, it never specified a specific technology. So it would say transactions that occur over the internet that contain PHI (Protected Health Information) must be encrypted, but it wouldn't specify a minimum requirement. For example, a password protected zip file would qualify as "encryption".

It also required organizations to audit each other for compliance (which is annoying) and to have disaster recovery plans (duh), and pointed heavily toward using NIST guidelines for policy and procedure (there was a lot of copy/paste going on). Also obvious things like applications having unique usernames and passwords for each user, or where possible enabling auditing.

Most of HIPAA requires that health care providers look at the regulations and either comply or document why they are not in compliance. Oddly enough, the regs allow for "costs too much" to be an excuse.

Edited by SisterChristian, 21 April 2006 - 11:53 AM.
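
Putting tiocsti's "policy in place, technical means to enforce it, audit trail to prove it" and SisterChristian's "unique usernames for each user, enable auditing" points into code, here is an added example (not code from the thread, and not any particular HIPAA product): a need-to-know policy written down as data, a check that enforces it on every PHI read, and a tamper-evident audit log that an outside auditor can verify later. The roles, the policy table, the patient record, the user names and the log key are all constructed for the example.

```python
"""Added example, not from the thread: an administrative need-to-know policy
expressed as data, a technical safeguard that enforces it on every PHI read,
and a tamper-evident audit log that an auditor can verify afterwards.
Roles, the policy table, the patient record and the log key are constructed."""
import hashlib
import hmac
import json
import time

# Constructed administrative policy: which role may read which PHI fields
# (the "need to know" idea from the first post). Billing never sees notes.
POLICY = {
    "physician": {"name", "dob", "diagnosis", "notes"},
    "nurse": {"name", "dob", "diagnosis"},
    "billing": {"name", "insurance_id"},
}

# Constructed patient record keyed by a constructed patient id.
RECORDS = {
    "P-1001": {
        "name": "Example Patient",
        "dob": "1970-01-01",
        "diagnosis": "example-dx",
        "notes": "example clinical notes",
        "insurance_id": "INS-0000",
    },
}


class AuditLog:
    """Append-only log in which every entry's MAC covers the previous entry's
    MAC, so deleting, reordering or editing an entry breaks verify().
    The key belongs outside the application (e.g. with the audit function);
    here it is a constructed constant passed in by the caller."""

    GENESIS = "0" * 64

    def __init__(self, key: bytes):
        self.key = key
        self.entries = []
        self.last_mac = self.GENESIS

    def _mac(self, prev_mac: str, body: str) -> str:
        return hmac.new(self.key, (prev_mac + body).encode(), hashlib.sha256).hexdigest()

    def append(self, event: dict) -> None:
        body = json.dumps(event, sort_keys=True)
        mac = self._mac(self.last_mac, body)
        self.entries.append({"body": body, "mac": mac})
        self.last_mac = mac

    def verify(self) -> bool:
        """Recompute the chain from the start; False on any break."""
        prev = self.GENESIS
        for entry in self.entries:
            if not hmac.compare_digest(self._mac(prev, entry["body"]), entry["mac"]):
                return False
            prev = entry["mac"]
        return True


def access_phi(log: AuditLog, user: str, role: str, patient_id: str, fields: set) -> dict:
    """Technical safeguard: release only fields the role may see, and record
    the decision (granted or denied) under the individual user's name.
    A request reaching outside the role's need-to-know is refused whole
    (fail closed) rather than silently trimmed."""
    allowed = POLICY.get(role, set())
    granted = set(fields) & allowed
    denied = set(fields) - allowed
    log.append({
        "ts": time.time(),
        "user": user,            # one identity per person, never a shared login
        "role": role,
        "patient": patient_id,
        "granted": sorted(granted),
        "denied": sorted(denied),
    })
    if denied:
        raise PermissionError(f"{user} ({role}) not permitted: {sorted(denied)}")
    record = RECORDS[patient_id]
    return {f: record[f] for f in granted}


if __name__ == "__main__":
    log = AuditLog(b"constructed-audit-key")
    print(access_phi(log, "dr_a", "physician", "P-1001", {"name", "diagnosis"}))
    try:
        access_phi(log, "clerk_b", "billing", "P-1001", {"name", "diagnosis"})
    except PermissionError as e:
        print("denied:", e)
    print("audit chain intact:", log.verify())
    log.entries[0]["body"] = log.entries[0]["body"].replace("dr_a", "nurse_c")
    print("after tampering:", log.verify())
```

The policy table is the administrative piece an auditor reads; `access_phi` is the technical enforcement; the chained log is how you show both that a policy exists and that it was applied to every access, including the refused ones. Changing a single stored entry afterwards makes `verify()` fail, which is the property you want when the log itself is the evidence.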


#10 tokachu

    SUPR3M3 31337 Mack Daddy P1MP

  • Agents of the Revolution
  • 458 posts
  • Gender:Male

Posted 21 April 2006 - 11:28 AM

One "P", two "A"'s. <_<

#11 SisterChristian

    Will I break 10 posts?

  • Members
  • 4 posts
  • Location:Walnut Creek, CA

Posted 21 April 2006 - 11:54 AM

> One "P", two "A"'s. <_<

:%s/HIPPA/HIPAA/g



