Irongeek

What does HIPAA really mean?

11 posts in this topic

Ok, I’ve been Googling around, and I understand that the basics of HIPAA (Health Insurance Portability and Accountability Act) from a computer security perspective are to keep all patient information on a need-to-know basis. But when I look around for real tech guidelines all I get is loose “policy” information, nothing like “You must use at least 104-bit WEP on WAPs” or anything technical. My question is, what does HIPAA really mean from a security tech’s perspective? How do you know you’re “compliant”? I've gotten some good info on another forum, but I figured I'd ask the BinRevers too.


I'm not sure I'm helping much, but I thought this sounded interesting enough to do a little research myself, so I figure I'd share what I found.

Over at SANS is a white paper called Risk Analysis for HIPAA Compliancy (PDF). It describes a real world configuration intended to meet the HIPAA standard. It also mentions using nmap to take an inventory of system assets, as well as using Nessus for vulnerability assessment. It has an interesting mention of wireless LANs: "Current policy dictates that wireless LANs are not used by GIAC Health. Any access points detected on the GIAC Health network are in violation of policy." It's a tad ambiguous as to whether that is the company's own policy or in HIPAA's policies. It mentions using Net Stumbler to find rogue APs on the network.

A far more in-depth document seems to be HIPAA Security Implementation, a publication of SANS Press. It looks like it covers actual hardware and software configurations that meet HIPAA standard, but it's not free and is quite expensive.

HIPAA and PDAs (PDF) - Slides from a presentation, so there's not much real information in there. I found it amusing that one of the slides is actually a screen capture from one of the Matrix movies. The link for info on the presentation is here, though it's mostly schedule and speaker information.

That's about all I could find so far, at least as far as real implementations that meet HIPAA guidelines. Just from my nosing about and the lack of (free) information about specific hardware and software leads me to think that the HIPAA might not actually specify specific hardware, protocols, encryption algorithms, etc but rather just policies that enforce "good" security practices with respect to the sensitive information involved, and intended to be used in environments that perhaps meet some other technological standard. But that's just my guess, and I could be off the mark. Good luck on finding out more, hope I helped a little bit. :-)


Yes, that helps quite a bit. Thanks.


hipaa, much like sarbanes-oxley, is really mostly about auditing. Specifying things at the level of specific technologies would be a very stupid idea anyways. My understanding of the law is it is divided into three areas:

1: administrative mechanisms to protect integrity, availability, confidentiality of patient data (this is mostly on the policy side -- having specific policies in place that protect this data)

2: physical protection -- implementation of policy from a physical point of view; making sure only people who need patient data have access to it, from paper copies of the data to physical access to the computers storing it, etc.

3: technical safeguards to protect data (enforcement of policy)

The law itself is technology neutral (as it should be), and is mostly designed so that formal policies are in place, and you have technical means to enforce those policies.

There is a significant audit process that's mandatory, to prove to outside auditors that you a: have a policy and b: are actually enforcing it. From a security practitioner's perspective, HIPAA requirements for an organization will be driven from the administrative policy, and do not really stand on their own. There are certain prerequisites for the policy, but it's really more strategic than tactical.


I don't know the exacts of the HIPAA laws, but I do work in a medical laboratory and I may be able to request a copy of the standards, and if I can I will either scan them or send a copy to you.

Edited by xof7
I don't know the exacts of the HIPAA laws, but I do work in a medical laboratory and I may be able to request a copy of the standards, and if I can I will either scan them or send a copy to you.

I'm a student at a big medical complex/school...and all I know about HIPPA and security is that when I access patients' medical records, I have to do so through wired ethernet. No wireless access at all...and the area where we can plug into the Intranet system has no wireless access at all, actually, providing wireless access is prohibited just in case you have a trojan or whatnot on your laptop.

We're not supposed to store patient records on our laptops at any time either.

No wireless access at all...and the area where we can plug into the Intranet system has no wireless access at all, actually, providing wireless access is prohibited just in case you have a trojan or whatnot on your laptop.

We're not supposed to store patient records on our laptops at any time either.

HIPAA doesn't actually require that but your school, in order to implement HIPAA, may have taken those steps.

HIPAA really came into effect in two stages, Privacy and Security. The Privacy portion was mostly non-techie. It covered access to patient records, both for only authorized personnel and providing the ability for the patient to request a "Full" copy of their medical record. Mostly policy and procedure stuff.

Now Security did have techie portions, however it never specified a specific technology. So it would say transactions that occur over the internet that contain PHI (Protected Health Information) must be encrypted, but it wouldn't specify a minimum requirement. For example, a password-protected zip file would qualify as "encryption".

It also required organizations to audit each other for compliance (which is annoying) and to have disaster recovery plans (duh), and pointed heavily toward using NIST guidelines for policy and procedure (there was a lot of copy/paste going on). Also obvious things like applications having unique usernames and passwords for each user, or enabling auditing where possible.

Most of HIPAA requires that health care providers look at the regulations and either comply or document why they are not in compliance. Oddly enough the regs allow for "costs too much" to be an excuse.

Edited by SisterChristian
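The post above boils the technical side of the Security rule down to three things: unique user identities, need-to-know access to PHI, and auditing wherever possible. The following is an added example, not code from anyone in this thread, showing what those three safeguards look like together in a small access gateway: every read of a record is checked against a per-record care team and written to an audit trail whether it was allowed or denied, and the trail can be summarised to spot accounts that keep being refused. All user names, record identifiers and record contents are constructed for illustration.

```python
"""Added example: a minimal PHI access gateway demonstrating three of the
technical safeguards described in the thread: one identity per user,
need-to-know access per record, and an audit trail of every attempt.
Every name, role and record here is constructed for illustration."""
from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class AuditEvent:
    """One line of the audit trail: who tried to read what, and the outcome."""
    when: str
    user: str
    record_id: str
    allowed: bool
    reason: str


class PHIGateway:
    def __init__(self, users, care_team, records):
        # user id -> role; one identity per person, never a shared account
        self.users = dict(users)
        # record id -> set of user ids with a need to know (the care team)
        self.care_team = {rid: set(members) for rid, members in care_team.items()}
        # record id -> the protected record itself
        self.records = dict(records)
        self.audit_log = []

    def _log(self, user, record_id, allowed, reason):
        stamp = datetime.now(timezone.utc).isoformat()
        self.audit_log.append(AuditEvent(stamp, user, record_id, allowed, reason))

    def read_record(self, user, record_id):
        """Return the record only if `user` is on its care team; log every attempt."""
        if user not in self.users:
            self._log(user, record_id, False, "unknown user id")
            raise PermissionError(f"{user!r} is not a registered user")
        if record_id not in self.records:
            self._log(user, record_id, False, "no such record")
            raise KeyError(record_id)
        if user not in self.care_team.get(record_id, set()):
            self._log(user, record_id, False, "not on care team")
            raise PermissionError(f"{user!r} has no need to know {record_id}")
        self._log(user, record_id, True, "care team member")
        return self.records[record_id]

    def denied_attempts_by_user(self):
        """Count refused reads per user id; a review aid for the auditor."""
        return Counter(ev.user for ev in self.audit_log if not ev.allowed)


def build_demo_gateway():
    """Constructed sample data (hypothetical users, MRNs and records)."""
    users = {"dr.lee": "physician", "nurse.ortiz": "nurse", "student.kim": "student"}
    care_team = {"MRN-0001": {"dr.lee", "nurse.ortiz"}, "MRN-0002": {"dr.lee"}}
    records = {
        "MRN-0001": {"name": "Patient A", "note": "constructed sample record"},
        "MRN-0002": {"name": "Patient B", "note": "constructed sample record"},
    }
    return PHIGateway(users, care_team, records)


if __name__ == "__main__":
    gw = build_demo_gateway()
    print(gw.read_record("dr.lee", "MRN-0001")["name"])
    for who in ("student.kim", "nobody"):
        try:
            gw.read_record(who, "MRN-0001")
        except PermissionError as exc:
            print("denied:", exc)
    for ev in gw.audit_log:
        print(ev)
    print(gw.denied_attempts_by_user())
```

The gateway deliberately refuses before it looks at the record, so a denial never leaks whether the record exists to an unregistered identity, and the audit entry is written on every path, which is what lets an auditor later prove the policy was actually enforced rather than merely written down.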

One "P", two "A"'s. <_<

