
The final privacy rules for securing electronic health care became effective April 14th, 2003. These regulations require health care companies to develop, implement, and document the measures they take to ensure that health information remains secure under the Health Insurance Portability and Accountability Act (HIPAA). HIPAA is intended to protect and simplify the exchange of health care data nationwide. Large health care organizations will have until April 2005 to fully comply, while smaller entities will have until April 2006. The complete HIPAA information can be found at: http://www.aspe.hhs.gov/admnsimp/

HIPAA is now federal law: compliance is mandatory, and violators face up to $250,000 in fines and jail time of up to 10 years. HIPAA regulations are intended to protect such data as a patient’s medical records and personal health care information. HIPAA affects organizations that transmit protected health information in electronic form (e.g., health plans, health care clearinghouses, and health care providers).

The law requires health care organizations to implement a wide variety of safeguards and security best practices in order to adequately protect customer data. Full compliance requires that these entities understand the threats and liabilities and take proactive measures to maintain reasonable and appropriate safeguards in three areas: administrative, physical, and technical.

This document details the process needed to achieve compliance and breaks down the specific areas of HIPAA where BeyondTrust’s Retina Network Security Scanner plays a pivotal role.

HIPAA & Retina Enterprise Edition

There are several areas in HIPAA where BeyondTrust’s vulnerability assessment solution is key to attaining compliance. The sections include: Title II (Preventing Health Care Fraud and Abuse), Subtitle F (Administrative Simplification), Section 262, and Subsection 1173d (Security Standards for Health Information). As mentioned earlier, Subsection 1173d contains the three critical categories of security standards: administrative, physical, and technical. The final ruling on compliance requires all entities subject to HIPAA standards “to periodically conduct an evaluation of their security safeguards to demonstrate and document their compliance with the entity’s security policy and the requirements of this subpart.”

In terms of evaluation frequency, the regulations state that “covered entities must assess the need for a new evaluation based on changes to their security environment since their last evaluation, for example, new technology adopted or responses to newly recognized risks to the security of their information.” HIPAA regulations also point out, “it is important to recognize that security is not a product, but is an ongoing, dynamic process.” BeyondTrust’s Retina Enterprise Edition automates and fulfills these process-oriented safeguard requirements for entities of all sizes. It is important to recognize the significance of the word “process” from the HIPAA regulations as it pertains to security within an organization. A computer security audit is a systematic, measurable technical assessment of how the entity’s security policy is employed. Security audits do not take place in a vacuum; they are part of the ongoing methodology of defining, maintaining, and improving effective security throughout the organization.

Following an established vulnerability assessment and remediation process is a proven approach to attaining HIPAA network security compliance.