<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>ADOWP &#187; kjaniszewski</title>
	<atom:link href="http://www.adowp.com/author/kjaniszewski/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.adowp.com</link>
	<description>Article Directory on WordPress</description>
	<lastBuildDate>Tue, 29 Mar 2011 02:39:21 +0000</lastBuildDate>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.2.1</generator>
		<item>
		<title>TJC IM Readiness Standards 101</title>
		<link>http://www.adowp.com/internet-and-online-businesses/internet-security/tjc-im-readiness-standards-101/</link>
		<comments>http://www.adowp.com/internet-and-online-businesses/internet-security/tjc-im-readiness-standards-101/#comments</comments>
		<pubDate>Fri, 18 Dec 2009 01:56:53 +0000</pubDate>
		<dc:creator>kjaniszewski</dc:creator>
				<category><![CDATA[Internet Security]]></category>
		<category><![CDATA[hipaa compliance]]></category>
		<category><![CDATA[hipaa compliant]]></category>
		<category><![CDATA[hipaa it]]></category>
		<category><![CDATA[hipaa it compliance]]></category>
		<category><![CDATA[hipaa security rule]]></category>

		<guid isPermaLink="false">http://www.adowp.com/?p=324</guid>
		<description><![CDATA[
<p>The Joint Commission (TJC) is an independent, not-for-profit organization that accredits and certifies more than 17,000 health care organizations and programs in the United States.</p>
<p>The TJC has recently updated and expanded its information management (IM) accreditation standards for healthcare organizations. New readiness standards for information management and IT risk management are requiring hospitals to rethink how they protect and secure sensitive information, audit, and improve continuity of operations and disaster recovery planning.</p>
<p><a href="http://www.adowp.com/internet-and-online-businesses/internet-security/tjc-im-readiness-standards-101/" class="more-link">Read more on TJC IM Readiness Standards 101&#8230;</a></p>
]]></description>
			<content:encoded><![CDATA[
<p>The Joint Commission (TJC) is an independent, not-for-profit organization that accredits and certifies more than 17,000 health care organizations and programs in the United States.</p>
<p>The TJC has recently updated and expanded its information management (IM) accreditation standards for healthcare organizations. New readiness standards for information management and IT risk management are requiring hospitals to rethink how they protect and secure sensitive information, audit, and improve continuity of operations and disaster recovery planning.</p>
<p>To maintain and earn accreditation, organizations must have an extensive on-site review by a team of Joint Commission healthcare professionals, at least once every three years. The purpose of the review is to evaluate the organization&#8217;s performance in areas that affect care. Accreditation may then be awarded based on how well the organizations met Joint Commission standards.</p>
<p>A hospital&#8217;s IT infrastructure is at the foundation of delivering quality care. TJC recognizes this in the enhanced information management readiness standards. Among numerous other topics, TJC specifically addresses three key areas of IT risk management in the new IM standards. These include:</p>
<ol>
<li>Patient record security</li>
<li>System security from intrusion and data tampering</li>
<li>Continuity of operations and disaster recovery capabilities</li>
</ol>
<p><strong>Three Key Readiness Standards.</strong></p>
<p><strong>Plan for Continuity of IM Processes (IM.01.01.03)</strong></p>
<p>The organization must have a written plan for managing interruptions to its information processes (paper-based, electronic, or a mix of paper-based and electronic). The hospital&#8217;s plan for managing interruptions to information processes must address the following:</p>
<ul>
<li>Have a back-up of electronic information systems</li>
<li>Plan for interruptions of electronic information systems</li>
<li>Provide training for staff and licensed independent practitioners on alternate procedures to follow when electronic information systems are unavailable</li>
<li>Ensure the plan to handle interruptions to information processes is tested for effectiveness according to time frames defined by the hospital</li>
<li>Implement its plan for managing interruptions to information processes to maintain access to information needed for patient care</li>
</ul>
<p><strong>Protect Privacy of Health Information (IM.02.01.01)</strong></p>
<ul>
<li>Use health information only for purposes as required by law and regulation or further limited by its policy on privacy</li>
<li>Disclose health information only by authorization from the patient or as otherwise consistent with law and regulation</li>
<li>Monitor compliance with its policy on the privacy of health information</li>
</ul>
<p><strong>Maintain Security &amp; Integrity of Health Information (IM.02.01.03)</strong></p>
<ul>
<li>Protect against unauthorized access, use, and disclosure of health information</li>
<li>Protect health information against loss, damage, unauthorized alteration, unintentional change, and accidental destruction</li>
<li>Control the intentional destruction of health information</li>
<li>Monitor compliance with its policies regarding the security and integrity of health information</li>
</ul>
<p>TJC&#8217;s move to enhance its information management readiness standards is consistent with the growing number of ID theft incidents and regulatory pressures from many government and private sources. A typical hospital, for example, is subject to HIPAA regulations, PCI compliance (credit card), and often Sarbanes-Oxley.</p>
<p><strong>The Common Denominator</strong></p>
<p>Common among these regulations and other information security best practice standards is the need to protect all patient, credit card and other confidential data from intrusion, tampering, and theft – at all times.</p>
<p>Katherine Janiszewski plays a crucial role as Marketing Manager of netForensics.  Founded in 1999, netForensics is based on a culture of excellence and innovation. Their team of leading experts understands the ever-evolving security threat and compliance needs of today&#8217;s organizations, including <a href="http://sem.netforensics.com/page/1/Hipaa.jsp">HIPAA IT Compliance</a>.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.adowp.com/internet-and-online-businesses/internet-security/tjc-im-readiness-standards-101/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Patient Information &#8211; The HIPAA Challenge</title>
		<link>http://www.adowp.com/internet-and-online-businesses/internet-security/patient-information-the-hipaa-challenge/</link>
		<comments>http://www.adowp.com/internet-and-online-businesses/internet-security/patient-information-the-hipaa-challenge/#comments</comments>
		<pubDate>Thu, 17 Dec 2009 06:58:01 +0000</pubDate>
		<dc:creator>kjaniszewski</dc:creator>
				<category><![CDATA[Internet Security]]></category>
		<category><![CDATA[hipaa compliance]]></category>
		<category><![CDATA[hipaa compliant]]></category>
		<category><![CDATA[hipaa data]]></category>
		<category><![CDATA[hipaa it]]></category>
		<category><![CDATA[hipaa it compliance]]></category>
		<category><![CDATA[hipaa security rule]]></category>

		<guid isPermaLink="false">http://www.adowp.com/?p=312</guid>
		<description><![CDATA[
<p>The Health Insurance Portability and Accountability Act (HIPAA) of 1996 has fostered the use of electronic transactions, simplifying healthcare administration and reducing overhead.</p>
<p>However, the computerization of patient records has created an increased security risk from various sources, such as intrusion attempts, unauthorized internal access and other security attacks. HIPAA therefore mandates security measures be taken to protect sensitive data, ensuring that only patients and their healthcare providers have access to patient medical information. According to the Final Rule of the Act&#8217;s Health Insurance Reform: Security Standards, HHS states:</p>
<p><a href="http://www.adowp.com/internet-and-online-businesses/internet-security/patient-information-the-hipaa-challenge/" class="more-link">Read more on Patient Information &#8211; The HIPAA Challenge&#8230;</a></p>
]]></description>
			<content:encoded><![CDATA[
<p>The Health Insurance Portability and Accountability Act (HIPAA) of 1996 has fostered the use of electronic transactions, simplifying healthcare administration and reducing overhead.</p>
<p>However, the computerization of patient records has created an increased security risk from various sources, such as intrusion attempts, unauthorized internal access and other security attacks. HIPAA therefore mandates security measures be taken to protect sensitive data, ensuring that only patients and their healthcare providers have access to patient medical information. According to the Final Rule of the Act&#8217;s Health Insurance Reform: Security Standards, HHS states:</p>
<p>&#8220;Section 1173(d) of the Act provides that covered entities that maintain or transmit health information are required to maintain reasonable and appropriate administrative, physical, and technical safeguards to ensure the integrity and confidentiality of the information and to protect against any reasonably anticipated threats or hazards to the security or integrity of the information and unauthorized use or disclosure of the information. These safeguards must also otherwise ensure compliance with the statute by the officers and employees of the covered entities.&#8221;</p>
<p>The Title II Administrative Simplification Security Rule states that specific security issues related to transmitting and storing patient data must be addressed. Safeguard initiatives where solutions must be implemented include:</p>
<ul>
<li>Security Management Process</li>
<li>Administrative Safeguards</li>
<li>Assigned Security Responsibility</li>
<li>Workforce Security</li>
<li>Information Access Management</li>
<li>Security Awareness and Training</li>
<li>Security Incident Procedures</li>
<li>Contingency Plan</li>
<li>Evaluation</li>
<li>Business Associate Contracts and Other Arrangements</li>
<li>Physical Safeguards</li>
<li>Facility Access Controls</li>
<li>Workstation Use</li>
<li>Workstation Security</li>
<li>Device and Media Controls</li>
<li>Technical Safeguards</li>
<li>Access Control</li>
<li>Audit Controls</li>
<li>Integrity</li>
<li>Person or Entity Authentication</li>
<li>Transmission Security</li>
</ul>
<p>To comply with HIPAA regulations and protect patient information, healthcare organizations need to update their legacy computer systems, ramp up their information security capabilities, and define and implement business processes that align with security objectives.</p>
<p>The HIPAA Security Standards do not specify particular technology requirements, so each affected healthcare organization must assess its own risk and develop security measures accordingly. Organizations must then certify their security programs through self-certification or by a private accreditation entity.</p>
<p>Addressing the HIPAA Security Rule and implementing the technical, administrative, and physical safeguards that will ensure compliance requires a comprehensive information security program.</p>
<p>Katherine Janiszewski plays a crucial role as Marketing Manager of netForensics.  Founded in 1999, netForensics is based on a culture of excellence and innovation. Their team of leading experts understands the ever-evolving security threat and compliance needs of today&#8217;s organizations, including <a href="http://sem.netforensics.com/page/1/Hipaa.jsp">HIPAA Data</a>.  For more information, visit netForensics.com.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.adowp.com/internet-and-online-businesses/internet-security/patient-information-the-hipaa-challenge/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New Threats to Utility SCADA Systems</title>
		<link>http://www.adowp.com/internet-and-online-businesses/internet-security/new-threats-to-utility-scada-systems/</link>
		<comments>http://www.adowp.com/internet-and-online-businesses/internet-security/new-threats-to-utility-scada-systems/#comments</comments>
		<pubDate>Mon, 14 Dec 2009 20:57:55 +0000</pubDate>
		<dc:creator>kjaniszewski</dc:creator>
				<category><![CDATA[Internet Security]]></category>
		<category><![CDATA[nerc cip]]></category>
		<category><![CDATA[nerc cip standards]]></category>
		<category><![CDATA[nerc requirements]]></category>
		<category><![CDATA[netforensics]]></category>
		<category><![CDATA[scada system]]></category>
		<category><![CDATA[scada systems]]></category>

		<guid isPermaLink="false">http://www.adowp.com/?p=233</guid>
		<description><![CDATA[
<p><strong>Mission Critical Systems for the Energy Industry</strong></p>
<p>Supervisory Control and Data Acquisition (SCADA) systems, which collect and manage data across a large facility from a central computer, play a major role in the utility industry, helping to manage large and diverse information loads from power plants of all types. Inter-connectivity has made these systems increasingly vulnerable to cyber attacks.</p>
<p><a href="http://www.adowp.com/internet-and-online-businesses/internet-security/new-threats-to-utility-scada-systems/" class="more-link">Read more on New Threats to Utility SCADA Systems&#8230;</a></p>
]]></description>
			<content:encoded><![CDATA[
<p><strong>Mission Critical Systems for the Energy Industry</strong></p>
<p>Supervisory Control and Data Acquisition (SCADA) systems, which collect and manage data across a large facility from a central computer, play a major role in the utility industry, helping to manage large and diverse information loads from power plants of all types. Inter-connectivity has made these systems increasingly vulnerable to cyber attacks.</p>
<p><strong>The Growing Vulnerability of SCADA Systems</strong></p>
<p>The control systems for the electric grid used to operate in a stand-alone environment without computer or communication links to an external Information Technology (IT) infrastructure. Over the past fifteen years such stand-alone enclaves have been increasingly connected to both the corporate environment and the external world, and the utility SCADA systems are no exception. Computer and communication network interconnection brings with it the potential for cyber attacks on these systems by adversaries. This is a critical problem since such an attack can affect several entities across the country simultaneously. Such attacks have the enhanced potential to cause a cascading negative effect to the Bulk Power System.</p>
<p><strong>SCADA Systems Are More Vulnerable Than Ever</strong></p>
<ul>
<li>SCADA systems are coming in line with standard networking technologies. The current generation of SCADA systems is increasingly using open system architecture to distribute functionality across a wide-area network (WAN) for communication between the master station and communications equipment.</li>
<li>SCADA systems are becoming ubiquitous. Thin clients, web portals, and web-based products are gaining popularity with most major vendors. The increased convenience of end users viewing their processes remotely introduces security considerations resulting in SCADA-based systems being vulnerable to cyber-attacks.</li>
<li>The mission-critical nature of a large number of SCADA systems makes them targets of cyber-terrorists. In a worst-case scenario, failure of a SCADA system could cause massive financial losses through loss of data or actual physical destruction, misuse or theft, even loss of life, either directly or indirectly.</li>
<li>SCADA systems no longer have the benefit of security through obscurity that may have existed in the past from the use of specialized protocols and proprietary interfaces. Increasingly, SCADA networks are being connected to the Internet.</li>
<li>Similar to other networked technologies, SCADA networks must have physical, administrative, and technical security safeguards.</li>
<li>Security and authentication in designing, deploying, and operating SCADA networks is paramount. For example, security devices such as IPS/IDS, firewalls, and other technological security measures must be deployed to help protect SCADA systems. Automated security information management solutions are also needed to help consolidate the security logs across the SCADA system wide-area network.</li>
</ul>
<p>Katherine Janiszewski plays a crucial role as Marketing Manager of netForensics. Founded in 1999, netForensics is based on a culture of excellence and innovation. Their team of leading experts understands the ever-evolving security threat and compliance needs of today&#8217;s organizations, including <a href="http://sem.netforensics.com/page/1/NERC-CIP-compliance.jsp">NERC requirements</a>. For more information, visit netForensics.com.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.adowp.com/internet-and-online-businesses/internet-security/new-threats-to-utility-scada-systems/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Key Issues in HIPAA Security Compliance Management</title>
		<link>http://www.adowp.com/internet-and-online-businesses/internet-security/key-issues-in-hipaa-security-compliance-management/</link>
		<comments>http://www.adowp.com/internet-and-online-businesses/internet-security/key-issues-in-hipaa-security-compliance-management/#comments</comments>
		<pubDate>Mon, 14 Dec 2009 20:17:11 +0000</pubDate>
		<dc:creator>kjaniszewski</dc:creator>
				<category><![CDATA[Internet Security]]></category>
		<category><![CDATA[hipaa compliance]]></category>
		<category><![CDATA[hipaa compliant]]></category>
		<category><![CDATA[hipaa healthcare]]></category>
		<category><![CDATA[hipaa security compliance]]></category>

		<guid isPermaLink="false">http://www.adowp.com/?p=231</guid>
		<description><![CDATA[
<p><strong>A 360 Degree Approach to HIPAA Compliance</strong></p>
<p>An effective approach to meeting HIPAA security compliance requirements begins with a security management solution – one that enables real-time monitoring, compliance reporting and control management. Technology alone, however, is not the answer. The best route to compliance is a 360 degree approach that integrates existing people, processes, and policies with technology. The foundation of a compliance solution for all healthcare organizations is an enterprise-class Security Information Management (SIM) solution.</p>
<p><a href="http://www.adowp.com/internet-and-online-businesses/internet-security/key-issues-in-hipaa-security-compliance-management/" class="more-link">Read more on Key Issues in HIPAA Security Compliance Management&#8230;</a></p>
]]></description>
			<content:encoded><![CDATA[
<p><strong>A 360 Degree Approach to HIPAA Compliance</strong></p>
<p>An effective approach to meeting HIPAA security compliance requirements begins with a security management solution – one that enables real-time monitoring, compliance reporting and control management. Technology alone, however, is not the answer. The best route to compliance is a 360 degree approach that integrates existing people, processes, and policies with technology. The foundation of a compliance solution for all healthcare organizations is an enterprise-class Security Information Management (SIM) solution.</p>
<p><strong>Seven Critical HIPAA Initiatives</strong></p>
<p><strong>1. Policy</strong></p>
<p>Define a policy-driven security management program that can be incorporated early on into business processes – Identify the people and technology controls needed to satisfy an organization&#8217;s security mission and ensure HIPAA compliance. Also, ensure that security initiatives are integrated into business processes at their onset, rather than after the fact.</p>
<p><strong>2. Security Controls</strong></p>
<p>Validate security controls – Provide for the monitoring and reporting of controls on human actions and decisions, process controls, and information technology controls.</p>
<p><strong>3. Risk Management</strong></p>
<p>Implement a risk management approach to information security – Include active monitoring of risk as defined and measured by key control indicators (KCIs) and key risk indicators (KRIs), correlating the relative value of information assets, the threats to the confidentiality, integrity, and availability of the assets, and the vulnerability of the systems and architecture that store and carry the assets.</p>
<p><strong>4. Due Diligence</strong></p>
<p>Demonstrate due diligence in the application of internal controls – Create a link between the security infrastructure and policy by capturing all security events from all network hosts, devices, and assets in an auditable database.</p>
<p><strong>5. Incident Management</strong></p>
<p>Develop and implement an effective security-incident management process – Demonstrate that the proper steps were taken to correct systems and adjust policy if a non-compliant situation is identified.</p>
<p><strong>6. Reporting</strong></p>
<p>Enable reporting that can help demonstrate compliance – Demonstrate the ongoing security of compliance-related assets over a period of time, recreating the organization&#8217;s security posture if needed to obtain HIPAA certification, and enabling security performance management against metrics that can be leveraged for corporate governance initiatives.</p>
<p><strong>7. Preserving Data</strong></p>
<p>Establish capabilities for archiving and preserving data – Preserve near-term and long-term data in its purest form for forensics and evidentiary presentation.</p>
<p>By leveraging SIM to implement effective, comprehensive policies and procedures for establishing accountability and consistent reporting practices, healthcare organizations can successfully meet HIPAA regulatory compliance directives.</p>
<p><strong>Example: Security Information Management and HIPAA Compliance</strong></p>
<p>Wheaton Franciscan Healthcare, a nonprofit healthcare organization based in Wheaton, Illinois, needed to enhance its visibility into network security and improve reporting capabilities to enable HIPAA compliance. The organization&#8217;s size created enormous challenges.</p>
<p>With 17 hospitals and more than 70 clinics in Colorado, Illinois, Iowa, and Wisconsin, the initiative involved nearly 100 security devices, including firewalls, intrusion protection systems, virtual private network concentrators, and authentication services. The organization manually reviewed many of its security devices, though some were unmanageable due to the enormous volume of event log data. Wheaton turned to a leading Security Information Management solution to bring its security initiatives under control.</p>
<p>Wheaton was able to reduce its monitoring workload and minimize downtime by leveraging this solution to react more quickly to threats. With improved visibility into the network and the ability to assess its risk posture at any given point in time, Wheaton raised security and reporting to the level required for HIPAA compliance.</p>
<p>Katherine Janiszewski plays a crucial role as Marketing Manager of netForensics. Founded in 1999, netForensics is based on a culture of excellence and innovation. Their team of leading experts understands the ever-evolving security threat and compliance needs of today&#8217;s organizations, including <a href="http://sem.netforensics.com/page/1/Hipaa.jsp">HIPAA Compliance</a>. For more information, visit netForensics.com.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.adowp.com/internet-and-online-businesses/internet-security/key-issues-in-hipaa-security-compliance-management/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HIPAA Compliance 101</title>
		<link>http://www.adowp.com/internet-and-online-businesses/internet-security/hipaa-compliance-101/</link>
		<comments>http://www.adowp.com/internet-and-online-businesses/internet-security/hipaa-compliance-101/#comments</comments>
		<pubDate>Mon, 14 Dec 2009 20:13:00 +0000</pubDate>
		<dc:creator>kjaniszewski</dc:creator>
				<category><![CDATA[Internet Security]]></category>
		<category><![CDATA[hipaa compliance]]></category>
		<category><![CDATA[hipaa compliant]]></category>
		<category><![CDATA[hipaa it]]></category>
		<category><![CDATA[hipaa it compliance]]></category>
		<category><![CDATA[hipaa security rule]]></category>

		<guid isPermaLink="false">http://www.adowp.com/?p=229</guid>
		<description><![CDATA[
<p>The Health Insurance Portability and Accountability Act (HIPAA) has changed the healthcare information security landscape in the U.S. Compliance has become a critical issue for all organizations that come in contact with health information. Here is a summary of the HIPAA basics.</p>
<p><a href="http://www.adowp.com/internet-and-online-businesses/internet-security/hipaa-compliance-101/" class="more-link">Read more on HIPAA Compliance 101&#8230;</a></p>
]]></description>
			<content:encoded><![CDATA[
<p>The Health Insurance Portability and Accountability Act (HIPAA) has changed the healthcare information security landscape in the U.S. Compliance has become a critical issue for all organizations that come in contact with health information. Here is a summary of the HIPAA basics.</p>
<p>HIPAA, also known as the Kennedy-Kassebaum Act, was signed into law by the U.S. Congress in 1996 to establish health insurance reform and healthcare administrative simplification for various healthcare entities including: health plans, healthcare clearinghouses such as billing services and community health information systems, and healthcare providers that transmit healthcare data in a way that is regulated by HIPAA.</p>
<p>Governed by HHS, HIPAA Title I supports the continuation of health insurance coverage for workers and their families when they change or lose their jobs. Title II defines numerous offenses relating to healthcare and healthcare-related information and sets civil and criminal penalties for agencies that fail to abide by HIPAA standards.</p>
<p>The most significant provisions of Title II for IT organizations are its Administrative Simplification rules. Per the requirements of Title II, HHS has established five rules regarding Administrative Simplification:</p>
<ul>
<li>Privacy Rule</li>
<li>Transactions and Code Sets Rule</li>
<li>Security Rule</li>
<li>Unique Identifiers Rule</li>
<li>Enforcement Rule</li>
</ul>
<p>Various security standards apply to each of these rules, particularly for the Security Rule, which establishes three main security objectives: Administrative Safeguards, Physical Safeguards, and Technical Safeguards.  Each safeguard area includes both required and addressable implementation specifications. Required specifications must be adopted and administered as dictated by the rule.</p>
<p>Addressable specifications are more flexible. Yet according to the rules for both required and addressable specifications, how organizations satisfy individual security requirements and which technology they choose are left to the business decisions of each entity.</p>
<p>Healthcare organizations face fines for noncompliance with HIPAA regulations. Penalties include the following: general fines of up to $25,000 per incident, as well as up to $50,000, imprisonment for not more than one year, or both for wrongful disclosure of individually identifiable health information.</p>
<p><strong>HIPAA Fines are Real</strong></p>
<p>In July 2008, HHS announced a formal action against Providence Health &amp; Services.  HHS required Providence to pay $100,000 and implement a detailed Corrective Action Plan to ensure that it will appropriately safeguard identifiable electronic patient information against theft or loss.</p>
<p>This case emphasizes that there is a renewed interest in HIPAA and sends a clear message that HHS has the authority and intent to take enforcement action. This has been a debate of sorts ever since the passage of HIPAA. These matters are frequently resolved on a consultative basis with HHS Office of Civil Rights (OCR). They prefer to work with the healthcare organization to resolve problems.  The HHS Office of Inspector General (OIG), however, has been critical of HHS&#8217; lack of enforcement activity in the past. Providence is an example that shows HHS can and will act for HIPAA violations.</p>
<p>Katherine Janiszewski plays a crucial role as Marketing Manager of netForensics.  Founded in 1999, netForensics is based on a culture of excellence and innovation. Their team of leading experts understands the ever-evolving security threat and compliance needs of today&#8217;s organizations, including <a href="http://sem.netforensics.com/page/1/Hipaa.jsp">HIPAA IT Technology</a>.  For more information, visit netForensics.com.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.adowp.com/internet-and-online-businesses/internet-security/hipaa-compliance-101/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HIPAA &#8211; Project Patient Information</title>
		<link>http://www.adowp.com/internet-and-online-businesses/internet-security/hipaa-project-patient-information/</link>
		<comments>http://www.adowp.com/internet-and-online-businesses/internet-security/hipaa-project-patient-information/#comments</comments>
		<pubDate>Mon, 14 Dec 2009 03:23:14 +0000</pubDate>
		<dc:creator>kjaniszewski</dc:creator>
				<category><![CDATA[Internet Security]]></category>
		<category><![CDATA[hipaa compliance]]></category>
		<category><![CDATA[hipaa compliant]]></category>
		<category><![CDATA[hipaa data]]></category>
		<category><![CDATA[hipaa it]]></category>
		<category><![CDATA[hipaa it compliance]]></category>
		<category><![CDATA[hipaa security rule]]></category>

		<guid isPermaLink="false">http://www.adowp.com/?p=203</guid>
		<description><![CDATA[
<p>A fundamental benefit of HIPAA is that it encourages the wider use of electronic transactions, greatly simplifying healthcare administration and reducing administrative overhead costs.</p>
<p>Yet with the computerization of patient medical records, healthcare organizations face an increased security risk from various sources, such as unauthorized internal access, intrusion attempts, and other security attacks. HIPAA therefore mandates security measures be taken to protect this sensitive data, ensuring that only patients and their healthcare providers have access to patient medical information. According to the Final Rule of the Act&#8217;s Health Insurance Reform: Security Standards, HHS states:</p>
<p><a href="http://www.adowp.com/internet-and-online-businesses/internet-security/hipaa-project-patient-information/" class="more-link">Read more on HIPAA &#8211; Project Patient Information&#8230;</a></p>
]]></description>
			<content:encoded><![CDATA[
<p>A fundamental benefit of HIPAA is that it encourages the wider use of electronic transactions, greatly simplifying healthcare administration and reducing administrative overhead costs.</p>
<p>Yet with the computerization of patient medical records, healthcare organizations face an increased security risk from various sources, such as unauthorized internal access, intrusion attempts, and other security attacks. HIPAA therefore mandates security measures be taken to protect this sensitive data, ensuring that only patients and their healthcare providers have access to patient medical information. According to the Final Rule of the Act&#8217;s Health Insurance Reform: Security Standards, HHS states:</p>
<p>&#8220;Section 1173(d) of the Act provides that covered entities that maintain or transmit health information are required to maintain reasonable and appropriate administrative, physical, and technical safeguards to ensure the integrity and confidentiality of the information and to protect against any reasonably anticipated threats or hazards to the security or integrity of the information and unauthorized use or disclosure of the information. These safeguards must also otherwise ensure compliance with the statute by the officers and employees of the covered entities.&#8221;</p>
<p>To comply with HIPAA regulations and protect patient information, healthcare organizations are tasked with updating their legacy computer systems, ramping up their information security capabilities, and defining and implementing business processes that align with security objectives.</p>
<p>According to the Title II Administrative Simplification Security Rule, specific security issues must be addressed and solutions implemented as they relate to transmitting and storing patient data. Safeguard initiatives include the following:</p>
<ul>
<li>Security Management Process</li>
<li>Administrative Safeguards</li>
<li>Assigned Security Responsibility</li>
<li>Workforce Security</li>
<li>Information Access Management</li>
<li>Security Awareness and Training</li>
<li>Security Incident Procedures</li>
<li>Contingency Plan</li>
<li>Evaluation</li>
<li>Business Associate Contracts and Other Arrangements</li>
<li>Physical Safeguards</li>
<li>Facility Access Controls</li>
<li>Workstation Use</li>
<li>Workstation Security</li>
<li>Device and Media Controls</li>
<li>Technical Safeguards</li>
<li>Access Control</li>
<li>Audit Controls</li>
<li>Integrity</li>
<li>Person or Entity Authentication</li>
<li>Transmission Security</li>
</ul>
<p>The HIPAA Security Standards do not specify particular technology requirements, so each affected healthcare organization must assess its own risk and develop security measures accordingly. Organizations must then certify their security programs through self-certification or by a private accreditation entity.</p>
<p>Therefore, to address the HIPAA Security Rule and ensure that Administrative, Physical, and Technical Safeguards are implemented that will lead to HIPAA compliance, a comprehensive and effective information security program is necessary.</p>
<p>Katherine Janiszewski plays a crucial role as Marketing Manager of netForensics.  Founded in 1999, netForensics is based on a culture of excellence and innovation. Their team of leading experts understands the ever-evolving security threat and compliance needs of today&#8217;s organizations, including <a href="http://sem.netforensics.com/page/1/Hipaa.jsp">HIPAA Data</a>.  For more information, visit netForensics.com.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.adowp.com/internet-and-online-businesses/internet-security/hipaa-project-patient-information/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

