
Next in this blog series on nine HIPAA network considerations, I cover the third consideration: knowing where your PHI is.  Remember, the HIPAA Omnibus Rule was released January 23, 2013, became effective March 26, 2013, with compliance to the updates set for September 23, 2013.  Audits will also start up again for covered entities and business associates in late 2013 or early 2014.

The nine HIPAA network considerations:

  1. HIPAA Audits will continue
  2. The HIPAA Audit Protocol and NIST 800-66 are your best preparation
  3. Knowledge is a powerful weapon―know where your PHI is
  4. Ignorance is not bliss
  5. Risk Assessment drives your baseline
  6. Risk Management is continuous
  7. Security best practices are essential
  8. Breach discovery times: know your discovery tolerance
  9. Your business associate(s) must be tracked

Knowledge is a powerful weapon―know where your PHI is

Protecting critical data of any kind requires that you know where it is first so that you can protect it.  For HIPAA, the critical data is PHI.  Although not part of the HIPAA Security Rule, in the NIST 800-66 Revision 1 publication (Introductory Resource Guide for Implementing the HIPAA Security Rule), the first activity under the Administrative Safeguard is to ‘identify all information systems that house Protected Health Information (PHI)’.  You can’t begin to successfully protect PHI until you know where it is.

Data discovery commonly yields some surprising findings about where data resides throughout the network environment.

As BYOD becomes widespread, and in the healthcare industry this is already occurring, knowing where PHI may reside becomes more difficult and complex.  In many industries, companies don’t have ‘data discovery’ skillsets in-house.  As a result, the data discovery cycle often gets skipped for lack of in-house resources and lack of budget to outsource the work.  But it is a critical step in security best practices, and it builds the foundation of your network security infrastructure.  You’ll learn a lot more than you expect, and maybe more than you want, about where your data is, with probably a few surprises included.

Know where your PHI is, and then you can properly protect it. Knowledge is a powerful weapon.

Recommendation: Hire a consultant (or do it in house) to perform PHI data discovery throughout your network.
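A minimal illustration of the PHI data-discovery step recommended above, added here as an example and not Cisco's tooling: it scans constructed sample documents from several network locations for PHI indicators and builds the inventory that a risk assessment starts from. The file paths, contents and detection patterns are all assumptions.

```python
import re
from collections import defaultdict

# Constructed sample "file contents" standing in for documents found on
# different network locations (file shares, a laptop, a mail store).
SAMPLE_FILES = {
    r"\\fs01\billing\claims_2013.csv": "Patient: J. Doe, SSN 123-45-6789, Dx: E11.9, DOB 04/12/1961",
    r"\\fs01\marketing\newsletter.txt": "Join us for the spring wellness fair on 05/01/2013!",
    r"C:\Users\nurse1\Desktop\notes.txt": "MRN: 00482913 - follow-up visit, BP 130/85",
    r"\\mail\archive\msg0017.eml": "Re: lab results for MRN 00482913 attached",
}

# Indicators that, in context, suggest PHI. These patterns are assumptions
# for this example; a real discovery program tunes them to its own record
# formats (the ICD-10 pattern in particular is coarse and needs review).
PHI_PATTERNS = {
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "mrn": re.compile(r"\bMRN[:\s]*\d{6,10}\b", re.IGNORECASE),
    "dob": re.compile(r"\bDOB[:\s]*\d{2}/\d{2}/\d{4}\b", re.IGNORECASE),
    "icd10": re.compile(r"\b[A-TV-Z]\d{2}(?:\.\d{1,4})?\b"),
}

def scan_text(text):
    """Return the set of PHI indicator names found in one document."""
    return {name for name, pat in PHI_PATTERNS.items() if pat.search(text)}

def build_phi_inventory(files):
    """Map each location holding PHI to the indicators seen there.
    Locations with no indicators are left out, so the result is the
    'where is my PHI' list the risk assessment starts from."""
    inventory = {}
    for path, text in files.items():
        hits = scan_text(text)
        if hits:
            inventory[path] = sorted(hits)
    return inventory

def systems_holding_phi(inventory):
    """Collapse file paths to the host or drive that houses them, giving
    the count of PHI-bearing documents per system."""
    systems = defaultdict(int)
    for path in inventory:
        host = path.split("\\")[2] if path.startswith("\\\\") else path.split("\\")[0]
        systems[host] += 1
    return dict(systems)

if __name__ == "__main__":
    for path, kinds in build_phi_inventory(SAMPLE_FILES).items():
        print(f"{path}: {', '.join(kinds)}")
```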

Cisco’s Compliance Solutions teams focus on helping customers simplify meeting mandated compliance requirements. To learn more about Cisco® compliance solutions, please visit www.cisco.com/go/compliance.


1 Comment.


  1. Although lack of budget is a concern, the actual outsourcing of the resources may be a bigger problem in the healthcare industry. Privacy becomes less important and the risk of lost data substantially increases. In our own company Healthinsurancezoom.com we take great pride in handling everything in-house. And thus, privacy is at the forefront of every transaction.
