Cisco Blogs


6 of 9 HIPAA Network Considerations

The HIPAA Omnibus Final Rule, released January 2013, goes into effect this month – Sept 23, 2013. Over the last several weeks, I’ve been posting a blog series around nine HIPAA network considerations.

  1. HIPAA Audits will continue
  2. The HIPAA Audit Protocol and NIST 800-66 are your best preparation
  3. Knowledge is a powerful weapon―know where your PHI is
  4. Ignorance is not bliss
  5. Risk Assessment drives your baseline
  6. Risk Management is continuous
  7. Security best practices are essential
  8. Breach discovery times: know your discovery tolerance
  9. Your business associate(s) must be tracked

This blog focuses on #6 – Risk Management is Continuous.

You can look at the Risk Management implementation specification as the actions taken in response to the Risk Assessment. The HIPAA Security Rule defines Risk Management (Required): “Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with [§ 164.306(a)]”

(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.

(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.

(3) Protect against any reasonably anticipated uses or disclosures of such information.

One common mistake companies make in compliance programs is taking the approach that once the work is done, the network doesn’t have to be looked at again for compliance. If they put the security programs, processes, and technologies in place, they don’t have to spend time on compliance until next year (or the year after that, or even longer).

This makes compliance a one-time effort that is then ignored. Worse, securing PHI often follows the same path, making it easy to hack and steal, causing a lot of problems for everyone involved. Risk management―reducing risk―needs to be a continuous activity. Through your risk assessment, you’ll know where your PHI is, what your highest risk factors are, and where to implement more continuous risk management tools in the network.

Continuous risk management does not mean tracking every single event on every single device throughout the network.  It may mean turning on automatic alerts on critical devices, setting traffic thresholds in network areas where PHI resides, logging anomalous events in those critical areas, and using network management tools to make sense of all this information the network devices are collecting.

Risk management is about a lot more than achieving HIPAA compliance: reducing risk to PHI and helping to prevent theft of PHI is of critical value in its own right.

Recommendation: Understand where you should implement continuous risk management, and what logging, alert, detection, and management tools you already have that can help with risk management.

To learn more about Cisco® compliance solutions and HIPAA services, please visit http://www.cisco.com/go/compliance


5 of 9 HIPAA Network Considerations

Over the last several weeks, I’ve been posting a blog series around nine HIPAA network considerations.

  1. HIPAA Audits will continue
  2. The HIPAA Audit Protocol and NIST 800-66 are your best preparation
  3. Knowledge is a powerful weapon―know where your PHI is
  4. Ignorance is not bliss
  5. Risk Assessment drives your baseline
  6. Risk Management is continuous
  7. Security best practices are essential
  8. Breach discovery times: know your discovery tolerance
  9. Your business associate(s) must be tracked

This week we focus on #5 – Risk Assessment drives your baseline.


4 of 9 HIPAA Network Considerations

For the fourth consideration in this 9 HIPAA Network Considerations blog series, we look at whether ‘not knowing’ is a valid defense post-breach. Is ignorance bliss, or will it get you into trouble?

Remember, the HIPAA Omnibus Rule was released January 23, 2013, became effective March 26, 2013, with compliance to the updates set for September 23, 2013. Audits will also start up again for covered entities and business associates in late 2013 or early 2014.


3 of 9 HIPAA Network Considerations

Next in this 9 HIPAA Network Considerations blog series, I cover the third network consideration, focusing on knowing where your PHI is. Remember, the HIPAA Omnibus Rule was released January 23, 2013, became effective March 26, 2013, with compliance to the updates set for September 23, 2013. Audits will also start up again for covered entities and business associates in late 2013 or early 2014.


Nine HIPAA Network Considerations

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Omnibus Final Rule, released January 2013, introduced some significant changes and updates. At the same time, over 100 HIPAA audits concluded in 2012. The Office for Civil Rights (OCR) released its initial analysis of these audits in May 2013. The HIPAA Omnibus Final Rule and the 2012 HIPAA audit results may influence how you run your network in the future. Here are nine network considerations that could impact your network and IT processes.

  1. HIPAA Audits will continue
  2. The HIPAA Audit Protocol and NIST 800-66 are your best preparation
  3. Knowledge is a powerful weapon―know where your PHI is
  4. Risk Assessment drives your baseline
  5. Risk Management is continuous
  6. Security best practices are essential
  7. Ignorance is not bliss
  8. Your business associate(s) must be tracked
  9. Breach discovery times: know your discovery tolerance

Each of these considerations will be explored in a nine-part blog series, posted on the healthcare blogs site.
