Cisco Blogs


Cisco Blog > Healthcare

7 of 9 HIPAA Network Considerations

The HIPAA Omnibus Final Rule is now in effect and audits will continue in 2014. At the HIMSS Privacy and Security Forum in Boston on Sept. 23, Leon Rodriguez, director of the Department of Health and Human Services’ Office for Civil Rights said to those who are wondering how the new rule will be enforced: “You’ll see a picture of where we’ll spend our energies” based on previous enforcement actions.  Enforcement actions to date have focused on cases involving major security failures, where a breach incident led to investigations that revealed larger systemic issues, Rodriguez said.

On our list of 9 HIPAA Network Considerations, it is timely that our topic in this blog is on #7, Security best practices are essential.

  1. HIPAA Audits will continue
  2. The HIPAA Audit Protocol and NIST 800-66 are your best preparation
  3. Knowledge is a powerful weapon―know where your PHI is
  4. Ignorance is not bliss
  5. Risk Assessment drives your baseline
  6. Risk Management is continuous
  7. Security best practices are essential
  8. Breach discovery times: know your discovery tolerance
  9. Your business associate(s)must be tracked

The general rule for the HIPAA Security Rule is to ensure the confidentiality, integrity, and availability of ePHI that is created, received, maintained, or transmitted [45 CFR 164.306(a)].  Protect against threats to PHI.  That relates directly to network security best practices.  In the 2012 HIPAA audits, security had more than its share of findings and observations, accounting for 60% of the HIPAA audit findings and observations, even though the Security Rule accounted for only 28% of the audit questions.  At the NIST OCR Conference in May, OCR presented the summary below.

7 of 9

Read More »

Tags: , , ,

6 of 9 HIPAA Network Considerations

The HIPAA Omnibus Final Rule, released January 2013, goes into effect this month – Sept 23, 2013. Over the last several weeks, I’ve been posting a blog series around nine HIPAA network considerations.

  1. HIPAA Audits will continue
  2. The HIPAA Audit Protocol and NIST 800-66 are your best preparation
  3. Knowledge is a powerful weapon―know where your PHI is
  4. Ignorance is not bliss
  5. Risk Assessment drives your baseline
  6. Risk Management is continuous
  7. Security best practices are essential
  8. Breach discovery times: know your discovery tolerance
  9. Your business associate(s)must be tracked

This blog focuses on #6 – Risk Management is Continuous.

You can look at the Risk Management implementation specification as the actions taken in response to the Risk Assessment.  The HIPAA Security Rule defines Risk management (Required):  “Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with [§ 164.306(a)]”

(1) Ensure the confidentiality, integrity, and availability of all electronic protected health information the covered entity creates, receives, maintains, or transmits.

(2) Protect against any reasonably anticipated threats or hazards to the security or integrity of such information.

(3) Protect against any reasonably anticipated uses or disclosures of such information

One common mistake companies make in compliance programs is taking the approach that once the work is done, the network doesn’t have to be looked at again for compliance.  If they put the security programs, processes, and technologies in place, they don’t have to spend time on compliance until next year (or the year after that, or even longer).

This makes compliance a onetime effort that is then ignored.  Worse, securing PHI often follows the same path, making it easy to hack and steal, causing a lot of problems for everyone involved.  Risk management―reducing risk―needs to be a continuous activity.   Through your risk assessment, you’ll know where your PHI is, what your highest risk factors are, and where to implement more continuous risk management tools in the network.

Continuous risk management does not mean tracking every single event on every single device throughout the network.  It may mean turning on automatic alerts on critical devices, setting traffic thresholds in network areas where PHI resides, logging anomalous events in those critical areas, and using network management tools to make sense of all this information the network devices are collecting.

Risk management is about a lot more than achieving HIPAA compliance, reducing risk to PHI and helping to prevent theft of PHI is of critical value.

Recommendation: Understand where you should implement continuous risk management, and what logging, alert, detection, and management tools you already have that can help with risk management.

To learn more about Cisco® compliance solutions and HIPAA services, please visit http://www.cisco.com/go/compliance

Tags: , , ,

5 of 9 HIPAA Network Considerations

Over the last several weeks, I’ve been posting a blog series around nine HIPAA network considerations.

  1. HIPAA Audits will continue
  2. The HIPAA Audit Protocol and NIST 800-66 are your best preparation
  3. Knowledge is a powerful weapon―know where your PHI is
  4. Ignorance is not bliss
  5. Risk Assessment drives your baseline
  6. Risk Management is continuous
  7. Security best practices are essential
  8. Breach discovery times: know your discovery tolerance
  9. Your business associate(s)must be tracked

This week we focus on #5 – Risk Assessment drives your baseline.

Read More »

Tags: , , ,

Attend the 2013 PCI Community Meeting for the Latest Core PCI Standards

The Payment Card Industry (PCI) Security Standards Council (SSC) is an open global forum for the ongoing development, enhancement, storage, dissemination, and implementation of security standards for account data protection. The 2013 meeting will focus on the updates to core PCI standards: PCI DSS, PTS PA-DSS.

Getting the latest information about the PCI Data Security Standard (DSS) is vital as products and technologies continue to change at a rapid pace. Being part of the conversations, networking with like-minded professionals, and interacting directly with payment card brands are just a few of the benefits of attending the seventh annual PCI SSC North American Community Meeting. The meeting runs September 24–26, 2013, at the Mandalay Bay Convention Center in Las Vegas, Nevada.

Read More »

Tags: , , ,

4 of 9 HIPAA Network Considerations

The fourth consideration in this 9 HIPAA Network Considerations blog series, we look at whether ‘not knowing’ is a valid defense post-breach. Is Ignorance Bliss, or will that get you into trouble?

Remember, the HIPAA Omnibus Rule was released January 23, 2013, became effective March 26, 2013 with compliance to the updates se for September 23, 2013. Audits will also start up again for covered entities and business associates in late 2013 or early 2014. Read More »

Tags: , ,