Next in this 9 HIPAA Network Considerations blog series, I cover the third network consideration focusing on knowing where your PHI is.  Remember, the HIPAA Omnibus Rule was released January 23, 2013, became effective March 26, 2013 with compliance to the updates se for September 23, 2013.  Audits will also start up again for covered entities and business associates in late 2013 or early 2014.

The nine HIPAA network considerations:

  1. HIPAA Audits will continue
  2. The HIPAA Audit Protocol and NIST 800-66 are your best preparation
  3. Knowledge is a powerful weapon―know where your PHI is
  4. Ignorance is not bliss
  5. Risk Assessment drives your baseline
  6. Risk Management is continuous
  7. Security best practices are essential
  8. Breach discovery times: know your discovery tolerance
  9. Your business associate(s)must be tracked

Knowledge is a powerful weapon―know where your PHI is

Protecting critical data of any kind requires that you know where it is first so that you can protect it.  For HIPAA, the critical data is PHI.  Although not part of the HIPAA Security Rule, in the NIST 800-66 Revision 1 publication (Introductory Resource Guide for Implementing the HIPAA Security Rule), the first activity under the Administrative Safeguard is to ‘identify all information systems that house Protected Health Information (PHI)’.  You can’t begin to successfully protect PHI until you know where it is.

Data discovery commonly yields some surprising findings about where data resides throughout the network environment.

  • Servers, yes―but where are all those servers?  Patient profile information, sure―but where is that information at any given time?  Most likely, it is in more places than the servers.
  • Registration and admissions departments, how many locations exist that can register and admit patients? Patient care―how many floors, rooms, computers and mobile devices have people that use patient care information?
  • Financial and Billing – quite possibly.  And where is that work done―in the office, by remote employees using their own computers?
  • Studies, pilots, research?  Where is that information created, stored, used?

As BYOD becomes widespread, and in the healthcare industry this is already occurring, knowing where PHI may reside becomes more difficult and complex.  In many industries, companies don’t have ‘data discovery’ skillsets in-house.  Therefore, the data discovery cycle often gets skipped due to the lack of resources and lack of budget to outsource these services.  But it is a critical step in security best practices, and builds the foundation of your network security infrastructure.  You’ll learn a lot more than you expect, and maybe more than you want, about where your data is, with probably a few surprises included.

Know where your PHI is, and then you can properly protect it. Knowledge is a powerful weapon.

Recommendation: Hire a consultant (or do it in house) to perform PHI data discovery throughout your network.

Cisco’s Compliance Solutions teams focus on helping customers simplify meeting mandated compliance requirements. To learn more about Cisco® compliance solutions, please visit www.cisco.com/go/compliance.


Terri Quinn

Security Solutions Manager

Security Technology Group