RE: HIPAA certs

From: Robinson, Sonja (SRobinson@HIPUSA.com)
Date: 02/21/03

  • Next message: John Tolmachoff: "RE: Email headers"
    From: "Robinson, Sonja" <SRobinson@HIPUSA.com>
    To: 'Jason Hastain' <hastain@sbcglobal.net>, "'security-basics@securityfocus.com'" <security-basics@securityfocus.com>
    Date: Fri, 21 Feb 2003 10:20:44 -0500
    
    

    If they are just thinking about it now they're in some serious trouble.
    You've got until April 16th to basically comply or chance being fined
    heavily at a minimum and $20K is just for starters. If they comply with ISO
    17799 then they should be relatively OK EXCEPT where they are dealing with
    PHI and disclosing it. It's stuff they should have already been complying
    with anyway. They'll need to start writing FORMAL policies out the wazoo
    and actually complying with them.

    I will focus on the PHI security aspect of it for you since this is critical
    and I'm sure that the other general security measures you are well aware of.

    PHI is Protected Healthcare Info (individually identifiable health
    information)- that identifies the individual or can be a reasonable basis to
    believe the info can be used to identify and individual. Some examples are,
    Member ID, Group ID, SSN, Phone #'s, gender, zip code, address, age, etc.

    ANY PHI and I mean ANY that leaves that office by ANY means must be secured.
    If it is electronic, it must be encrypted, this includes FTP, e-mail,
    attachments, etc. And that includes info going between pharmacies, doctors,
    insurance companies, pharmaceutical companies, vendors, labs, hospitals,
    patients, etc. You only really have to worry about what leaves your office,
    not what comes in (but you still have to keep it secured while it's in your
    possession) If PHI leaves on removable media it has to be PHYSICALLY Secured
    and documented with Chain of Custody until delivery (i.e. FEDEX, UPS and
    Certified Mail are fine). If it leaves the office so that someone can work
    at home, you've got some issues. You have to make sure that NO ONE has
    access to that info - so the kids should not be able to access it on that
    Home PC. If it is FAXED, security measures must be in place to ensure that
    the info is being picked up by the right person. PHI documents (hard copy)
    must not be left where unauthorized people can see them (including other
    patients). Disclosure of any PHI is severely restricted - health care
    workers should be sure that their telephone conversations with patients are
    not overheard by unauthorized parties. PHI can not be disclosed to anyone
    other than the patient except under certain conditions. Obviously insurance
    companies, other doctors, etc. are exempt as long as they follow the rules
    above. Giving out info to a spouse, family member, etc is prohibited except
    under VERY STRICT circumstances, such as patient unconsciousness, life
    threatening instances, waivers signed, etc. These are obviously just
    examples and are not all encompassing.

    Doctors should NOT be accepting any PHI on any e-mail servers external to
    their network unless it is stored and viewed through an encrypted mechanism
    (i.e. AOL, MSN, YAHOO...) If it is sent to say an AOL address the Sender
    must ensure that it is sent encrypted. There are a number of e-mail
    encryption mechanisms (network and client based) but your doctor will want a
    "send anywhere" feature that is transparent to the recipient and so that
    anyone can receive it. Key management such as PGP may be too difficult for
    them so look for other options such as Kryptiq, Sigaba, Zix to name a
    few.... PGP of course is acceptable encryption as long as they are willing
    to do key exchanges with all of their e-mail recipients.

    As for investigations, that is up to the feds and since it hasn't hit the
    deadline. Best guess, they will investigate claims of PHI leaks and do ad
    hoc elsewhere since they don't have the manpower.

    Here is a good test for you to answer when securing the information and
    complying - if this was YOUR doctor would you want your Information in
    HIS/HER hands or his employees? Is it secure enough for you to feel
    comfortable? If the answer is no, then there is a problem. You also have
    to remember that these people are NOT security people and that IT is not
    their business so they don't have a clue what is really needed and why.
    They just need it easy to use/maintain and cheap. It'll be tough trying to
    get all those patches in and firewall rules set and consistently maintained.

    I just pray they are not wireless LAN's because odds are that traffic is NOT
    encrypted AND the SSID's are poor or default.

    Also, please remember that Security Awareness Training for doctor's
    employees is also required by HIPAA and by ISO 17799. This includes IT
    awareness as well as legal awareness and PHI security.

    To make matters worse, the feds still have not come up with some
    clarifications that they should have.

    Sonja

    **THESE STATEMENTS ARE NOT NECESSARILY THE OPINION OF MY EMPLOYER AND THEY
    SHOULD NOT BE CONSTRUED AS SUCH. THEY ARE WHOLLY AND INDIVIDUALLY MINE.**

    > -----Original Message-----
    > From: Jason Hastain [mailto:hastain@sbcglobal.net]
    > Sent: Thursday, February 20, 2003 1:29 PM
    > To: security-basics@securityfocus.com
    > Subject: HIPAA certs
    >
    >
    > hey all,
    >
    > I have a few clients who are doctors running small practices.
    > They have small LAN's and DSL connectinos behind a simple
    > NAT router/firewall in one case and persoanl FW's in the
    > other (unfortunatly not my decision in either case).
    >
    > Each has approached me about the HIPAA certs in the last
    > week. I have read through what seams reams of pages on it b
    > ut have been unable to deduce anything other than general
    > good security practices. Strong passwords, offsite encrypted
    > backups, real firewalls, etc and so on.
    >
    > Can anyone shed some light onto this subject or point me to a
    > document with only the IT requirements prefereably boiled
    > down to something simple?
    >
    > And also has anyone had any experience yet with the HIPAA
    > investigators or quality control people checking on a site?
    > any ideas what they are looking for?
    >
    > I understand it is a 20k dollar fine for each infraction so I
    > would hate for it to be on my watch.
    >
    > tia
    >
    > Jason Hastain
    > Hastain Consulting
    >

    **********************************************************************
    This message is a PRIVILEGED AND CONFIDENTIAL communication, and is intended only for the individual(s) named herein or others specifically authorized to receive the communication. If you are not the intended recipient, you are hereby notified that any dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the sender of the error immediately, do not read or use the communication in any manner, destroy all copies, and delete it from your system if the communication was sent via email.

    **********************************************************************



    Relevant Pages

    • RE: HIPAA certs
      ... PHI and disclosing it. ... I will focus on the PHI security aspect of it for you since this is critical ... PGP of course is acceptable encryption as long as they are willing ... This message is a PRIVILEGED AND CONFIDENTIAL communication, ...
      (Security-Basics)
    • Re: Newbie naive question, perhaps - - be kind
      ... > from the curious eyes of the computer service ... just about any form of encryption can be successfully attacked - the ... the server used for PHI is not encrypted, ... our local drives, or other network drives. ...
      (sci.crypt)