HIPAA Security
The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the U.S. Congress in 1996. According to the Centers for Medicare and Medicaid Services (CMS) website, Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers. The Administrative Simplification provisions also address the security and privacy of health data. The standards are meant to improve the efficiency and effectiveness of the nation's health care system by encouraging the widespread use of electronic data interchange in the US health care system. Following are the HIPAA details pertaining to security.
Title II: Preventing Health Care Fraud and Abuse; Administrative Simplification; Medical Liability Reform
Title II of HIPAA defines numerous offenses relating to health care and sets civil and criminal penalties for them. It also creates several programs to control fraud and abuse within the health care system. However, the most significant provisions of Title II are its Administrative Simplification rules. Title II requires the Department of Health and Human Services (HHS) to draft rules aimed at increasing the efficiency of the health care system by creating standards for the use and dissemination of health care information.
These rules apply to “covered entities” as defined by HIPAA and the HHS. Covered entities include health plans, health care clearinghouses, such as billing services and community health information systems, and health care providers that transmit health care data in a way that is regulated by HIPAA.
Per the requirements of Title II, the HHS has promulgated five rules regarding Administrative Simplification: the HIPAA Privacy Rule, the Transactions and Code Sets Rule, the HIPAA Security Rule, the Unique Identifiers Rule, and the HIPAA Enforcement Rule.
HIPAA Security Rule Organization
The HIPAA Security Rule is separated into six main sections that each include several standards and implementation specifications a covered entity must address. Each of the six sections is listed below.
- Security standards: General Rules - includes the general requirements all covered entities must meet; establishes flexibility of approach; identifies standards and implementation specifications (both required and addressable); outlines decisions a covered entity must make regarding addressable implementation specifications; and requires maintenance of security measures to continue reasonable and appropriate protection of electronic protected health information.
- Administrative Safeguards - are defined in the Security Rule as the “administrative actions and policies, and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity's workforce in relation to the protection of that information.”
- Physical Safeguards - are defined as the “physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion.”
- Technical Safeguards - are defined as “the technology and the policy and procedures for its use that protect electronic protected health information and control access to it.”
- Organizational Requirements - includes standards for business associate contracts and other arrangements, including memoranda of understanding between a covered entity and a business associate when both entities are government organizations; and requirements for group health plans.
- Policies and Procedures and Documentation Requirements - requires implementation of reasonable and appropriate policies and procedures to comply with the standards, implementation specifications and other requirements of the Security Rule; maintenance of written (which may be electronic) documentation and/or records that includes policies, procedures, actions, activities, or assessments required by the Security Rule; and retention, availability and update requirements related to the documentation.
Within the HIPAA Security Rule sections are standards which are required. Many of the standards contain implementation specifications which are either required or addressable. However, regardless of whether a standard includes implementation specifications, covered entities must comply with each standard.
Network considerations when applying the HIPAA Security Rule
Following are some of the Security Rule standards applicable to organizations deploying networks for data communications. For organizations using wireless for data communication, refer to the HIPAA Security and WLAN page.
| Standard | Implementation Specifications |
| --- | --- |
| Section 164.308 Administrative safeguards | |
| (a)(1) Security management process: Implement policies and procedures to prevent, detect, contain, and correct security violations. | Risk analysis (Required); Risk management (Required); Sanction policy (Required); Information system activity review (Required) |
| (a)(4) Information access management: Implement policies and procedures for authorizing access to electronic protected health information that are consistent with the applicable requirements of subpart E of this part. | Isolating health care clearinghouse functions (Required); Access authorization (Addressable); Access establishment and modification (Addressable) |
| (a)(6) Security incident procedures: Implement policies and procedures to address security incidents. Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes. | Response and reporting (Required) |
| (a)(8) Evaluation: Perform a periodic technical and non-technical evaluation, based initially upon the standards implemented under this rule and subsequently, in response to environmental or operational changes affecting the security of electronic protected health information, that establishes the extent to which an entity's security policies and procedures meet the requirements of this subpart. | |
| Section 164.312 Technical safeguards | |
| (a) Access control: Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in Sec. 164.308(a)(4). | Unique user identification (Required); Emergency access procedure (Required); Automatic logoff (Addressable); Encryption and decryption (Addressable) |
| (b) Audit controls: Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information. | |
| (c) Integrity: Implement policies and procedures to protect electronic protected health information from improper alteration or destruction. | Mechanism to authenticate electronic protected health information (Addressable) |
| (e) Transmission security: Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network. | Integrity controls (Addressable); Encryption (Addressable) |