
HIPAA Question/Help Please!!!

posted on Sep, 25 2015 @ 08:47 AM
Hi, my name is Rob. Long-time lurker, first-time poster. Great website, love the messages.
And before I continue, Mods, if this is the wrong location for this post, please move it to the correct one. Ty!

I am a student studying Information Security, and I am currently wrestling with several HIPAA questions, specifically on the topic of computer security. Many websites, pages, and white papers that I read state that the computers handling Electronic Protected Health Information (e-PHI) must be kept up to date with software upgrades and available patches. (www.healthit.gov...) is one such document; it is stated at the bottom of page 3 (28 on the actual page).

My question is this: besides the risk analysis clause, which I don't feel is pertinent enough, and 164.306 (Security Standards), Section A, Part 2, which states that the location must "protect against any reasonably anticipated threats or hazards to the security or integrity of such information", where does it specifically state that e-PHI must be protected, and how? This is not a homework question per se, but something I have been scouring the HIPAA Security Rule section(s) attempting to find.

To anyone who tries to help, I appreciate it very much! Ty!



posted on Sep, 25 2015 @ 09:06 AM
a reply to: Rookseven

Not being from that side of the pond, a lot of what I've read makes no sense to me, but your bit on "anticipated threats and hazards" just sounds to me like it reads as: make sure it's burglar/arsonist proof or, at the very worst, that you have a backup plan. Now, they can't put a minimum level on security, as things change all the time; it's pretty much like the 2nd mentions firearms and leaves it at that, as otherwise, if it did mention that "the right to bear Fred's flintlocks made in his upstairs room shall... etc., etc.", it would lead to people just meeting the minimum requirement and then, if things go wrong, just blaming the law.



posted on Sep, 25 2015 @ 09:15 AM
Are you talking just HIPAA or also PCI compliance?

Anyway, this is a good place to look when you have HIPAA questions:

www.hhs.gov...



posted on Sep, 25 2015 @ 10:46 AM

originally posted by: Rookseven
where does it specifically state that e-PHI must be protected/how?


This could be one of the biggest conspiracy topics ever addressed on ATS.


HIPAA was never about protecting "Protected Healthcare Information" ... it was all about who it could be made legally available to and how (beyond the consent of the patient).

The 'how' of it is developed in the Information Assurance arena ... and that is via a mandate I've lost track of.



posted on Sep, 25 2015 @ 11:08 AM
a reply to: Rookseven

Where I work we retain data that is PHI and bank and insurance related. The vast majority of the data we retain is stored on IBM 3940 tapes (yes, they still use those) with a 99-year storage requirement, and the data is handled by Z mainframes and Linux servers. The method by which we move data to redundant backup locations varies by data type: some is stored on a VTA (Virtual Tape Appliance) and then copied to an offsite DR (Disaster Recovery) site, other data is maintained in tape form, but most of the data is stored in a Santa Fe Shark RAID drive array.

You will notice most of this tech IS NOT the latest and greatest. It is not the OS or the updates that determine system security; it is the operations and administration of the systems in question. Did you know the IBM mainframe platform has never been hacked??? You cannot now, and likely will never, see an example of the z/OS platform compromised. With a track record like that, it is not upgrades and updates you have to worry about. You just gotta make sure user credentials are not lost, stolen or otherwise mishandled.

One example: many (if not most) ATM machines STILL run on OS/2, several banks and brokers in general STILL use Novell, and heck, there is still a Windows 3.1 system in use in our datacenter, as well as several OS/2 Warp terminals (they work really well as admin interfaces to the IBM mainframes). The primary reason they have statements about maintaining updates is that most people are dumb enough to have Windows servers in a production environment. (Well known fact that Windows





posted on Sep, 25 2015 @ 01:38 PM
Not interested in hijacking the thread based on silly lines like "people are dumb enough to have Windows servers in a production evt".

How are you making out, OP?



posted on Sep, 25 2015 @ 01:57 PM

originally posted by: opethPA
Not interested in hijacking the thread based on silly lines like "people are dumb enough to have Windows servers in a production evt".

How are you making out, OP?


Not a silly line. The known issues with keeping a Windows server secure are why they have the updates bit in the different guidelines; when you have a secure platform, you don't have to worry about every last KB and hotfix. Windows has its place, but a production data environment isn't it. You spend more time installing updates and rebooting than you do serving up the user data.



posted on Sep, 25 2015 @ 02:00 PM

originally posted by: sycomix

originally posted by: opethPA
Not interested in hijacking the thread based on silly lines like "people are dumb enough to have Windows servers in a production evt".

How are you making out, OP?


Not a silly line. The known issues with keeping a Windows server secure are why they have the updates bit in the different guidelines; when you have a secure platform, you don't have to worry about every last KB and hotfix. Windows has its place, but a production data environment isn't it. You spend more time installing updates and rebooting than you do serving up the user data.


Except for all the production DCs that have Windows servers running and don't have issues. Of course, it's all moot if your edge isn't secured. I'm sure we can find a way to blame MSFT for that. Hell, I'm not even a MSFT fan, but blanket statements don't work in the IS world. Except maybe to say that a spanning-tree loop at 3am blows; I think everyone would say that.

We could gladly sit here and go back and forth on things, but I'm more interested in seeing if the OP was able to get his question answered.



posted on Sep, 25 2015 @ 02:35 PM
Thank you guys for the help! So far, what I've been able to come up with is the following (from the Final Rule of the HIPAA Security Rule). If I'm wrong, please correct me, but these seem to speak to the heart of what I was wondering.

> 164.308(a)(5)(ii)(B), Protection from Malicious Software: "Procedures for guarding against, detecting, and reporting malicious software." My take: if the OS or browser isn't updated with security vulnerability updates, your chances of finding or guarding against them are on a downward curve.

> 164.310(c), the Workstation Security Standard: "Implement physical safeguards for all workstations that access e-PHI, to restrict access to authorized users." My take: if the OS is no longer supported, how can you be sure that user access controls and policies have not been compromised?

> 164.312(c)(1), the Integrity Standard: "Implement policies and procedures to protect e-PHI from improper alteration or destruction." My take: how do you know new vulnerabilities haven't been found that allow users access to your system?

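The check that the three readings above boil down to, as an added example that is not part of the original post or of any HIPAA guidance: for each workstation in scope (one that accesses e-PHI), is the OS still receiving vendor security patches at all, and has it actually been patched within a policy window? The host inventory, the end-of-support table, the 30-day window and the audit date are all constructed sample data assumed for this example.

```python
"""Patch-status audit over a constructed e-PHI workstation inventory.

Added example, not from the original thread. Flags three conditions a
reviewer would want to see before accepting "we keep systems up to date":
  - "eol":        the OS is past its vendor end-of-support date, so no
                  security patches exist to install (the OP's second point)
  - "stale":      the last patch date is outside the policy window
  - "unknown_os": the OS is not in the support table, so support status
                  cannot be asserted either way
Hosts that do not access e-PHI are out of scope and are skipped.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta

# Constructed vendor end-of-support table (dates assumed for illustration).
EOL: dict[tuple[str, str], date] = {
    ("windows", "7"): date(2020, 1, 14),
    ("windows", "10"): date(2025, 10, 14),
    ("ubuntu", "18.04"): date(2023, 5, 31),
    ("ubuntu", "22.04"): date(2027, 4, 30),
}

MAX_PATCH_AGE = timedelta(days=30)   # assumed policy window
AUDIT_DATE = date(2024, 6, 1)        # assumed "today" for the sample run


@dataclass(frozen=True)
class Host:
    name: str
    os_family: str
    os_version: str
    last_patched: date
    handles_ephi: bool


@dataclass(frozen=True)
class Finding:
    host: str
    issue: str    # "eol", "stale" or "unknown_os"
    detail: str


def check_host(h: Host, today: date) -> list[Finding]:
    """Return the findings for one host (empty list means compliant)."""
    findings: list[Finding] = []
    eol = EOL.get((h.os_family.lower(), h.os_version.lower()))
    if eol is None:
        findings.append(Finding(h.name, "unknown_os",
                                f"{h.os_family} {h.os_version} not in support table"))
    elif eol < today:
        findings.append(Finding(h.name, "eol",
                                f"vendor support ended {eol.isoformat()}; no patches available"))
    if today - h.last_patched > MAX_PATCH_AGE:
        findings.append(Finding(h.name, "stale",
                                f"last patched {h.last_patched.isoformat()}, "
                                f"older than {MAX_PATCH_AGE.days} days"))
    return findings


def audit(inventory: list[Host], today: date) -> list[Finding]:
    """Check every workstation that accesses e-PHI; others are out of scope."""
    out: list[Finding] = []
    for h in inventory:
        if h.handles_ephi:
            out.extend(check_host(h, today))
    return out


def sample_inventory() -> list[Host]:
    """Constructed inventory: one clean host, one EOL+stale, one out of scope,
    one stale on a supported OS, one with an OS not in the table."""
    return [
        Host("ws-01", "windows", "10", date(2024, 5, 20), True),
        Host("ws-02", "windows", "7", date(2020, 1, 10), True),
        Host("ws-03", "ubuntu", "18.04", date(2024, 5, 25), False),
        Host("ws-04", "ubuntu", "22.04", date(2024, 4, 1), True),
        Host("ws-05", "macos", "14", date(2024, 5, 30), True),
    ]


if __name__ == "__main__":
    for f in audit(sample_inventory(), AUDIT_DATE):
        print(f"{f.host}: {f.issue}: {f.detail}")
```

The point of the "eol" finding is the one the OP is circling: once the vendor has stopped shipping patches, no procedure can satisfy "guarding against" new malicious software for that host, so the finding stands regardless of how recently it was patched. The audit date is a parameter rather than `date.today()` so a run is reproducible for an auditor.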


posted on Sep, 25 2015 @ 06:22 PM
It means that where records are kept or the computers they are stored on must be in a locked and lockable room when not in use.



