<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>HIPAA PHI Compliance</title>
	<atom:link href="http://hipaa-encryption.com/HIPAA-Compliance/feed/" rel="self" type="application/rss+xml" />
	<link>http://hipaa-encryption.com/HIPAA-Compliance</link>
	<description>HIPAA Security, Best Practices, Policies, Rules and Regulations</description>
	<lastBuildDate>Mon, 12 Mar 2012 15:16:53 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>HIPAA Compliant email</title>
		<link>http://hipaa-encryption.com/HIPAA-Compliance/secure-email/hipaa-compliant-email/</link>
		<comments>http://hipaa-encryption.com/HIPAA-Compliance/secure-email/hipaa-compliant-email/#comments</comments>
		<pubDate>Mon, 12 Mar 2012 15:16:53 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[Secure email]]></category>

		<guid isPermaLink="false">http://hipaa-encryption.com/HIPAA-Compliance/?p=88</guid>
		<description><![CDATA[If you are looking for a HIPAA compliant email solution for your business, make sure you understand the pitfalls. There is certainly no shortage of HIPAA compliant email solutions on the market today. I’ve seen ads for systems that range from the freeware category all the way to full MS Exchange mailbox integration. Cloud-based computing is making hosted solutions more popular than ever. These solutions tend to be easier to roll out, less expensive and less complicated for small and medium-sized companies. If easy is what you are looking for, secure email may work for you, but if security is your priority you may want to look elsewhere.]]></description>
			<content:encoded><![CDATA[<p>If you are looking for a HIPAA compliant email solution for your business, make sure you understand the pitfalls. There is certainly no shortage of HIPAA compliant email solutions on the market today. I’ve seen ads for systems that range from the freeware category all the way to full MS Exchange mailbox integration. Cloud-based computing is making hosted solutions more popular than ever. These solutions tend to be easier to roll out, less expensive and less complicated for small and medium-sized companies. If easy is what you are looking for, secure email may work for you, but if security is your priority you may want to look elsewhere.</p>
<p>Many encrypted secure email solutions suffer from a very simple flaw that can cause your business great harm with a single misspelling. That is correct: a single misspelling has the potential to cause a data breach that you would be obligated by law to report. Ironically, the word that could cause all this trouble is “secure”. How could this happen, you ask? It is very simple; let me explain. In an effort to make the process of sending secure email easy for the user base, many popular HIPAA compliant email systems rely on the end user to enter the subject as “secure”, which triggers routing of the email through an encryption path rather than the regular unsecured email pathways. What if a secretary, doctor, or clerical office worker misspells the subject or simply forgets to use the subject trigger word? The email goes out unprotected, without any security, to any and all recipients. If that unsecured email contained PHI, you have just created a data breach that you are obligated by law to report.</p>
<p>Most employees use email every day for a variety of business-related tasks that do not involve patient data or PHI in any form. They understand email is not secure and never to use it as such. In my opinion, adding a feature that provides the necessary security to the email, then leaving the possible data breach in the hands of the end user by way of a typo, is a recipe for disaster. Site-to-site VPN, file-level encryption, SSL, and even the good old fax machine are better options.</p>
]]></content:encoded>
			<wfw:commentRss>http://hipaa-encryption.com/HIPAA-Compliance/secure-email/hipaa-compliant-email/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Encryption Requirements for HIPAA &#124; Compliance MAP</title>
		<link>http://hipaa-encryption.com/HIPAA-Compliance/phi-encryption/encryption-requirements-for-hipaa-compliance-map/</link>
		<comments>http://hipaa-encryption.com/HIPAA-Compliance/phi-encryption/encryption-requirements-for-hipaa-compliance-map/#comments</comments>
		<pubDate>Fri, 11 Nov 2011 15:48:07 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[PHI Encryption]]></category>

		<guid isPermaLink="false">http://hipaa-encryption.com/HIPAA-Compliance/?p=77</guid>
		<description><![CDATA[Encryption Requirements for HIPAA Compliance: 2012 Roadmap to PHI Security. Drive-level encryption, file-level encryption, PGP, GPG, TrueCrypt, BitLocker and more. Does your organization need a HIPAA compliance map for 2012? Many small companies and even some large organizations are still behind in conforming their computer systems to include the required level of data security to comply with federal and state laws.]]></description>
			<content:encoded><![CDATA[<p>Does your organization need a HIPAA compliance map for 2012? Many small companies and even some large organizations are still behind in conforming their computer systems to include the required level of data security to comply with federal and state laws.</p>
<p>Don’t let your organization be the next big story on the news. Consider auditing your entire computer and network system in 2012. All end-of-life applications and operating systems should be phased out, upgraded or replaced. This includes Windows 2000 Servers, which Microsoft stopped supporting on July 13, 2010. End-of-life operating systems like Win2k (the bread-and-butter server choice in many industries) generally present the largest challenge for organizations that have built entire systems around older technology. Layered encryption and second-level authentication should be considerations for any company that stores PHI or HIPAA protected data.</p>
<p>The Windows 7 Ultimate and Enterprise editions include BitLocker, which, when enabled, provides HIPAA compliant drive-level encryption. Windows XP is still the most common office desktop operating system. Many companies have been slow to embrace Windows 7 because it presents some new challenges with regard to compatibility with legacy systems. With Windows XP desktops it is necessary to deploy some form of drive-level encryption to remain compliant. The open source TrueCrypt software is a popular choice for drive-level encryption, and PGP is widely used at the file level. Consideration must be given to all levels of data availability. Users should only be given access to the information they require to perform their job. Creating Windows security groups to limit file access isn’t enough. A second level of authentication to protect PHI data is required. System backups need to be fully encrypted and protected, and the list goes on. Make a difference in 2012 by taking the steps to secure, document and monitor your network!</p>
]]></content:encoded>
			<wfw:commentRss>http://hipaa-encryption.com/HIPAA-Compliance/phi-encryption/encryption-requirements-for-hipaa-compliance-map/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HIPAA Penetration Testing</title>
		<link>http://hipaa-encryption.com/HIPAA-Compliance/phi-security/hipaa-penetration-testing/</link>
		<comments>http://hipaa-encryption.com/HIPAA-Compliance/phi-security/hipaa-penetration-testing/#comments</comments>
		<pubDate>Wed, 31 Aug 2011 17:19:05 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[PHI Security]]></category>

		<guid isPermaLink="false">http://hipaa-encryption.com/HIPAA-Compliance/?p=72</guid>
		<description><![CDATA[Are you in compliance with all HIPAA Regulations? Have you performed an extensive system penetration test? Penetration testing of both internal and external systems is an extremely important step towards compliance. Standard testing includes real-world hacking techniques, the results of which can help an organization understand and address system vulnerabilities before a security breach occurs.]]></description>
			<content:encoded><![CDATA[<p>Is your patient data (PHI) secured? Are you in compliance with all HIPAA Regulations? The only real way to know is to perform extensive system penetration testing. Penetration testing of both internal and external systems is an extremely important step towards compliance, and it serves as a valuable tool. Standard testing includes real-world hacking techniques, the results of which can help an organization understand and address system vulnerabilities before a security breach occurs.</p>
<p>Testing often reveals actual, exploitable security threats. Identifying these issues early lets you safely determine which vulnerabilities are critical, which are insignificant, and which are false positives, make informed decisions about the real risks to your network, and prioritize remediation efforts.</p>
<p>HIPAA IT security compliance regulations and guidelines require an organization to conduct independent testing of the Information Security Program, to identify vulnerabilities that could result in unauthorized disclosure, misuse, alteration, or destruction of confidential information. </p>
<p>Best practices recommend that each organization perform internal and external penetration tests in addition to regular security assessments in order to ensure the security of their internal and external networks.</p>
]]></content:encoded>
			<wfw:commentRss>http://hipaa-encryption.com/HIPAA-Compliance/phi-security/hipaa-penetration-testing/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Disk Encryption, Data Security &amp; RAM</title>
		<link>http://hipaa-encryption.com/HIPAA-Compliance/phi-encryption/disk-encryption-data-security-ram/</link>
		<comments>http://hipaa-encryption.com/HIPAA-Compliance/phi-encryption/disk-encryption-data-security-ram/#comments</comments>
		<pubDate>Fri, 19 Aug 2011 13:27:52 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[PHI Encryption]]></category>
		<category><![CDATA[PHI Security]]></category>

		<guid isPermaLink="false">http://hipaa-encryption.com/HIPAA-Compliance/?p=69</guid>
		<description><![CDATA[It’s no secret that computer scientists have discovered ways to bypass many of the popular forms of encryption used to secure the local hard disk in your desktop or laptop computer. Of course, fully realizing this is a little concerning, especially when you are in the IT field and need to protect and secure PHI. Understanding the way disk encryption works will help you to understand some of the vulnerabilities.]]></description>
			<content:encoded><![CDATA[<p>It’s no secret that computer scientists have discovered ways to bypass many of the popular forms of encryption used to secure the local hard disk in your desktop or laptop computer. Of course, fully realizing this is a little concerning, especially when you are in the IT field and need to protect and secure PHI.</p>
<p>Understanding the way disk encryption works will help you to understand some of the vulnerabilities. Without getting into the finer details of encryption, and keeping the technical jargon on the sideline, let’s just say successful encryption is based on a pair of keys: if the keys match, the data is unlocked. It is really that simple, not much different from how a lock on a door works. What if someone stole or copied your key? If it were your house key, it would mean someone has access to your house and its contents; if it were your computer, the reality isn’t much different.</p>
<p>Computer disk encryption technologies store the secret encryption key in memory (RAM) once the disk has been authenticated (unlocked). The fact is that while the secret key is loaded into RAM, it is vulnerable. Unfortunately, there are no technologies that protect keys that are already in memory. This is a pretty serious issue if you use a laptop that contains sensitive information (PHI or HIPAA related protected information) and you travel with it in sleep mode, because the RAM (random access memory) still contains the secret key. If your laptop were stolen by someone with the know-how and bad intentions, your data is not safe. However, if the computer is shut off while in transit, the random access memory is cleared within a few minutes under normal operating temperatures, and your data would be secure. This scenario also applies to office computers that are encrypted but use the sleep feature rather than being shut down at night. Various methods, all requiring physical access to the encrypted PC (FireWire, USB, serial port access), have been used to recover secret encryption keys. Since these issues require physical access (unless the machine is otherwise infected with something that gives a remote attacker access), laptops are the greatest concern.</p>
]]></content:encoded>
			<wfw:commentRss>http://hipaa-encryption.com/HIPAA-Compliance/phi-encryption/disk-encryption-data-security-ram/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HIPAA Compliant File Encryption Security Software</title>
		<link>http://hipaa-encryption.com/HIPAA-Compliance/phi-encryption/hipaa-compliant-file-encryption-security-software/</link>
		<comments>http://hipaa-encryption.com/HIPAA-Compliance/phi-encryption/hipaa-compliant-file-encryption-security-software/#comments</comments>
		<pubDate>Thu, 23 Jun 2011 14:42:22 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[PHI Encryption]]></category>

		<guid isPermaLink="false">http://hipaa-encryption.com/HIPAA-Compliance/?p=63</guid>
		<description><![CDATA[<p>The most effective File Encryption Security Server Software solutions provide the following features:</p>
<p>Data Protection and Encryption that protects your intellectual property and all files transferred over the Internet using secure protocols including FTPS (SSL/TLS), SFTP (SSH2), and HTTP/S (SSL).</p>
<p>Delivery and Data Integrity features extending the standard FTP protocol with strong reliability features, [...]]]></description>
			<content:encoded><![CDATA[<p>The most effective File Encryption Security Server Software solutions provide the following features:</p>
<p>Data Protection and Encryption that protects your intellectual property and all files transferred over the Internet using secure protocols including FTPS (SSL/TLS), SFTP (SSH2), and HTTP/S (SSL).</p>
<p>Delivery and Data Integrity features extending the standard FTP protocol with strong reliability features, including post transmission integrity verification, mid-file recovery, and automatic restart.</p>
<p>Tracking and Auditing features including industry standard logging (W3C, NCSA, Microsoft IIS Extended), e-mail notification of completed transactions, and digital certificates for proof of identity.</p>
<p>User Account life cycle management services that help you quickly and efficiently manage users, temporary accounts, and expired or compromised public-keys or certificates.</p>
<p>Full support for password, public-key, or one-time-password authentication. User profiles can be managed internally or externally through NTLM, Active Directory (AD), or ODBC data sources.</p>
<p>Look for strong user and group management features, including monitoring of system resources and bandwidth, folder access, file types, and more, using granular or site-wide controls. Look for real-time monitoring and on-the-spot disconnection of users. The software should let administrators specify SSL ciphers and version levels, including which symmetric key cipher(s) are allowed and the order in which they are offered when establishing SSL sessions, and should validate inbound SSL sessions, allowing or denying connections based on the specified or approved ciphers.</p>
]]></content:encoded>
			<wfw:commentRss>http://hipaa-encryption.com/HIPAA-Compliance/phi-encryption/hipaa-compliant-file-encryption-security-software/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
	</channel>
</rss>

