<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>HIPAA PHI Compliance</title>
	<atom:link href="http://hipaa-encryption.com/HIPAA-Compliance/feed/" rel="self" type="application/rss+xml" />
	<link>http://hipaa-encryption.com/HIPAA-Compliance</link>
	<description>HIPAA Security, Best Practices, Policies, Rules and Regulations</description>
	<lastBuildDate>Fri, 11 Nov 2011 15:48:07 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.8.4</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Encryption Requirements for HIPAA &#124; Compliance MAP</title>
		<link>http://hipaa-encryption.com/HIPAA-Compliance/phi-encryption/encryption-requirements-for-hipaa-compliance-map/</link>
		<comments>http://hipaa-encryption.com/HIPAA-Compliance/phi-encryption/encryption-requirements-for-hipaa-compliance-map/#comments</comments>
		<pubDate>Fri, 11 Nov 2011 15:48:07 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[PHI Encryption]]></category>

		<guid isPermaLink="false">http://hipaa-encryption.com/HIPAA-Compliance/?p=77</guid>
		<description><![CDATA[Encryption Requirements for HIPAA Compliance 2012 Roadmap to PHI Security.  Drive level encryption, file level encryption, PGP, GPG, TrueCrypt, BitLocker and more.  Does your organization need a HIPAA compliance map for 2012?  Many small companies and even some large organizations are still behind in conforming their computer systems to include the required level of data security to comply with federal and state laws.]]></description>
			<content:encoded><![CDATA[<p>Does your organization need a HIPAA compliance map for 2012?  Many small companies and even some large organizations are still behind in conforming their computer systems to include the required level of data security to comply with federal and state laws.<br />
Don’t let your organization be the next big story on the news.  Consider auditing your entire computer and network system in 2012.  All end-of-life applications and operating systems should be phased out, upgraded or replaced.  This includes Windows 2000 Servers, which Microsoft stopped supporting on July 13, 2010.  End-of-life operating systems like WIN2k (the bread and butter server choice in many industries) generally present the largest challenge for organizations that have built entire systems around older technology.  Layered encryption and second level authentication should be considerations for any company that stores PHI or HIPAA protected data.</p>
<p>The Ultimate and Enterprise editions of the Windows 7 operating system include BitLocker, and when enabled it provides HIPAA compliant hard drive level encryption.  Windows XP is still the most common office desktop operating system.  Many companies have been slow to embrace Windows 7 because it presents some new challenges with regard to compatibility with legacy systems.  With Windows XP desktops it is necessary to deploy some form of drive level encryption to remain compliant.  TrueCrypt open source software is a popular choice for drive level encryption, and PGP is widely used at the file level.  Consideration must be given to all levels of data availability.  Users should only be given access to the information they require to perform their job.  Creating Windows security groups to limit file access isn’t enough.  A second level of authentication to protect PHI data is required.  System backups need to be fully encrypted and protected, and the list goes on.  Make a difference in 2012 by taking the steps to secure, document and monitor your network!</p>
]]></content:encoded>
			<wfw:commentRss>http://hipaa-encryption.com/HIPAA-Compliance/phi-encryption/encryption-requirements-for-hipaa-compliance-map/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HIPAA Penetration Testing</title>
		<link>http://hipaa-encryption.com/HIPAA-Compliance/phi-security/hipaa-penetration-testing/</link>
		<comments>http://hipaa-encryption.com/HIPAA-Compliance/phi-security/hipaa-penetration-testing/#comments</comments>
		<pubDate>Wed, 31 Aug 2011 17:19:05 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[PHI Security]]></category>

		<guid isPermaLink="false">http://hipaa-encryption.com/HIPAA-Compliance/?p=72</guid>
		<description><![CDATA[Are you in compliance with all HIPAA Regulations?  Have you performed an extensive system penetration test?  Penetration testing of both internal and external systems is an extremely important step towards compliance.  Standard testing includes real world hacking techniques, the results of which can help an organization understand and address system vulnerabilities before a security breach occurs.
]]></description>
			<content:encoded><![CDATA[<p>Is your (PHI) patient data secured?  Are you in compliance with all HIPAA Regulations?  The only real way to know is to perform extensive system penetration testing.  Penetration testing of both internal and external systems is an extremely important step towards compliance and it serves as a valuable tool.  Standard testing includes real world hacking techniques, the results of which can help an organization understand and address system vulnerabilities before a security breach occurs.</p>
<p>Testing often reveals actual, exploitable security threats.  Identifying these issues early will allow you to safely identify which vulnerabilities are critical, which are insignificant, and which are false positives.  This lets you make informed decisions about the real risks to your network and assists you in prioritizing remediation efforts.</p>
<p>HIPAA IT security compliance regulations and guidelines require an organization to conduct independent testing of the Information Security Program, to identify vulnerabilities that could result in unauthorized disclosure, misuse, alteration, or destruction of confidential information.</p>
<p>Best practices recommend that each organization perform internal and external penetration tests in addition to regular security assessments in order to ensure the security of their internal &#038; external networks.</p>
]]></content:encoded>
			<wfw:commentRss>http://hipaa-encryption.com/HIPAA-Compliance/phi-security/hipaa-penetration-testing/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Disk Encryption, Data Security &amp; RAM</title>
		<link>http://hipaa-encryption.com/HIPAA-Compliance/phi-encryption/disk-encryption-data-security-ram/</link>
		<comments>http://hipaa-encryption.com/HIPAA-Compliance/phi-encryption/disk-encryption-data-security-ram/#comments</comments>
		<pubDate>Fri, 19 Aug 2011 13:27:52 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[PHI Encryption]]></category>
		<category><![CDATA[PHI Security]]></category>

		<guid isPermaLink="false">http://hipaa-encryption.com/HIPAA-Compliance/?p=69</guid>
		<description><![CDATA[It’s no secret that computer scientists have discovered ways to bypass many of the popular forms of encryption used to secure the local hard disk in your desktop or laptop computer.  Of course, fully realizing this is a little concerning, especially when you are in the IT field, and needing to protect and secure PHI. Understanding the way disk encryption works will help you to understand some of the vulnerabilities.]]></description>
			<content:encoded><![CDATA[<p>It’s no secret that computer scientists have discovered ways to bypass many of the popular forms of encryption used to secure the local hard disk in your desktop or laptop computer.  Of course, fully realizing this is a little concerning, especially when you are in the IT field, and needing to protect and secure PHI.<br />
Understanding the way disk encryption works will help you to understand some of the vulnerabilities.  Without getting into the finer details of encryption, and keeping the technical jargon on the sideline, let’s just say successful encryption is based on a pair of keys: if the keys match, the data is unlocked.  It is really that simple, not much different from how a lock in a door works.  What if someone stole or copied your key?  Well, if it were your house key it would mean someone has access to your house and its contents, and if it were your computer the reality isn’t much different.</p>
<p>Computer systems’ encryption technologies store the secret encryption key in memory (RAM) once the disk has been authenticated (unencrypted).  The fact is that while the data (secret key) is loaded into RAM, it is vulnerable.  Unfortunately, there are no technologies that protect keys that are already in memory.  This is a pretty serious issue if you use a laptop that contains sensitive information (PHI or HIPAA related protected information) and you travel with it in sleep mode, because the RAM (random access memory) still contains the secret key.  If your laptop were stolen by someone with the know-how and bad intentions, your data would not be safe.  However, if the computer is shut off while in transit, the random access memory is cleared within a few minutes under normal operating temperatures, and your data would be secure.  This scenario also applies to office computers that are encrypted but utilize the sleep feature rather than being shut down at night.  Various methods, all involving physical access to the encrypted PC (FireWire, USB, serial port access), have been used to discover secret encryption keys.  Since these issues require physical access (unless the machine is otherwise infected with something that allows a remote attacker), laptop computers are the greatest concern.</p>
]]></content:encoded>
			<wfw:commentRss>http://hipaa-encryption.com/HIPAA-Compliance/phi-encryption/disk-encryption-data-security-ram/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>HIPAA Compliant File Encryption Security Software</title>
		<link>http://hipaa-encryption.com/HIPAA-Compliance/phi-encryption/hipaa-compliant-file-encryption-security-software/</link>
		<comments>http://hipaa-encryption.com/HIPAA-Compliance/phi-encryption/hipaa-compliant-file-encryption-security-software/#comments</comments>
		<pubDate>Thu, 23 Jun 2011 14:42:22 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[PHI Encryption]]></category>

		<guid isPermaLink="false">http://hipaa-encryption.com/HIPAA-Compliance/?p=63</guid>
		<description><![CDATA[<p>The most effective File Encryption Security Server Software solutions provide the following features:  </p>
<p>Data Protection and Encryption that protects your intellectual property and all files transferred over the Internet using secure protocols including FTPS (SSL/TLS), SFTP (SSH2), and HTTP/S (SSL).
</p>
<p>Delivery and Data Integrity features extending the standard FTP protocol with strong reliability features, [...]]]></description>
			<content:encoded><![CDATA[<p>The most effective File Encryption Security Server Software solutions provide the following features:  </p>
<p>Data Protection and Encryption that protects your intellectual property and all files transferred over the Internet using secure protocols including FTPS (SSL/TLS), SFTP (SSH2), and HTTP/S (SSL).</p>
<p>Delivery and Data Integrity features extending the standard FTP protocol with strong reliability features, including post transmission integrity verification, mid-file recovery, and automatic restart.</p>
<p>Tracking and Auditing features including industry standard logging (W3C, NCSA, Microsoft IIS Extended), e-mail notification of completed transactions, and digital certificates for proof of identity.</p>
<p>User Account life cycle management services that help you quickly and efficiently manage users, temporary accounts, and expired or compromised public-keys or certificates.</p>
<p>Full support for password, public-key, or one-time-password authentication. User profiles can be managed internally or externally through NTLM, Active Directory (AD), or ODBC data sources.</p>
<p>Look for strong user and group management features including system resources bandwidth monitoring, folder access, file types, and more, using granular or site-wide controls. Look for real-time monitoring and on-the-spot disconnection of users. The software should let administrators specify SSL ciphers and version levels, including the symmetric key cipher(s) and the ordering of those ciphers for establishing SSL sessions. It should also validate inbound SSL sessions and allow or deny connections based on specified or approved ciphers.</p>
]]></content:encoded>
			<wfw:commentRss>http://hipaa-encryption.com/HIPAA-Compliance/phi-encryption/hipaa-compliant-file-encryption-security-software/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Video Encryption Requirements</title>
		<link>http://hipaa-encryption.com/HIPAA-Compliance/phi-encryption/video-encryption-requirements/</link>
		<comments>http://hipaa-encryption.com/HIPAA-Compliance/phi-encryption/video-encryption-requirements/#comments</comments>
		<pubDate>Fri, 04 Mar 2011 12:30:49 +0000</pubDate>
		<dc:creator>admin</dc:creator>
				<category><![CDATA[PHI Encryption]]></category>
		<category><![CDATA[Encryption]]></category>
		<category><![CDATA[HIPAA]]></category>

		<guid isPermaLink="false">http://hipaa-encryption.com/HIPAA-Compliance/?p=60</guid>
		<description><![CDATA[The big question - What are the specific HIPAA requirements for securing or encrypting video conferencing communication?  Wherever healthcare and technology overlap the privacy and security of electronic  transactions are governed  by the Health Care &#038; Portability Act]]></description>
			<content:encoded><![CDATA[<p>The big question &#8211; What are the specific HIPAA requirements for securing or encrypting video conferencing communication? Wherever healthcare and technology overlap, the privacy and security of electronic transactions are governed by the Health Care &amp; Portability Act. The use of video conferencing technology in health care is common practice today. Telemedicine and Telehealth are used all over the country, but specific HIPAA guidelines for encrypting video conferencing communications do not exist. My interpretation of the HIPAA rules as they apply to video conferencing is simply to treat the video conference connection like any other PHI data stream. All the major VC players seem to be using 128-bit Advanced Encryption Standard (AES). A 128-bit encryption key is the minimum key size you can use for secure video communication and still maintain compliance.</p>
<p>Data communications are generally secured using 256-bit AES. The smaller 128-bit encryption key is probably better suited for real-time video communications.</p>
<p>Some popular choices often used in secure unified communication systems are:<br />
<a title="LifeSize Conferencing Products" href="http://www.videoconferencingproducts.com/LifeSize/prod_lifesize.html">LifeSize Video Conferencing Products</a><br />
<a title="Polycom Video Conferencing Products" href="http://www.videoconferencingproducts.com/Polycom/prod_polycom.html">Polycom Video Conferencing Products</a><br />
<a title="Vidyo Video Conferencing Products" href="http://www.videoconferencingproducts.com/Vidyo/prod_vidyo.html">Vidyo Video Conferencing Products</a></p>
]]></content:encoded>
			<wfw:commentRss>http://hipaa-encryption.com/HIPAA-Compliance/phi-encryption/video-encryption-requirements/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

