HIPAA: Frequently asked questions
Information Security, HIPAA, ISMS, and ISO/IEC 27001
Risk Assessment and Risk Management
Certification
What is information security?
Information security is the protection of information to ensure:
- Confidentiality: ensuring that the information is accessible only to those authorized to access it.
- Integrity: ensuring that the information is accurate and complete and that the information is not modified without authorization.
- Availability: ensuring that the information is accessible to authorized users when required.
Information security is achieved by applying a suitable set of controls (policies, processes, procedures, organizational structures, and software and hardware functions).
What is HIPAA security?
The Administrative Simplification provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA, Title II) required the United States Department of Health and Human Services (HHS) to establish national standards for electronic health care transactions and national identifiers for providers, health plans, and employers. It also addressed the security and privacy of health information. It required HHS to establish national standards for the security of electronic health care information. The final rule adopting HIPAA standards for security was published in the Federal Register on February 20, 2003. The final rule defines a set of administrative, technical, and physical security safeguards covered entities must implement to assure the confidentiality of electronic protected health information (ePHI). Each safeguard includes standards. The standards are delineated into either required or addressable implementation specifications.
Who must comply with the HIPAA security rule?
All entities in health care management, both medical and non-medical, must comply with the Security Rule. In general, the standards, requirements, and implementation specifications of HIPAA apply to the following entities:
- Health Care Providers - Any provider of health care services (medical and non-medical) or supplier who transmits health information (as defined by HIPAA) in electronic form in connection with an EDI transaction for which HHS has adopted a standard.
- Health Plans - Any individual or group plan that provides or pays the cost of health care (e.g., Blue Cross/Blue Shield Insurance and the Medicare and Medicaid programs).
- Health Care Clearinghouses - Any entity that processes another entity's health care transactions.
- Medicare Prescription Drug Card Sponsors - Any nongovernmental entity that offers an endorsed discount drug program under the Medicare Modernization Act. This fourth category will remain in effect until the drug card program ends.
Why is a Security Rule needed?
Until the enactment of HIPAA, the U.S. health care industry was not required to abide by specific standards or requirements for securing health information. As physicians and clinicians began to demand online, real-time access to clinical information, providers and payers turned to electronic processes and applications to replace paper processes. Hospital systems began utilizing web portals to provide anytime, anywhere access to ePHI.
Systems provide for computerized physician order entry (CPOE), electronic health records (EHR), and interfaces to radiology, pharmacy, and laboratory systems. Medical devices are being interfaced into networks to provide real-time clinical data updates to patients’ electronic health records. Health plan providers are developing member self-service applications in order to keep costs under control. These web-based applications allow online access to claims information and physician directories.
With the advent of these new technologies and the U.S. government’s goal of providing a National Health Information Infrastructure (NHII), the requirement for new administrative policies, including the need to secure all of this electronically-created and maintained health information, was escalated.
National Health Information Infrastructure (NHII)
On November 15, 2001, the National Committee on Vital and Health Statistics issued the following challenge:
"We as a Nation have a timely opportunity and an urgent need to build a 21st-century health support system - a comprehensive, knowledge-based system capable of providing information to all who need it to make sound decisions about health. Such a system can help realize the public interest related to disease prevention, health promotion, and population health."
This challenge led to the creation of the NHII Task Force in September 2002. This task force chose to focus on activities to help the healthcare industry create and adopt a national health information infrastructure (NHII). The scope of the NHII is represented by three overlapping circles, each representing a particular focus, with overlap into the adjacent areas. The three dimensions are:
- Personal health - includes a personal health record that is created and controlled by the individual or family, plus non-clinical information such as self-care trackers and directories of health care providers. The confidentiality of personal health records and consumers' control over their own records are basic tenets of this vision, consistent with the HHS HIPAA privacy regulations.
- Health care delivery - includes information such as provider notes, clinical orders, decision-support programs, digital prescribing programs, and practice guidelines. Healthcare providers will retain the responsibility for the privacy and security of their own patients' medical records.
- Public health - enables sharing of information to improve the clinical management of populations of patients, such as vital statistics, population health risks and disease registries.
Example 1: NHII Report and Recommendations From the National Committee on Vital and Health Statistics (http://aspe.hhs.gov/sp/nhii/Documents/NHIIReport2001/report7.htm)
As the United States progresses towards its goal of an NHII, and entities continue to implement Electronic Medical Records (EMRs), protecting the confidentiality, integrity, and availability of health information has become a number one concern of providers and payers. The security standards in HIPAA are there to provide for the implementation of appropriate security safeguards in order to protect electronic health care information from unlawful use, while permitting the appropriate access and use of that information by the three NHII dimensions.
What is the Security Rule?
The Security Rule is a set of standards for ensuring that only those who should have access to electronic protected health information (ePHI) will have access, and that the access is appropriate for their job function. The Security Rule is made up of three safeguards, which are composed of a number of standards, which, in turn, have implementation specifications that are either required or addressable. The three safeguards are divided into the categories of administrative, physical, and technical. Each standard has additional implementation specifications to provide detailed instructions. The safeguards can be found in the Security Rule at 45 CFR § 164.304.
- Administrative safeguards: These are the administrative functions that should be implemented to meet the security standards.
- Physical safeguards: These are the mechanisms required to protect electronic systems, equipment, and the data they hold, from threats, environmental hazards and unauthorized intrusion.
- Technical safeguards: These are the automated processes used to protect data and control access to data.
- Implementation Specifications: An "implementation specification" is an additional detailed instruction for implementing a particular standard. Implementation specifications which are required must implement policies and/or procedures to address the standard. If an implementation specification is defined as addressable, then the covered entity must, through the risk assessment process, assess whether it is a reasonable and appropriate safeguard in the entity's environment.
How does the HIPAA security rule relate to other security management system standards?
HIPAA is aligned with other standards such as ISO/IEC 27001, FISMA, and SOX. It is most closely aligned with ISO/IEC 27001. The ISO/IEC 27001 controls (safeguards) generally have a 1:1 match with HIPAA at the standards level. They share a policy, standard and procedure hierarchy.
What is an ISMS?
An Information Security Management System (ISMS) is a management system based on a systematic business risk approach, to establish, implement, operate, monitor, review, maintain, and improve information security. It is an organizational level approach to information security.
Why should I invest in implementing an ISMS to meet HIPAA regulations?
If you are an entity that must comply with the HIPAA regulations and your electronic protected health information (ePHI) is considered an asset to your business, you should consider implementing an ISMS in order to protect those assets within a sustainable framework.
If you decide to implement an ISMS, you should consider joining the growing number of organizations around the world that have already gone through the process to be certified against the ISO/IEC 27001 standard. A successful ISMS certification provides an assurance that an independent team of evaluators has audited your information security management system and certified your adherence to the international standard. This can be a differentiating factor and provide a defensible position during federal and state compliance audits.
What is the history of the standards? What is the future?
The ISMS standard was first published as a British Standard, BS 7799. It came in two parts:
- The code of practice: BS 7799-1, which later became ISO/IEC 17799 and is planned to be renumbered as ISO/IEC 27002.
- The management system, which can be used as a standard for certifying an organization: originally published as BS 7799-2, and now released as an International Standard, ISO/IEC 27001.
Throughout this FAQ we emphasize the new names for the standards.
What is ISO/IEC 27001, and how does an ISMS relate to it?
British Standard 7799 (BS 7799) is an internationally recognized standard describing the protection of information assets. It is now an International Standard (ISO/IEC 27001) and consists of two parts:
- ISO/IEC 17799 (also known as BS 7799 Part 1), a code of practice for information security management
- ISO/IEC 27001 (formerly BS 7799 Part 2), the specification for an ISMS that can be used as the basis for certification
Why does ISO/IEC 17799 matter?
ISO/IEC 17799 is a code of practice for information security managers. It matters because it provides guidance for planning and implementing a program to protect information assets. It also provides a list of controls (safeguards) that closely match HIPAA safeguards.
Why does ISO/IEC 27001 matter?
ISO/IEC 27001 (BS 7799 Part 2) is the specification for an ISMS. It explains how to apply ISO/IEC 17799. It matters because it provides the standard against which certification is performed.
All electronic protected health information (ePHI) created, received, maintained, or transmitted by a covered entity is regulated by the Security Rule. Covered entities are required by law to implement reasonable and appropriate security measures to protect against reasonably anticipated threats or hazards to the confidentiality, integrity, and availability of ePHI. The Security Rule requires covered entities to evaluate the risks and to implement policies and procedures to address those risks.
The Security Management Process standard, at §164.308(a)(1)(i) in the Administrative Safeguards section of the Security Rule, requires covered entities to "implement policies and procedures to prevent, detect, contain, and correct security violations." The Security Management Process standard has four required implementation specifications. Two of the implementation specifications are Risk Analysis and Risk Management.
What is risk analysis?
The required implementation specification at §164.308(a)(1)(ii)(A), for Risk Analysis, requires a covered entity to "conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held by the covered entity."
Risk assessment is the process of identifying risks by analyzing threats to, impacts on, and vulnerabilities of information and information systems and processing facilities, and the likelihood of their occurrence.
What is risk management?
The required implementation specification at §164.308(a)(1)(ii)(B), for Risk Management, requires a covered entity to "implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level to comply with §164.306(a) [the General Requirements of the Security Rule]."
Risk management is the process of identifying, controlling, and minimizing or eliminating security risks.
Why are risk analysis and risk management relevant to HIPAA?
In the real world, the cost of protecting information must be balanced against the potential cost of security breaches. A covered entity must fully understand the security risks it faces in order to determine the appropriate management action and to implement controls selected to protect against these risks.
Both risk analysis and risk management are critical to a covered entity's Security Rule compliance efforts. As stated in the responses to public comment in the preamble to the Security Rule, risk analysis and risk management will "form the foundation upon which an entity's necessary security activities are built." (68 Fed. Reg. 8346.)
How is risk analysis related to ISO/IEC 27001?
Selecting the right set of controls requires the use of a risk assessment-based approach. This approach is a mandatory part of the PLAN (identify, analyze and evaluate the risks), DO (select, implement, and use controls to manage the risks to acceptable levels), CHECK, and ACT cyclic process defined in ISO/IEC 27001 for the establishment, implementation, and maintenance of an ISMS.
Does ISO/IEC 27001 define the methodology for risk assessment?
The standard specifies only that the organization should use a systematic approach to risk assessment (method of risk assessment, legal requirements, policy and objectives for reducing the risks to an acceptable level). A specific methodology is not prescribed.
Several methodologies are published and available for use. NIST SP 800-30 (Risk Management Guide for Information Technology Systems), available at http://csrc.nist.gov/publications/nistpubs/, is the source referenced by HHS for HIPAA compliance. The Security Rule does not stipulate that an organization use a specific risk analysis or risk management methodology.
After implementation, must the organization re-assess risks?
According to HHS, risk analysis and risk management are the foundation of a covered entity's Security Rule compliance efforts. Risk analysis and risk management are ongoing processes. A covered entity must maintain documentation which outlines the risks to ePHI and the security measures needed to effectively manage those risks. Performing these processes using a standards-based methodology will ensure the confidentiality, availability, and integrity of ePHI, protect against any reasonably anticipated threats or hazards to the security or integrity of ePHI, and protect against any reasonably anticipated uses or disclosures of ePHI that are not permitted or required under the HIPAA Privacy Rule.
An organization that manages change effectively has a better chance of survival. The PDCA process model provides a means of assessing the risks an organization is challenged with as a result of changes in the business environment.
What is certification?
Currently the standard is published as ISO/IEC 27001, and this will be the standard that is commonly used for certification. ISO/IEC 27001 certification (also called BS 7799 registration) is the process by which an organization's ISMS is examined against the ISO/IEC 27001 (BS 7799-2) specification by an accredited certification body.
What is a certification body?
A certification body (also called a registration body, assessment and registration body, or registrar) is a third party that assesses and certifies that the ISMS of an organization meets the requirements of the standard.
Who accredits certification bodies?
Accreditation organizations accredit the competence of certification bodies to perform services in the areas of product and management system approval. These accreditation organizations are often, but not always, national in scope.
What is the certification process?
The certification process includes:
- Part 1 audit (also known as a desktop audit). Here the certification body (CB) examines the pertinent documentation.
- Taking action on the results of the Part 1 audit.
- Part 2 audit (on-site audit). Here the CB sends an audit team to examine your implementation of the reviewed, documented ISMS.
- Correction of audit findings.
- Agreeing on a surveillance schedule.
- When your ISMS is found to be conformant, issuance of the certificate. (Depending on the CB, this can take a few weeks to several months.)
Following initial certification, the ISMS is subject to surveillance as specified by the CB and then re-certification after three years.