


Protecting Electronic Protected Health Information through HIPAA Compliance

Challenge

In 2009 the Open Security Foundation reported that companies in the medical industry exposed an estimated 6.6 million records. Social Security numbers, medical records, birthdates and other personally identifiable information (PII) were stolen, lost or exposed to the public. In another 2009 report, the Open Security Foundation found that 64% of all data breaches were external, 32% were internal and 5% were of unknown origin. The insider threat to privacy, whether through gross negligence or malicious intent, is a major concern for IT departments in the medical industry.

Recognizing these risks early on, the HIPAA Security Rule was adopted to secure electronic protected health information (EPHI). Its primary objective is to protect the confidentiality, integrity, and availability of EPHI when it is stored, maintained, or transmitted. The regulation applies to covered entities such as health plans (HMOs, group health plans, etc.), health care clearinghouses (billing companies, etc.) and health care providers (doctors, dentists, hospitals, etc.) that create, receive, maintain or transmit EPHI.

Alongside physical safeguards (164.310), the HIPAA Security Rule defines two categories of safeguard that IT managers must address directly:

  • Administrative Safeguards (164.308): Implement and maintain policies and procedures to prevent, detect, contain and correct security violations.

  • Technical Safeguards (164.312): Implement and maintain the technology, and the policies and procedures for its use, that protect EPHI, control access to it and prevent unauthorized access to data transmitted over a network.

Solution

EpiForce Security helps a healthcare business achieve or maintain compliance with the following technical and administrative standards of the Security Rule (45 CFR Part 164):

  • Access Control (164.312(a)(1)) - Through cross-platform server isolation, EpiForce Security delivers host-based access control that governs access to the systems holding EPHI by placing them in logical security zones. Trusted computers can be configured to communicate only with other trusted computers in the zone, and that communication is encrypted, so an unauthorized host cannot reach the data. Zone membership can be defined by IP addresses or ranges, ports, geographic regions, user groups and similar attributes.

  • Audit Controls (164.312(b)) - The admin server and the endpoint security agents maintain and store an activity log of system activity. A separate admin change log records modifications to the configuration, so historical policy changes can be reviewed.

  • Integrity (164.312(c)(1)) - EpiForce Security encrypts EPHI in motion, which keeps the data confidential. Confidentiality and integrity are distinct properties: protection against improper alteration or destruction in transit comes from the integrity checking applied to the protected traffic, not from encryption by itself, so both must be in place. EpiForce Security also identifies all users who have been authorized to access EPHI that is isolated in a logical security zone through cross-platform server isolation.

  • Person or Entity Authentication (164.312(d)) - EpiForce Security, combined with industry-standard login credentials, provides confidence that a person or entity seeking access to critical data is the one claimed. Once server isolation is established, only users on a trusted computer can reach EPHI, and they must still authenticate with their own credentials to access it.

  • Transmission Security (164.312(e)(1)) - EpiForce Security protects data in motion by encrypting it. The following algorithms are available with EpiForce Security: AES-128, AES-256, Triple DES (3DES) and DES. Single DES uses a 56-bit key and is no longer considered adequate protection; AES should be selected for new deployments.

  • Security Incident Procedures (164.308(a)(6)) - EpiForce Security isolates servers and clients into one or more private communities, or "logical security zones", to limit the impact of a security incident. Administrators can monitor the operation of all client software through real-time alerts on connection attempts from untrusted systems, delivered via activity logs in standard Syslog and Windows Event Log formats. When a rogue system attempts to reach a trusted system, it is denied access to the zone and the attempt is recorded, so reports on such attempts can be produced.
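The two mechanisms described under Access Control and Security Incident Procedures above, a default-deny zone check keyed on source address and port and a report of denied attempts built from the resulting log records, are modelled in the following added example. This is illustrative code written for this page, not Apani's or EpiForce's own software: the zone definition, the log-line format and the sample connection attempts are all constructed here.

```python
"""Logical security zone check plus a rogue-system report.

Added example, not EpiForce code. The zone, the syslog-style record
format and the sample attempts below are constructed for illustration.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Zone:
    """Hypothetical zone: trusted source networks and the ports they may reach."""
    name: str
    trusted_networks: tuple        # ipaddress.IPv4Network / IPv6Network objects
    allowed_ports: frozenset       # TCP ports permitted between zone members


def build_zone(name, cidrs, ports):
    return Zone(name, tuple(ipaddress.ip_network(c) for c in cidrs), frozenset(ports))


def evaluate(zone, src_ip, dst_port):
    """Return (decision, reason). Default-deny: a peer outside the trusted
    networks, or a port outside the allow-list, is refused."""
    addr = ipaddress.ip_address(src_ip)
    if not any(addr in net for net in zone.trusted_networks):
        return "DENY", "untrusted source"
    if dst_port not in zone.allowed_ports:
        return "DENY", f"port {dst_port} not permitted in zone"
    return "ALLOW", "trusted peer"


def log_line(zone, src_ip, dst_port, decision, reason):
    """Syslog-style activity record (constructed format, not EpiForce's)."""
    return (f'epiforce-agent zone={zone.name} src={src_ip} dport={dst_port} '
            f'action={decision} reason="{reason}"')


def decide_and_log(zone, attempts):
    """Apply the zone policy to (src_ip, dst_port) attempts; return log lines."""
    lines = []
    for src_ip, dst_port in attempts:
        decision, reason = evaluate(zone, src_ip, dst_port)
        lines.append(log_line(zone, src_ip, dst_port, decision, reason))
    return lines


_SRC = re.compile(r"\bsrc=(\S+)")
_ACTION = re.compile(r"\baction=(\w+)")


def rogue_report(lines):
    """Count DENY records per source address: the report on rogue attempts."""
    counts = Counter()
    for line in lines:
        action, src = _ACTION.search(line), _SRC.search(line)
        if action and src and action.group(1) == "DENY":
            counts[src.group(1)] += 1
    return dict(counts)


# Constructed sample: a zone for EHR database hosts, and a mix of attempts.
EHR_ZONE = build_zone("ehr-db", ["10.20.0.0/24"], [443, 1433])
SAMPLE_ATTEMPTS = [
    ("10.20.0.15", 1433),   # trusted host, permitted port  -> ALLOW
    ("10.20.0.16", 22),     # trusted host, port not in zone -> DENY
    ("192.168.5.9", 1433),  # rogue system                   -> DENY
    ("192.168.5.9", 443),   # rogue system, second try       -> DENY
    ("10.20.0.15", 443),    # trusted host, permitted port  -> ALLOW
]

if __name__ == "__main__":
    records = decide_and_log(EHR_ZONE, SAMPLE_ATTEMPTS)
    print("\n".join(records))
    print("denied attempts per source:", rogue_report(records))
```

The check is deliberately default-deny: an address that is not in a trusted network never gets to the port test, and every refusal is written to the log before the report is built, which is the ordering the audit-controls and incident-procedures standards expect.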


Related Resources:

  • California Agencies Become HIPAA Compliant
    Here is how California agencies complied with HIPAA regulations by establishing and maintaining secure communications within a proprietary healthcare records management system. Initial Microsoft IPSec deployment had limited effectiveness and no scalability due to significant management issues and multi-vendor incompatibilities.

  • Insurance Company Succeeds at Protecting PII
    Insurance company succeeds at protecting personal identity information (PII) and complying with banking partner security requirements, without changing the network infrastructure or modifying the insurance software application.

©2010 Apani, All rights reserved.