No one can have missed the proliferation of scary stories in the media about security threats from a wide range of sources, including computer-assisted fraud, espionage, sabotage, vandalism, fire and flood. Sources of damage such as computer viruses, computer hacking and denial-of-service attacks (in which a website or service is flooded with traffic until legitimate users can no longer reach it) have become more common, more ambitious and increasingly sophisticated. The damage to an organisation's reputation in the marketplace can be immeasurable in terms of lost customer confidence and trust.
It is important to realise that the standard addresses the security of information, not just IT security. Information can exist in many forms: it can be printed or written on paper, stored electronically, transmitted by post or by electronic means, shown on film, spoken in conversation or over the telephone. Whatever form the information takes, and whatever means are used to store, share or use it, it should always be appropriately protected.
HIPAA is the Health Insurance Portability and Accountability Act of 1996. The HIPAA Security Rule aims to safeguard the confidentiality, integrity and availability of electronic protected health information (EPHI). Information security is characterized within HIPAA as the preservation of the confidentiality, integrity and availability of the EPHI that a covered entity creates, receives, maintains or transmits, together with protection against reasonably anticipated threats and hazards to that EPHI and against reasonably anticipated uses or disclosures of it that are not permitted.
Drawing on the concept of risk assessment, the standard enables organisations of all types and sizes to create an information security management system that is appropriate to their needs. It is not prescriptive: controls shown to be irrelevant to a particular organisation can be omitted, and additional controls not in the standard can be added later to address unusual circumstances.
The continuing push to utilise IT to conduct business electronically and globally requires a high degree of trust between customer and supplier and between trading partners. It demands confidence in the effective management of the technology and processes that look after data and information. Increased fear of losing, corrupting or exposing information has driven organisations to look for effective means to allay customer concerns and deliver business benefits.
The HIPAA Security Rule focuses specifically on safeguarding EPHI. All HIPAA covered entities, which include some federal agencies, must comply with the Security Rule. The EPHI that a covered entity creates, receives, maintains or transmits must be protected against reasonably anticipated threats, hazards and impermissible uses and/or disclosures, preserving its confidentiality, integrity and availability as those terms are defined in the Rule. In general, the requirements, standards and implementation specifications of the Security Rule apply to the following covered entities:
Covered Healthcare Providers — Any provider of medical or other health services, or supplies, who transmits any health information in electronic form in connection with a transaction for which the Department of Health and Human Services (HHS) has adopted a standard.
Health Plans — Any individual or group plan that provides or pays the cost of medical care (e.g., a health insurance issuer and the Medicare and Medicaid programs).
Healthcare Clearinghouses — A public or private entity that processes another entity’s healthcare transactions from a standard format to a nonstandard format, or vice versa.
Medicare Prescription Drug Card Sponsors — A nongovernmental entity that offers an endorsed discount drug program under the Medicare Modernization Act.
Security Rule Goals and Objectives
Each covered entity must:
• Ensure the confidentiality, integrity, and availability of EPHI that it creates, receives, maintains, or transmits
• Protect against any reasonably anticipated threats and hazards to the security or integrity of EPHI
• Protect against reasonably anticipated uses or disclosures of such information that are not permitted by the Privacy Rule.
In complying with the Security Rule, covered entities must be aware of the definitions provided for confidentiality, integrity, and availability:
• Confidentiality is “the property that data or information is not made available or disclosed to unauthorized persons or processes.”
• Integrity is “the property that data or information have not been altered or destroyed in an unauthorized manner.”
• Availability is “the property that data or information is accessible and useable upon demand by an authorized person.”
Copyright 2012 MIEL e-Security Pvt Ltd. All rights reserved.