
Medical Healthcare and Network Security

The regulations from the Health Insurance Portability and
Accountability Act of 1996 (HIPAA) have a number of implementing
effects that set a new standard for the healthcare market,
specifically in regard to the security of digital networks that
are increasingly used to transmit patient data. Patient data is
being created in electronic form and the old paper records are
being migrated to digital form for efficiency and cost savings.
There is an increasing volume and flow of electronic patient
health data.

The HIPAA regulations have created a new legal standard related
to the privacy and security of those electronic medical records.
The part of the HIPAA regulations that we are most interested in
involves the electronic transmission of patient records. More
and more of the medical world's business relies on digital
communication systems. Those are the telecommunications
networks. Those networks have a number of vulnerabilities, that
is, they have security weaknesses. Those security weaknesses
make it possible for outside hackers or malicious insiders to
compromise the privacy of the data in the network. The new HIPAA
regulations have implemented a stringent legal requirement for
the privacy of patient data and related security requirements
for systems transmitting that data. Past practice is no longer
acceptable. Security of the networks that are used to transmit
and access the medical data is increasingly important. To date
(mid-2004), most hospital network administrators have only dealt
with the security of the data while it is in their computer,
that is, they have considered the privacy issue. In general,
they have not started to address the security issues related to
the sensitive medical data while it is in transit over a
network. That will change as more requirements of the HIPAA
regulations, such as the security regulations, take effect.

Engedi Technologies, Inc. has two technologies, the SRM and Key2
technology (K2t), that
enhance network security. The Engedi SRMa addresses a number of
the vulnerabilities not currently addressed in most operating
networks. Engedi is working to ensure health care companies know
about the security advantages of an SRMa-enabled network. There
are a number of known and reasonably anticipated vulnerabilities
in the network systems now in use. The Engedi products, the
SRMa and complementary Key2 technology (K2t), help an entity
seeking to be HIPAA compliant to eliminate or reduce those known
and reasonably anticipated security vulnerabilities.

Implications for network systems affected by the HIPAA
regulations

Let’s think about the implications of new regulations that have
in effect raised the bar for the security of systems storing or
transmitting electronic medical records. Think of all the health
care organizations out there transmitting data over networks
that currently don’t, or won’t, meet the new HIPAA mandated
security requirements. As an example, consider if a law was
passed mandating seat belts in cars meet a certain performance
standard and auto manufacturers then ignored that standard. What
would be the implications? What would the implications be if
each auto manufacturer had clearly been put on notice that the
seatbelt standard had changed, that what they had for seatbelts
now was not in compliance with regulations, and that there was a
way to meet the new standard? If the auto manufacturers ignored
that notice and opportunity to meet the new standard, what would
be the legal exposure and ramifications? HIPAA is mandating a
new network security standard. The Engedi SRMa solution helps
networks meet that new standard.

Here is a web-link to the portion of the HIPAA security
regulations of interest: HIPAA security regulations
(http://cms.hhs.gov/hipaa/hipaa2/regulations/security/default.asp)

The HIPAA compliance deadline dates are presented on this site:
HIPAA compliance deadline dates
(http://cms.hhs.gov/hipaa/hipaa2/general/deadlines.asp)

Network systems have a long list of vulnerabilities. There’s no
single product out there that removes all vulnerabilities. An
Intrusion Detection System (IDS) might reduce or eliminate a
number of known network system vulnerabilities, and a network
firewall might reduce or eliminate another set of the
vulnerabilities, some the same as the IDS does, and another
product might close another group of vulnerabilities. The Engedi
SRMa closes or reduces a set of vulnerabilities left exposed by
the product solutions currently available on the market. Closing
vulnerabilities is like caulking the hull of a ship - the goal
is to plug as many holes as possible. There is a significant
group of vulnerabilities that the SRMa and Key2 technology
(K2t) uniquely close. Acting to reduce those network
vulnerabilities is necessary. Security breaches are costly. How
much would the loss of a list of 100,000 credit card IDs from a
hospital's billing center be valued in dollar terms? How
important is the privacy and security of the list of AIDS
infected people in a community? What’s the legal liability if
that list, or a similar private list, is hacked and made public?
The HIPAA regulations are setting a new standard.

This intersection of digital networks, the health care industry,
and government regulation presents an opportunity for forward
thinking individuals and companies to define standards, become
recognized thought leaders, and motivate constructive change for
legal compliance in this evolving area.

The HIPAA privacy requirements were phased in on 14 April, 2003. The
HIPAA security requirements have a compliance date of Spring
2005.

The Difference between Security and Privacy in HIPAA terms

Security relates to the means by which an entity protects the
privacy of health information. The goal of security measures is
to keep information secured, and decrease the means of
tampering, destruction, or inappropriate access. There are four
categories of requirements:

* Administrative Procedures–documented, formal practices to
protect data

* Physical Safeguards–protect data from fire, other natural and
environmental hazards, and intrusion

* Technical Security Services–protect information and control
individual access to information

* Technical Security Mechanisms–guard against unauthorized
access to data over communications network

Privacy refers to the individual’s right to keep certain
information private, unless that information will be used or
disclosed with his or her permission. Privacy topics include:

* Scope of Providers who must Comply

* Rights of Individuals

* Consent/Authorization Issues/Procedures/Processes

* Business Associates Requirements

* Organized Health Care Arrangements

There are civil penalties under HIPAA when entities or
individuals violate the privacy rule.

Security and privacy are much intertwined — security assures
privacy.

Application of Engedi Solutions to HIPAA Requirements

Reviewing the ‘Health Insurance Reform: Security Standards’
final rule, it seems that the Engedi Key2 Technology would be a
powerful tool for protection against “reasonably anticipated
threats or hazards to the security or integrity of the
information and unauthorized use or disclosure of the
information”. This represents a large market need.

Quoting again, “The standards require covered entities to
implement basic safeguards to protect electronic protected
health information from unauthorized access, alteration,
deletion, and transmission”. That’s the Engedi K2t and SRMa
nicely described. A ‘covered entity’ is defined as “one of the
following: (1) A health plan; (2) a health care clearinghouse;
(3) a health care provider who transmits any health information
in electronic form in connection with a transaction covered by
[the regulations].”

Quoting again, “the scope of the Security Rule is more limited
than that of the Privacy Rule. The Privacy Rule applies to
protected health information in any form, whereas [the Security]
rule applies only to protected health information in electronic
form”.

The Security Regulations become effective in Spring 2005.

HIPAA Regulations Create a New Security Standard for Network
Operations

The HIPAA regulations affect medical and healthcare providers in
many ways. The new security regulations coming out of HIPAA are
raising the performance bar for telecommunications networks used
to transmit or access medical data, specifically medical data in
electronic form.

Entities covered by the HIPAA regulations must assess their
current systems and operations to ensure their business
practices conform to these new security rules. One important
area coming from HIPAA is the security of the network systems
used to access or transmit electronic healthcare information.

Telecommunications network systems have a large number of
vulnerabilities. The networks are complex and growing. New
technologies are being added. There are constantly changing
network users with access to various layers of the network.
Protecting the privacy and security of patient data in
electronic form is a challenge. There is a long list of
vulnerabilities in networks. Some of the vulnerabilities can be
addressed by the use of various products and technologies such
as firewalls, traffic monitoring systems, virus protection
software and other solutions that protect against various known
vulnerabilities. There are other known and reasonably
anticipated vulnerabilities in operating networks affecting the
privacy and security of protected medical data that Engedi
Technologies has unique and patent-pending solutions designed to
address.

The remote management of the distributed infrastructure of
networks is an area in which many networks have security
vulnerabilities. Engedi’s Secure Remote Management (SRM)
technology is designed to provide a highly secure, multi-pathed
capability for network administrators to quickly and securely
access and manage the remotely located equipment and devices in
their networks. Engedi’s SRM technology meets the pressing need
to improve the security of networks during remote management of
the distributed network infrastructure. The vulnerabilities that
exist in networks during remote management are well known and
can be addressed today by the use of Engedi’s patent-pending
SRM technology.

Another area of network operations that is of particular concern
is the damaging effect of the malicious insider. Over half of
successful network attacks come from the insider, that is, the
attacks come from a person with some level of administrative
rights and access that place him or her on the inside of the
network. The malicious insider is a very well known and
reasonably anticipated threat to the security and privacy of
network operations. Engedi Technologies has a solution to the
malicious insider with a technology called “Key2 technology
(K2t)”. This multi-party authorization solution protects the
network from the compromised or inexperienced insider. Networks
that transmit data or permit access to data that is private and
needs to be secure have a pressing need for a solution to the
malicious insider. Engedi’s Key2 Technology (K2t) is that
solution.

Engedi Technologies works with partners to deliver and implement
Engedi’s advanced technology solutions to networks operating
under HIPAA security guidelines and regulations. HIPAA mandates
that known and reasonably anticipated threats and
vulnerabilities affecting the security and privacy of patient
medical data be addressed. Engedi has solutions for two of the
needs that operating networks must address for HIPAA compliance.

New standards exist under the HIPAA security rules for the
remote management of networks and for protection against the
malicious insider. It is no longer acceptable to ignore or allow
security vulnerabilities to known and reasonably anticipated
network threats to continue unaddressed or unabated. Engedi
Technologies delivers needed solutions in the Secure Remote
Management (SRM) and Key2 Technology (K2t) to create and
maintain network systems in compliance with the new HIPAA
mandated security rules.

For more information on Engedi’s network security solutions,
please contact Engedi Technologies, Inc. or one of their
partners. When security of the network is important and the
privacy of data is paramount, Engedi Technologies provides
solutions every operating network should have and can have
today.

==========================

Article date: May 15, 2004

Article Links:
- Engedi Technologies, Inc
- Secure Remote Management appliance (SRMA) (http://www.engedi.net/focus.htm)
- Key2 Technology (K2t) (http://www.engedi.net/brochure.htm)

© 2005 Engedi Technologies, Inc. ( http://engedi.net ) You may
reprint this article online and in print provided the links
remain live and the content remains unaltered (including the
“About the Author” message).
