Network security meeting HIPAA/ePHI compliancy?
I provide desktop support for a start-up company. The company owns a few pharmacies in the area. Each pharmacy has at least 3-5 computers, which are connected to the internet to receive/transmit medical and patient data via software. Right now they are being protected by a router along with Symantec Norton Business class acting as firewall and anti-virus.

 

My question is, and where we require assistance: is this sufficient for HIPAA/ePHI compliancy? Multiple Google searches provide only very broad and vague information on HIPAA rules & regulations. Do we require hardware firewalls in conjunction with a software firewall/anti-virus? Does anyone have experience in this field or can provide some concrete info in this spectrum?

 

Thanks in advance.


HIPAA compliance standards can be found HERE and HERE. I deleted the reference to your specific brand as including it is spamming our site. You are required to safeguard patient data and limit access to those who have direct patient care needs. If your software and / or hardware does this and provides sufficient safeguards as listed above, including access from unauthorized intrusions, you will be safe. The method by which you do this is your own choice.

 

Barney

Registered Nurse


Oh HIPAA, the law that required (well, forced because of the amount of legal we had to understand) us to hire 2 lawyers full time on staff, have a dedicated security officer that goes to jail if we F up, and have to have all the software we create run through auditing.... what an annoying law in the end.... every single change we make to our network we have to do a "risk assessment" and record our findings... we fall under the strict guidelines because we house VERY confidential data and process it for carriers and hospitals...

 

every year it seems like more strict parts are put into action, it used to be "best effort", now it's more like you better do it right or else... we just heard of one place that we worked with in the past getting fined $1.5 million for not securing their network well enough... kinda rattled a few people in legal here...


Well, the law might be annoying, however it also keeps organizations like health insurance companies from illegally obtaining your health records and increasing your rates due to some "condition". I am glad that this safeguard is in place.


yep, I'm just saying it's annoying because of the massive amount of work we have to do to comply

A couple things that pop into mind from a general security perspective:

1) The data transmission between pharmacies, how is this protected if at all? Are you using an encrypted VPN for this?

2) Is the data that is kept on the machines encrypted? I.e. if these machines were to be stolen, would the data be secure (relatively speaking, depending upon strength of the encryption key & algorithm) or exposed to the thief?

data at rest is supposed to be encrypted yes, but only if not in a secure facility (i.e. laptops, desktops etc.); if it's on servers that are locked in a secure area that is monitored it's not required to be encrypted, just protected...

 

data in motion is supposed to be encrypted all the time (i.e. VPN traffic, LAN traffic, P2P traffic, etc.)

Data at rest isn't always protected however. There are plenty of reports out there of healthcare organization laptops being stolen that contain patient data. As long as the org notifies those affected by the breach appropriately, there usually isn't much recourse (I imagine, or it wouldn't keep happening). One org was caught recently with patient data in Google Docs...

It almost seems irrelevant though if you think about the fact that some freeware EHR vendors sell "deidentified" patient data to other companies (usually pharma). It's been said that it doesn't take much to match that data to the people it belongs to.


well, like I said, it's supposed to be encrypted, doesn't mean it always is