Compliance Management: SMP’s HIPAA Solution
The basic purpose of the HIPAA Security Rule is to protect the confidentiality, integrity, and availability of electronic protected health information (EPHI) when it is received, created, maintained, or transmitted. Covered entities (CEs) must maintain reasonable and appropriate administrative, physical, and technical safeguards to protect against any reasonably anticipated threats or hazards to the security or integrity of EPHI.
EPHI Infrastructure Assessment – SMP develops an understanding of an organization’s existing security posture and its security culture through interviews, review of documentation, and first-hand observation. Examples of categories covered in this phase include:
§ Administrative Safeguards – A review of the controls and current work processes and flows. Does the organization have defined risk analysis, risk management, and sanction policies in place?
§ Physical Safeguards – An assessment of the environment and the level of physical security currently in place. This covers not only electronic systems but paper records as well.
§ Technical Safeguards – All aspects of the technical infrastructure are addressed, including access methods, authentication, and authorization. We concentrate on how policy-driven features have actually been implemented: for example, what technique each system uses to protect stored passwords (hashing, encryption, or none at all), and whether tools are in place that electronically enforce the password policy rather than leaving it to users.
§ Security Policies and Procedures – Security policies represent a statement of information values, protection responsibilities, and organizational commitment for a system. Controls and procedures can be developed both for compliance with and for enforcement of these policies. Our review evaluates existing security policies and processes to determine whether the organization has the correct number and type of policies in place, whether the procedures are adequately detailed, how they are implemented, and how compliant the organization is with its own policies and procedures.
Vulnerability Assessments – This next step includes actual testing of systems and can be customized to meet the specific requirements of the organization. It covers a range of practices, from simple discovery to in-depth penetration testing. Vulnerability Assessments generally include targeted testing of components of both the external and internal networks, and typically consist of the following actions: research, reconnaissance, exploitation, and documentation. The Security Rule states that CEs must maintain reasonable and appropriate administrative, physical, and technical safeguards to protect against any reasonably anticipated threats or hazards to the security or integrity of EPHI. Vulnerability Assessments answer how well the existing safeguards meet this requirement and validate an organization’s efforts to achieve this goal. They can include vulnerability and penetration testing over the Internet, modem, PBX, and wireless, as well as an in-depth review of internal systems and applications.
Documentation, Analysis and Results – At the conclusion of our assessments, SMP produces a detailed report that reviews the current state of security, identifies areas and locations of risk, explains their potential impact, and provides specific recommendations for remediation. It presents a summary of findings by rule element and comments on the infrastructure, controls, and safeguards. It validates that specific security measures, such as integrity controls and encryption, are in place. The report provides a baseline of the existing security posture and identifies gaps with specific reference to the HIPAA regulations. SMP offers detailed instructions on how to rectify the vulnerabilities and assigns a severity level to each finding to assist with risk management. SMP recommends remediation solutions to meet HIPAA guidelines and essential practices.
Our report is the foundation on which reasonable solutions to security concerns can be realized; it helps prioritize your efforts and serves as a benchmark for measuring progress. SMP makes judgments of reasonableness based on the language of the final HIPAA Security standards. Our recommendations are also sensitive to an organization’s business and economic concerns.
Security Management Partners, p. 781.890.7671, sales@smpone.com
Copyright © 2008 Security Management Partners. Tresware Content Management System Copyright © 2008 Tresware.