
HIPAA Compliance with NetVision Security Administration Framework™

An Executive White Paper

April 2005

EXECUTIVE SUMMARY

HIPAA Defined
HIPAA is U.S. Public Law 104-191 – the Health Insurance Portability and Accountability
Act of 1996. Congress created the Act to improve health care enabled by the nation's four
million-plus health plans and 1.2 million-plus providers. A series of rules is being
developed and issued by the Department of Health and Human Services ("the
Department"), mandating standards-based implementations of HIPAA by all health care
organizations that create, store or transmit health care data electronically. Alongside the
Department-specified deadlines come various civil penalties, including fines and/or
imprisonment, for noncompliance.

Digital Security Focus


This paper focuses on the Department's new final rule for HIPAA digital security
requirements, including periodic audits, often called vulnerability assessment (VA). Security
rules are to assure people that the confidentiality and privacy of health care information
electronically collected, maintained, used, or transmitted is secure - especially when health
information can be directly linked to an individual.

The Department states, "[I]t is important to recognize that security is not a onetime project,
but rather an on-going, dynamic process." The Department therefore requires security-
related processes, many of which are often better implemented with technology. HIPAA
regulations do not mandate particular security technologies. Instead, they specify a set of
principles for guiding technology choices - principles that are nearly identical to those
underpinning the NetVision Security Administration Framework™ system.

HIPAA Security Regulations Cast Wide Impact on Health Care Industry


Congress enacted the Health Insurance Portability and Accountability Act as a broad effort
to incrementally improve health care. The Act details five major legislative areas. Our focus
in this paper is digital security, covered by Title II (Preventing Health Care Fraud and
Abuse), Subtitle F (Administrative Simplification), Section 262, Subsection 1173d (Security
Standards for Health Information). The Department addressed security standards for
subsection 1173d in three categories (see chart).

HIPAA Security in Perspective


See flow chart of HIPAA statutes--an overview of security standards in the overall HIPAA
regulation:
http://dchealth.dc.gov/hipaa/publiclaw104.shtm

Source: Washington, DC Dept. of Health

Categories of Final HIPAA Security Standards (Department of Health & Human Services)

Technical Safeguards: processes and technology for guarding against unauthorized access to
data over communications networks.
Physical Safeguards: processes for protecting data from fire and other natural/environmental
hazards, and from intrusion.
Administrative Safeguards: the foundation for all HIPAA security safeguards, including
documented, formal practices for evaluating security and protecting data.

Through HIPAA, Congress directed the Department of Health & Human Services to draft
rules for complying with the Act. Proposed rules are published for user and industry
comment. The Department then addresses and incorporates comments in its final rules.
The final rule for HIPAA security was published on 20 Feb. 2003 in the Federal Register
as 45 CFR Parts 160, 162 and 164.

While the Privacy component of HIPAA was enforced on April 14, 2003, the security rule
mandates compliance by April 20, 2005.

The section entitled General Rules of the Final Rule on security compliance, issued
February 21, 2003, reads as follows:

Sec. 164.306 Security Standards

a. General requirements. Covered entities must do the following:
i. Ensure the confidentiality, integrity, and availability of all electronic protected health
information the covered entity creates, receives, maintains, or transmits.
ii. Protect against any reasonably anticipated threats or hazards to the security or
integrity of such information.

Sec. 164.308 Administrative Safeguards


A covered entity must, in accordance with [164.306]:
[…] Implement procedures to regularly review records of information system activity, such as audit
logs, access reports, and security incident tracking reports.

This guide addresses applicable Administrative Safeguards specific to the network
infrastructure of covered entities. For an IT organization managing a Novell or Microsoft
infrastructure, the implications of HIPAA are evident: the network is the backbone of
every organization – it is the medium through which its data is accessed. Therefore,
controlling how the network affects internal policies is the best and only way to avoid
compliance violations.

Who Must Comply with HIPAA Security Regulations?


Any health care provider, health plan, hospital, health insurer, and health care
clearinghouse that electronically maintains or transmits any electronic protected health
information must comply with HIPAA Title II, Subtitle F, Section 262 security provisions.
According to the Department, the Act "draws no distinction between internal and external
data movement."

Penalties
• General Penalty. Section 1176 of the Act establishes a civil monetary penalty for non-
compliance. The Act limits penalties to $100 per person per violation with a maximum of
$25,000 per person for violations of a single standard for a calendar year.
• Wrongful Disclosure. Section 1777 establishes three penalties for "a knowing misuse of
unique health identifiers and individually identifiable health information: (1) A fine of not
more than $50,000 and/or imprisonment of not more than 1 year; (2) if misuse is under 'false
pretenses,' a fine of not more than $100,000 and/or imprisonment of not more than 5 years;
and (3) if misuse is with intent to sell, transfer, or use individually identifiable health
information for commercial advantage, personal gain, or malicious harm, a fine of not more
than $250,000 and/or imprisonment of not more than 10 years."

HIPAA Compliance Deadlines


Section 1175 of the Act requires health plans – and "each person to whom a standard or
implementation specification applies" – to comply with the standard within 24 months (or 36
months for small health plans) of its adoption under "final rules." The next chart shows
status and compliance deadlines for HIPAA statutes as of April 2005.

Regulation                                        Status                            Deadline
Electronic health care transactions & code sets   Final rule issued Aug. 2000       16 Oct. 2002
Health information privacy                        Final rule issued Dec. 2000       14 Apr. 2003
Unique identifier for employers                   Final rule issued May 31, 2002    30 Jul. 2004
Security requirements                             Final rule issued Feb. 13, 2003   21 Apr. 2005 (except small health plans)
Unique identifier for providers                   Proposed rule issued May 1998     Pending; final rule in development
Employer identifier standard                      Final rule issued May 31, 2002    August 1, 2005 (small health plans)
Security requirements                             Final rule issued Feb. 13, 2003   21 Apr. 2006 (small health plans)
National Provider Identifier                      Final rule issued                 May 23, 2007 (all covered entities except small health plans)
National Provider Identifier                      Final rule issued                 May 23, 2008 (small health plans)
Source: U.S. Dept. of Health & Human Services

Read Full Text of HIPAA Final Rule For Security Standards


U.S. Department of Health and Human Services 45 CFR parts 160, 162, and 164
Federal Register, 20 Feb. 2003
http://a257.g.akamaitech.net/7/257/2422/14mar20010800/edocket.access.gpo.gov/2003/03-3877.htm
NetVision Solutions—Instant Compliance with Key Security Rules
The final rule requires all entities subject to HIPAA compliance "to periodically conduct an
evaluation of their security safeguards to demonstrate and document their compliance
with the entity's security policy and the requirements of this subpart." In terms of
evaluation frequency the Department said, "Covered entities must assess the need for a
new evaluation based on changes to their security environment since their last evaluation,
for example, new technology adopted or responses to newly recognized risks to the
security of their information." As noted above, the Department also states, "[I]t is
important to recognize that security is not a product, but is an on-going, dynamic process."
NetVision automates and fulfills many key process-oriented Administrative Safeguards,
detailed below.
In the final rule, implementation specifications are designated as "required" or
"addressable." In the latter case, entities may document reasonable exceptions for their
non-compliance. With the exception of addressable Security Awareness and Training
provisions, all entities must comply with all 13 of the Administrative Safeguards specified.

Secure Audit Trails


Of the 13 required implementation specifications, two of the specifications can be satisfied
through the use of system audit trails:

• Section 164.308 (a) (1) (ii) (D) in the Security Rule requires an Information
System Activity review to be a part of a security management process in order
to detect security incidents. A security incident is defined in section 164.304 in
the Security Rule as the attempted or successful unauthorized access, use,
disclosure, modification, or destruction of information or interference with system
operations in an information system. The covered entity is expected to regularly
review records of information system activity, such as audit logs, access reports,
and security incident tracking reports.
• Section 164.312 (b) in the Security Rule requires implementing hardware,
software, and/or procedural mechanisms that record and examine activity in
information systems that contain or use electronic protected health information.

The inclusion of these two mandatory implementation specifications is consistent with
direction Congress provided the HHS Department, as stated within Subtitle F,
“Administrative Simplification” section 1173(d) in HIPAA:

“…(d) SECURITY STANDARDS FOR HEALTH INFORMATION… The Secretary shall adopt
security standards that (A) take into account … (iv) the value of audit trails in computerized
record systems…”

It should also be noted that the retention period for records that can demonstrate
compliance with the Security Standards is stated to be 6 years. When audit trails are used
to meet the standards, archived audit trails must be retained for 6 years.

Filtered Audit Data Requirement


The 13 mandatory implementation specifications, which the HHS Department specified,
were influenced by (1) the expertise of Federal security experts; (2) generally accepted
industry practices; and (3) a recommendation from the Committee on Maintaining Privacy and
Security in the Health Care Application of the National Information Infrastructure, National
Research Council (NRC). Specifically, the NRC acknowledged the need to produce usable
audit trails by employing effective tools, as indicated in recommendation 5.2 under the
subheading Audit Tools:
“Audit trails are useful as a deterrent to improper access only if there is some possibility that
an improper access will be recognized as such. However, the collection of audit trails
routinely generates enormous amounts of data that must then be analyzed. Automated
tools to analyze audit trail data would enable much more frequent examination of accesses
and thus serve a more effective deterrent role. For example, intelligent screening agents
could be developed that would sort through audit trail data and flag some records for more
thorough analysis.”

NetVision Secure Audit Trail Technology and Filtering


NetVision’s auditing technology not only automates the routine collection of security data,
but also performs real-time monitoring and automated remediation and alerting for any
suspicious directory, data and server activity. The solution monitors and audits: who
instigated the activity, what the actions were, when the actions occurred, and where the
actions took place. NetVision employs intelligent screening agents to streamline security
analysis by reporting only pertinent security data, filtering out excess or irrelevant data.
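As an added illustration (not NetVision's code, nor anything from the HHS rule) of the screening-agent idea in the NRC recommendation and of the who/what/when/where filtering described above, the Python below flags candidate security incidents, in the sense of section 164.304, in a constructed audit trail and computes the 6-year retention deadline for an archived trail. The record fields, the role policy and every sample record are assumptions made for the example.

```python
"""Screening filter for OS/directory audit records: who/what/when/where fields,
candidate incidents per 45 CFR 164.304, 6-year retention. All data constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class AuditRecord:
    who: str        # account that instigated the activity
    role: str       # role that account holds in the enterprise directory
    what: str       # action: login, read, modify, delete, export
    where: str      # resource touched (host:path or directory object)
    when: datetime
    outcome: str    # "success" or "denied"
    phi: bool       # resource holds electronic protected health information

# Assumed access policy: actions each role may perform on ePHI resources.
PHI_POLICY = {
    "clinician": {"read", "modify"},
    "billing": {"read"},
    "sysadmin": set(),  # admins manage servers, not patient records
}

def incident_reason(rec):
    """Why a record is a candidate 164.304 security incident, or None."""
    if rec.what == "login" and rec.outcome == "denied":
        return "failed authentication"
    if not rec.phi:
        return None  # routine non-PHI activity is filtered out of the review
    if rec.outcome == "denied":
        return "attempted unauthorized access to ePHI"
    if rec.what not in PHI_POLICY.get(rec.role, set()):
        return f"{rec.role} is not permitted to {rec.what} ePHI"
    return None

def screen(records):
    """Screening step: keep only the records that need human review."""
    return [(r, why) for r in records if (why := incident_reason(r))]

def retention_deadline(archived_on):
    """Archived trails are kept 6 years; a 29 Feb date rolls back to 28 Feb."""
    try:
        return archived_on.replace(year=archived_on.year + 6)
    except ValueError:
        return archived_on.replace(year=archived_on.year + 6, day=28)

T = datetime(2005, 4, 1, 9, 0)  # constructed sample trail, one morning
SAMPLE = [
    AuditRecord("drjones", "clinician", "read", "ehr01:/patients/1042", T, "success", True),
    AuditRecord("drjones", "clinician", "delete", "ehr01:/patients/1042", T + timedelta(minutes=5), "denied", True),
    AuditRecord("badmin", "sysadmin", "export", "ehr01:/patients", T + timedelta(hours=1), "success", True),
    AuditRecord("badmin", "sysadmin", "modify", "ehr01:/etc/policy", T + timedelta(hours=2), "success", False),
    AuditRecord("intern7", "billing", "login", "ehr01", T + timedelta(hours=3), "denied", False),
]
for rec, why in screen(SAMPLE):
    print(f"{rec.when:%H:%M} {rec.who}@{rec.where} {rec.what}: {why}")
```

Of the five sample records, the screening step keeps three (the denied delete, the administrator's export of patient data, and the failed login) and drops the two that match policy.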
NetVision’s security offering also provides a wide variety of reporting methods to ensure
that security information remains secure. Audit data can be encrypted and sent to an
ODBC database that can only be accessed by authorized security officers. Audit logs can
be sent to and stored on any LDIF-capable directory, which allows original directory object
settings to be restored if an attack happens to cause damage to the directory. These
automated systems ensure that security data will be preserved and protected so
organizations will have an accurate security audit trail of activity on their enterprise
whenever needed and in a format that facilitates exact analysis.

Auditing at the Operating System (OS) and Directory Level


While the HHS Department does not specify exactly what system activities are to be
audited, the implication is that the level of auditing should be sufficient so unauthorized
access to electronic protected health care information can be recognized and acted upon.
Covered entities will need to consider various ways in which information can be
compromised in determining the most effective auditing policy. Opportunities may exist to
record activity from a number of vantage points including first and foremost the operating
system and enterprise directory perspective (using available system level auditing
capabilities).

NetVision’s OS and Directory level security solution


NetVision operates at the system level providing a combination of real-time and query-
based auditing of directories, OSs, and file systems. This directory-enabled intrusion and
access management approach combats security attacks that try to misappropriate access
rights and privileges maintained in enterprise directories. Organizations should also
consider auditing from multiple additional levels, including: the network communications
level (monitoring network traffic), the health information applications level (logging
applications transactions), and the database management level (logging database access).
However, network or host level monitoring which is not aware of user identities and
permissions is not granular enough to impose enterprise-wide policies over resources.

Policy-Based Solution Requirement


HIPAA requirements direct covered entities to assume a comprehensive life-cycle
approach to security management. Realizing as noted earlier that security is not a product,
nor a one-time project, but is an on-going dynamic process, organizations should seek
solutions for automating and controlling the quality of those processes. Much of what is
contained in the 13 required standards is focused on policy, procedure and process.
Examples include:

• Security Management Process (Risk analysis, Risk Management, Sanction Policy,
Information systems activity review)
• Assign Security Responsibility
• Workforce security policies and procedures
• Information Access Management
• Security Awareness and Training
• Contingency Plan
• Evaluation

NetVision’s Security Administration Framework™


NetVision goes beyond typical vendors who deliver either a product or a project for
achieving HIPAA compliance. NetVision delivers a “security life-cycle management”
solution complying with both the underlying intent as well as the specified standards of
HIPAA. Because the system is based on policy from beginning to end, covered entities can
automate and integrate the processes of developing and enforcing enterprise security
controls. The components address both the technology systems and the human elements
of security management:

• Security Policy development and guidance based on industry best practices
research and standards, arranged by computing platform
• Automated deployment of security policies combined with user awareness
and training and documentation
• Consistent authentication and access control through management of user
identities across the enterprise
• Vulnerability management through security assessment scans and notification
of critical, known and discovered vulnerabilities
• Real-time user “behavior management” by monitoring for intrusions, improper
access and security policy violations
• Automated policy enforcement to detect, intercept and stop violations and
attacks before they can do any damage
Summary
While regulatory compliance may drive organizations to implement security practices, the
opportunities for improvement and savings are also significant. Organizations that merely
seek to achieve HIPAA compliance will miss other, additional opportunities – to streamline
their business, eliminate manual processes, save money, and achieve a competitive
advantage.

NetVision solutions can help you establish the security programs and policies you need to
meet HIPAA requirements. The NetVision Security Administration Framework™ system
offers healthcare companies unique IT security solutions in the areas of security
management, automation, and lowered cost of ownership. With their unique capabilities of
policy management, auditing and change management, vulnerability management and
user identity and access management, NetVision solutions are already at work today in
over 600 organizations throughout the world including some of the leading companies in
the healthcare industry.

See the “NetVision HIPAA Regulations Matrix” for a full overview of the Final
Security Standards and Implementation Specifications, and NetVision’s solutions for
each:
ftp://204.202.2.187/netvision/whitepaper/NetVisionHIPAAregulationsMatrix.pdf

Customer Success Stories


Read what healthcare customers like UC Davis Health System, Asante Health
System, Culpeper Regional Hospital, University of Utah Hospital and Clinics, and
Southeastern Ohio Regional Medical Center have to say about NetVision’s HIPAA and
healthcare solutions: http://www.netvision.com/new/userstories.html

Read more about NetVision products and solutions at www.netvision.com

NetVision Inc. 1500 N Technology Way, Bldg D, Suite 3300, Orem, Utah 84097
© 2005 NetVision Inc. All rights reserved. U.S. Patent No. 5,721,825 protects NetVision’s Global Event Services. GES is a registered
trademark and Global Event Services, NVPolicy Resource Center, NVMonitor, NVAssess, NVIdentity, and Integrated Security Policy
Management are trademarks of NetVision, Inc. All other products not listed are the property of their respective owners.
