HIPAA's implications for privacy and security practices in American businesses, addressed in March of 2001 at the Employers' Summit on Health Care, by Stephen Cobb, CISSP. Uploaded in 2014 for the historical record.
HIPAA, Privacy, Security, and Good Business
1. Stephen Cobb, Rainbow Technologies, 1 of 18
HIPAA, Privacy, Security,
& Good Business
Stephen Cobb, CISSP
Dir. Research & Education
Rainbow Technologies, Spectria Division
Employers' Summit on Health Care
March 21 - 22, 2001
HIPAA, Privacy, Security, & Business
• HIPAA is about privacy, but not just privacy.
• HIPAA is also about systems and security.
• Privacy is not the same as security, but
• Without security, you can’t deliver privacy.
• HIPAA is not the only privacy legislation.
• HIPAA is not the only security legislation.
• Privacy is not the only reason for security.
• Businesses that “get” privacy and security today will
do better than those that don’t.
HIPAA is about privacy
• 164.502 Uses and disclosures of protected health
information: general rules.
– (a) Standard. A covered entity may not use or disclose
protected health information, except as permitted or
required by this subpart or by subpart C of part 160 of
this subchapter.
• 164.530 Administrative requirements.
– (c)(1) Standard: safeguards. A covered entity must have
in place appropriate administrative, technical, and
physical safeguards to protect the privacy of protected
health information.
HIPAA is not just about privacy
• Paraphrase: “appropriate safeguards to protect the
privacy of health information.”
• That is, to ensure privacy you need security.
• But the Privacy Rule (Parts 160 and 164) is not specific about security:
– 164.530(c)(2) Implementation specification: safeguards.
– A covered entity must reasonably safeguard protected
health information from any intentional or
unintentional use or disclosure that is in violation of the
standards, implementation specifications or other
requirements of this subpart.
HIPAA may become more specific
• HIPAA 142 describes “a set of requirements with
implementation features that providers, plans, and
clearinghouses must include in their operations to
assure that electronic health information
pertaining to an individual remains secure.”
• “we are designating a new, comprehensive
standard...which defines the security requirements
to be fulfilled to preserve health information
confidentiality and privacy as defined in the law.”
– 45 CFR Part 142, Security & Electronic Signature
Standards, Federal Register, Vol. 63, No. 155, 8/12/98
If 142 follows 160, then HIPAA will:
• require each health care entity engaged in
electronic maintenance or transmission of health
information
• to assess potential risks and vulnerabilities to the
individual health data in its possession in
electronic form,
• and develop, implement, and maintain appropriate
security measures.
• 142 stresses that these measures must be
documented and kept current.
We can call this the writing on the wall.
• We are looking at a Federally mandated standard
for security practices within companies involved
in healthcare or handling health-related
information.
• Note that these are considered:
– practices necessary to conduct business electronically
in the health care industry today.
• In other words, normal business costs,
– things you should be doing today, possibly pre-empting
arguments over the cost of such standards.
Security practices in the proposed standard
are divided into two categories
• Organizational Practices
– Security and confidentiality policies
– Information security officers
– Education and training programs, and
– Sanctions
• Technical Practices and Procedures
– Individual authentication of users
– Access controls
– Audit trails
– Physical security
– Disaster recovery
– Protection of remote access points
– Protection of external electronic communications
– Software discipline, and
– System assessment.
Use these as a checklist for comparison with your
current security practices.
We can see that HIPAA is also about
systems & security
• As we get to grips with 164.530(c)(1)
– “appropriate administrative, technical, and
physical safeguards to protect the privacy of
protected health information.”
• We have to anticipate what 142 will
consider appropriate, and plan accordingly.
But privacy is not the same as security
• Privacy is a value, and, to differing degrees, in
different cultures, a right.
• Security is a discipline, a methodology and a
technology.
• Security is neutral
– it can serve privacy or hinder it.
– e.g. security technology such as biometrics, which can
prevent unauthorized persons from accessing data, can
also be used to track people without their consent, often
considered an invasion of privacy.
But without security, you can’t deliver
privacy
• You need to make sure the vital ingredients
of security are in place:
– Policies, procedures, classification, officers,
training, awareness, sanctions.
– Strong, granular authentication, access controls,
intrusion detection.
– Software methodology, discipline, testing,
penetration testing.
HIPAA not the only privacy legislation
• Right to Financial Privacy Act
• Children's Online Privacy Protection Act
• Bank Secrecy Act
• Fair Credit Reporting Act
• Identity Theft and Assumption Deterrence
Act of 1998
• Fair Debt Collection Practices Act
• Financial Institution Data Match
• Title V, Gramm-Leach-Bliley Act
G-L-B affects a wide range of companies
• Joint Final Rule of OCC, FRB, FDIC, OTS Privacy of
Consumer Financial Information.
• Requires a financial institution to provide notice to
customers about its privacy policies and practices;
• Describes the conditions under which a financial
institution may disclose nonpublic personal information
about consumers to nonaffiliated third parties; and
• Provides a method for consumers to prevent a financial
institution from disclosing that information to most
nonaffiliated third parties by “opting out” of that
disclosure.
HIPAA not the only security legislation
• Under Title V of G-L-B, the interagency safeguarding
guidelines (OCC, FRB, FDIC, OTS):
• require that each bank implement a comprehensive written
information security program that includes administrative,
technical and physical safeguards for customer records and
information appropriate to the size and complexity of the
bank and the nature and scope of its activities;
• require the bank's board of directors, or an appropriate
committee of the board, to approve and oversee the
development, implementation and maintenance of the
bank's information security program; and
• require banks to exercise appropriate due diligence in
selecting and monitoring service providers, and that
service providers implement appropriate security measures
to meet the objectives of the guidelines.
Privacy not the only reason for security
• If you do security right, you also get
protection from:
– Malicious hackers, disgruntled employees.
– Malicious code, viruses, Trojan Horses.
– Industrial and government espionage.
– Stupid user errors and omissions.
– Allegations of negligence and shareholder
lawsuits if something does go wrong.
Businesses that “get” privacy & security
today will do better than those that don’t
• Privacy is about respect for individuals,
many of whom are your customers.
• Security is about the quality of your
company in the age of information.
• Tomorrow’s top companies will be those
that figure out today, how to respect privacy
and protect information systems while
efficiently marketing and delivering goods
and services.
And this is not just my opinion
• Companies must take a whole-view approach to
privacy
– To survive mounting consumer anxiety and the
growing labyrinth of US and foreign regulation, firms
need to institutionalize their commitment to protecting
and managing their customers’ privacy by taking a
comprehensive, whole-view approach to privacy.
– Anyone today who thinks the privacy issue has peaked
is greatly mistaken. As with environmentalism [in the
60s] we are in the early stages of a sweeping change in
attitudes that will fuel years of political battles and put
once-routine business practices under the microscope.
• Forrester Report, February 2001