A 360 Degree Approach to HIPAA Compliance
An effective approach to meeting HIPAA security compliance requirements begins with a security management solution – one that enables real-time monitoring, compliance reporting and control management. Technology alone however, is not the answer. The best route to compliance is a 360 degree approach that integrates existing people, processes, and policies with technology. The foundation of a compliance solution for all healthcare organizations is an enterprise-class Security Information Management (SIM) solution.
Seven Critical HIPAA Initiatives
Define a policy-driven security management program that can be incorporated early on into business processes – Identify the people and technology controls needed to satisfy an organization’s security mission and ensure HIPAA compliance. Also, ensure that security initiatives are integrated into business processes at their onset, rather than after the fact.
2. Security Controls
Validate security controls – Provide for the monitoring and reporting of controls on human actions and decisions, process controls, and information technology controls.
3. Risk Management
Implement a risk management approach to information security – Comprise active monitoring of risk as defined and measured by key control indicators (KCIs) and key risk indicators (KRIs), correlating the relative value of information assets, the threats to the confidentiality, integrity, and availability of the assets, and the vulnerability of the systems and architecture that store and carry the assets.
4. Due Diligence
Demonstrate due diligence in the application of internal controls – Create a link between the security infrastructure and policy by capturing all security events from all network hosts, devices, and assets in an auditable database.
5. Incident Management
Develop and implement an effective security-incident management process – Demonstrate that the proper steps were taken to correct systems and adjust policy if a non-compliant situation is identified.
Enable reporting that can help demonstrate compliance – Demonstrate the ongoing security of compliance-related assets over a period of time, recreating the organization’s security posture if needed to obtain HIPAA certification, and enabling security performance management against metrics that can be leveraged for corporate governance initiatives.
7. Preserving Data
Establish capabilities for archiving and preserving data – Preserve near-term and long-term data in its purest form for forensics and evidentiary presentation. By leveraging SIM to implement effective, comprehensive policies and procedures for establishing accountability and consistent reporting practices, healthcare organizations can successfully meet HIPAA regulatory compliance directives.
Example: Security Information Management and HIPAA Compliance
Wheaton Franciscan Healthcare a nonprofit healthcare organization based in Wheaton, Illinois needed to enhance their visibility into network security and improve reporting capabilities to enable HIPAA compliance. The organization size created enormous challenges.
With 17 hospitals and more than 70 clinics in Colorado, Illinois, Iowa, and Wisconsin, the initiative involved nearly100 security devices, including firewalls, intrusion protection systems, virtual private network concentrators, and authentication services..The organization manually reviewed many of its security devices, though some were unmanageable due to the enormous volume of event log data. Wheaton turned to a leading Security Information Management solution to bring its security initiatives under control.
Wheaton was able to reduce its monitoring workload and minimize downtime by leveraging this solution to react more quickly to threats. With improved visibility into the network and the ability to assess its risk posture at any given point in time, Wheaton raised security and reporting to the level required for HIPAA compliance.