Smart Card Systems is a leading integrator and consultant of premier security products.
HIPAA ASSESSMENT

I. INTRODUCTION
II. HIPAA BACKGROUND
III. SCOPE OF WORK
IV. DATA COLLECTION
V. DELIVERABLES
VI. HIPAA REMEDIATION OPTIONS
QUESTIONNAIRE

EXPERIENCE

Flow Chart

Appendix A - HealthSecure Methodology

Proposal - To Conduct an Assessment and Determine Recommendations for Complying with HIPAA


I. INTRODUCTION
This proposal provides for consulting services and software to support Said Name Company's work to comply with the legislation developed as part of HR 3103, the Health Insurance Portability and Accountability Act of 1996 (HIPAA). This assistance is to be provided by a team of qualified consultants from Securesoft Systems, Inc. (SSI), who will specifically address the Administrative Simplification Legislation components of HIPAA as they relate to Security and Privacy. The objectives are to provide a detailed assessment of the current environment, identify the gaps between the current state and the HIPAA Security and Privacy standards and to provide recommendations. These recommendations will position Yuma Regional Medical Center to achieve HIPAA compliance within the required federal timeframes and to meet YRMC strategic objectives as well.

II. HIPAA BACKGROUND
Healthcare organizations are required to satisfy H.R. 3103, the Health Insurance Portability and Accountability Act of 1996 (HIPAA). All health plans, healthcare providers and clearinghouses must comply, and because of business partner relationships other healthcare businesses must comply as well. Each organization must identify all areas of non-compliance and take corrective action in each of them to achieve compliance; the legislation makes compliance mandatory. The timeframe for compliance is short, and it is recommended that YRMC begin aggressively addressing these HIPAA requirements within the timeframes identified in the regulations.

III. SCOPE OF WORK
Securesoft Systems, Inc. has developed a solution that addresses the HIPAA requirements. A team of program and technical consultants with exceptional credentials and a unique software suite will assess and identify gaps in the organization's infrastructure and compliance measures.

This effort will satisfy the following objectives:

  • Document Current State: Develop an assessment of the current state of the organization's HIPAA readiness through a review of policy documentation, an assessment of operational functions and targeted interviews.
  • Determine Compliance Gaps and YRMC Vulnerabilities and Develop a Compliance Strategy: A Gap Analysis will be developed and recommendations will be submitted on how impacted areas can become compliant, including a report, a project plan and specific remediation initiatives to be undertaken.
  • Employ Immunity Software Solution: Immunity enables management of the information produced by the assessment activities to meet HIPAA compliance. Recommendations derived from the assessment can be inserted into the Remediation Manager plug-in, which can be added as part of the Immunity Security and Privacy Management Suite. The Remediation Manager is the platform through which protection measures are implemented in software. Using the Immunity solution, the organization retains the ability to manage this information beyond the initial assessment and to continue conducting self-assessments for ongoing security and privacy compliance. YRMC Program Management team members will be trained to use these tools to manage the information and to track additional information collected. A description of the Immunity software suite is included in this proposal.

To accomplish these objectives, two options are provided: 1) assessments will be conducted by SSI, or 2) a team of qualified consultants will partner with a core team of YRMC analysts. This collaborative approach will facilitate knowledge transfer and will work to reduce cost to YRMC by preparing management and staff with the information and training needed to actively participate in the YRMC Privacy and Security Program.

The teams will conduct interviews with key YRMC staff and evaluate functions and safeguards in order to gain a thorough understanding of the current practices concerning information privacy and data security.


IV. DATA COLLECTION
The successful completion of each objective outlined in this document will require the assistance of YRMC personnel and access to the following types of information:

  • Organizational charts
  • Contact personnel for each entity within YRMC
  • Interviews with staff, operational and senior level personnel
  • Copies of all known published and draft policies and procedures
  • Inventory of all known information systems used within the organization
  • Inventory of all enterprise assets
  • Inventory of all known commercial software used on all computers (desktop, mid-range and mainframe)
  • Inventory of all known partnerships with YRMC
  • Topology of the network(s)
  • Description of existing security software

V. DELIVERABLES

Deliverable 1: Current State Report on Privacy and Security
A report describing the current state of the organization's HIPAA readiness will be developed from a review of policy documentation, an assessment of operational functions and targeted interviews. This report will outline YRMC's current business practices by HIPAA regulation.


Deliverable 2: Gap Analysis and Recommendations
A Gap Analysis and Recommendations report will be created in order to assist YRMC to gain an understanding of current and future initiatives. This report will include a review of business and technical processes and systems, and interviews with key personnel. Gaps will be identified according to the required HIPAA standards. YRMC management will be assisted in developing solution recommendations that meet these requirements.

The recommendations will identify the corrective actions (remediation) required to comply with the HIPAA requirements while at the same time establishing sound business practices, making systems secure, and providing a framework that will help maintain secure systems and privacy compliance in the future.

Gaps and Recommendations will be recorded in the Immunity software solution, and assistance will be provided to support YRMC in achieving compliance with HIPAA security and privacy guidelines for the protection of its medical information and healthcare systems. The report will include:

  • Summary of Findings and Relation to HIPAA Regulations
  • Status of Policies and Procedures for Privacy and Security
  • Physical and Information Security Surveys
  • Network and System Vulnerability Evaluation
  • Measures to protect patient health information


Deliverable 3: Compliance Project Plan and Cost Estimate

An overall project plan identifying individual solutions and timelines will be prepared and recorded in the Remediation Manager. This remediation plan identifies the recommended solutions and major tasks for each project with associated costs. These recommendations will be clearly communicated to YRMC through minimal and optimal solutions.

VI. HIPAA REMEDIATION OPTIONS
The following deliverables are provided as options and may be implemented by contract modification. The associated costs would be determined based on the assessment results.

Deliverable 4: (Optional) Implementation of Remediation Project Plan
The following are the proposed Implementation recommendations. These may need to be revised based upon the results of the HIPAA Assessment. These solutions match the requirements established by specific rule sets within the HIPAA regulations for protection strategies.

Requirement / Recommended Solution Description:

  • Access Control Application:
    • Biometric access control: fingerprint-based single sign-on, integrated through the Immunity software tool. Eliminates passwords.
  • Secure E-Mail:
    • Install entity authentication software and secure e-mail, including non-repudiation as appropriate for executive and sensitive computers, entity authentication and audit. This application also ensures that Transaction Code and Privacy data are secured in any related transmissions.
  • Develop Privacy and Security Policies documentation:
    • Establish authorizations, responsibilities, applicability, scope, program goals and objectives, compliance and readiness references, legal implications (status and fixes), and HIPAA and state requirements for Assessment, Gap Analysis, Remediation and upgrades.
  • Prepare Privacy Procedural documents:
    • Procedures to include Patient Rights, Authorizations to Release, Content Controls, Consent Form and Release Procedures, Patient Health Information De-identification, etc.

Deliverable 5: (Optional) Training
This deliverable is provided as an option that may be implemented by contract modification to be determined following the assessment. These courses provide executive level information sessions, management and staff education, and IT technical training to assist organizations in their pursuit of HIPAA compliance. Educational Services provide the following:

  • Training the client's management and staff to help solicit executive support of the initiative.
  • Helping organizational departments to understand the work efforts involved within HIPAA endeavors, and
  • Providing those responsible for implementation tasks with the tools necessary to effectively manage the process of moving their organization toward compliance.

A HIPAA Training Program offers a wide range of training that can be easily customized to meet the specific needs of YRMC. The HIPAA Training Courses include the following:

:: HIPAA: Awareness and Action
:: Learning the Ropes: Privacy & Security Requirements
:: Defining HIPAA's Impact on the Organization
:: Security and Privacy Policies and Procedures
:: Monitoring HIPAA Compliance for the Long Haul
:: Tackling HIPAA Remediation


Deliverable 6: (Optional) EDI/TCI Assessment
This deliverable will provide YRMC a Current State Assessment and Gap Analysis in relation to EDI Transaction Code Sets in accordance with the mandated HIPAA regulations.

Appendix A - HealthSecure Methodology


This SSI HealthSecure methodology represents a phased, iterative approach to applying HIPAA information security practices and standards. Based on the dynamic nature of the security issues and the pace at which technology innovates, SSI's HealthSecure lifecycle remains a "work in progress" that delivers a scalable, distributed management service. This service, comprised of the Immunity software and the HealthSecure methodology, represents a cost-effective dependable solution to achieve integrity of system security and accelerated compliance with federal requirements.

The HealthSecure methodology keeps security policies and objectives aligned with the organization's business strategies and performance goals, supports compliance with federal requirements, and at the same time installs a program that provides continuity while making systems secure.

The HealthSecure methodology is intended for anyone who has to manage security, an area in which demand for the kind of IT security offered by HealthSecure has grown rapidly.

While many security firms offer point solutions and tactical advice, HealthSecure offers consulting methodologies with a complete turnkey end-to-end security framework that consolidates information security functions and satisfies federal and industry requirements. HealthSecure staff has expertise in industry best practices and standards, federal compliance requirements of Government, Health (HIPAA) and Federal Reserve guidelines and has developed a new approach that maps security to Information Technology (IT) and medical privacy practices.

This proprietary software solution is called "Immunity" and the implementation (remediation) procedure applied is called the "HealthSecure Methodology". They provide a comprehensive framework to address enterprise security management issues from a single console supported by a structured security risk management procedure. The HealthSecure solution is designed to create the plan, coordinate discovery of shortcomings and implementation of security requirements and continuously monitor the achievement of IT security policies and objectives defined.

The application of this Implementation (remediation) tool is based on our HealthSecure Methodology and "Immunity" software.


Professional Services
The HealthSecure implementation methodology is an end-to-end security framework that enables our assessment teams to identify and manage threats to the network environment, secure it, and provide privacy protection. We begin the HealthSecure program at the first meeting at each facility and continue the HealthSecure process until the system or facility has achieved the desired security results. The continuity of this approach produces measurable benefits quickly: gaps are discovered, the requirements to mitigate risks are identified, and a continuously secure environment is maintained.

The HealthSecure methodology is outlined below:

  • We begin by conducting an Assessment and Gap Analysis to determine shortcomings in the present system and then create a plan, based on federal and industry requirements, business objectives and policies of the organization.
  • We then analyze and audit the organization's current information security systems and implement the security solution (Immunity) that will close the gap between the present status of security and the policies and objectives defined in the planning stage and contained in the federal requirements documents.
  • Next, we help the organization execute the Immunity software to provide integration, auditing and management of security services and automated compliance functions.
  • By providing managed services, we then help the organization to reduce the cost/effort of deploying, supporting and maintaining their new security solution.

The lifecycle of the HealthSecure methodology is a "work in progress", for the threat to a network is dynamic. By applying HealthSecure, we can ensure that security guidelines, policies and objectives remain in compliance 365 days a year.

Immunity, the core software, has a powerful, patented communications architecture that enables the application of several IT and security technologies that are applied and managed to keep systems SECURE.

The overall HealthSecure program provides the following primary benefits:

  • Simplifies and directs the evaluation of system security requirements.
  • Automates the identification and correction of security vulnerabilities and shortcomings identified in the Gap Analysis.
  • Manages and guides the security planning, integration and auditing functions.


The Need for HealthSecure and the Immunity Software
The genesis for the development of HealthSecure and the Immunity software is based on the rapid growth of system security problems, including:

  • Continuing increases in intrusions, and in the requirements for system integrity and privacy, across distributed networks of computers and servers.
  • Growth of numerous individual security software "solutions" that require controls.
  • Inadequacy of present system applications and shortcomings in complying with federal standards.

The Inadequate Approach
In a typical scenario, systems are scanned for vulnerabilities and penetration tests are conducted, both discovering that there are weaknesses. Before vulnerabilities can be corrected another computer is added to the system that is NOT secure or another new vulnerability is announced that has not yet been recognized, let alone scheduled for correction. None of this activity is accountable or recorded in a relational database. There are no records of security management maintained that are retrievable or that provide line system reports on the status of security or insecurity.

Need for a Single Solution
While there are many individual security software "solutions" that attempt to solve one or more of these problems, currently there is no single "solution" capable of doing so. In fact, the current stand-alone "solutions" often amplify the problem and in some cases present a false sense of security that the problem is solved when in reality it is not. For the most part, the present generation of security software applications works more toward highlighting problems rather than fixing them.

Discover and Correct Vulnerabilities (immunize)
The present security emphasis has been to DISCOVER vulnerabilities. Immunity works on a SEARCH & DESTROY basis to find vulnerabilities quickly and fix them. HealthSecure and Immunity represent an accountable, retrievable database that effectively solves these problems by integrating system security into the IT mainstream and directing the use of integrated solutions. To our knowledge, HealthSecure and Immunity are the only products on the market today that provide a truly comprehensive approach to managing network security and protecting information systems enterprise-wide.

  • HIPAA Requirements Questionnaire: SSI assessment personnel developed a questionnaire that reflects current 'good business' practices and HIPAA rules. This questionnaire was used in the interviews. Individuals in various departments were asked to answer general and specific questions about policies, processes and security procedures, and other variables. The responses were summarized by the Evaluators and entered into the findings and ultimately the Assessment Report and Gap Analysis. The results of the Questionnaires were logged into the HIPAA Assessment Tool.
  • Assessment Guidelines: The SSI assessment team, with the organization's management approval, addressed the various roles and user functions in the organization in order to create general guidelines for the review.
  • Data Collection Checklist: The assessment coordinator distributed a checklist of items required to complete the reviews to the designated authority. The checklist included sections to complete the physical assessment (building layout and floor plans, etc.), vulnerability assessment for operating systems, interview assessment, and policy assessment to assemble a clear picture of the organization. These items were entered into the HIPAA Assessment Tool.
  • Asset Inventory List: A current list of the workstation and server hardware targeted for vulnerability scanning was compiled. This list included the location of each computer, its IP address, operating system and other facts about each computer system under the responsibility of the organization. The asset information was loaded into the Assessment Tool and can be viewed interactively alongside the scan results, which provides detail on the items that require correction to be compliant.
  • System Vulnerability Scanning Results: The vulnerability scanning results were collected and a summary report was generated. The report was sorted by host IP address and vulnerability, saved in text or HTML format, and is available in the Assessment Tool.
  • HIPAA Privacy and Security Requirements Documentation: A matrix of the HIPAA privacy and security requirements documentation that specified the details of the privacy and proposed security regulations was used in the assessment tool.
  • SSI's HIPAA Assessment Tool: SSI's HIPAA Assessment Tool aggregated and correlated information ranging from policy to network compliance and maintained a "Current State Assessment Log" to help identify those areas of non-compliance. These observations are linked with the HIPAA Regulations to aid in identifying the gaps and programming Remediation actions. The Security Plan Manager facilitates long-term, maintainable enterprise Security and Privacy Policy compliance. The assessment project also delivered a "Gap Analysis" report that compared the current state with HIPAA regulations to determine the areas where compliance needed to be addressed. Immunity contains templated recommendations for most gaps identified according to the regulations. Immunity has a variety of ways this report can be printed to be tailored for the specific information being sought: department, severity, regulation number, according to hospital-wide or facility, etc.
  • Remediation Manager: This program is based on the successful progress in the Los Angeles County healthcare facilities. This represents a complete set of remediation applications that satisfy all the security and privacy compliance requirements. The applications meet the specific rule sets contained in HIPAA.
  • Web-based Application: The advantage of the SSI software for Privacy and Security is its single, centralized, web-based console. This provides centralized management together with the advantages inherent in web-based access and operation.
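The correlation of the asset inventory with the vulnerability scan results described above, and the "another computer is added to the system that is NOT secure" problem raised under The Inadequate Approach, as an added Python example. This is not SSI's Assessment Tool or any code from the proposal: the inventory and scanner output are constructed sample data, and the column names, hostnames and IP addresses are assumptions. It joins findings onto the inventory by IP address, sorts by numeric host IP and then by vulnerability (a plain string sort would put 10.1.0.20 before 10.1.0.5), and flags hosts the scanner saw that are missing from the inventory.

```python
"""Correlate an asset inventory with vulnerability scan results.

Added illustration, not SSI's Assessment Tool. All inputs are
constructed sample data; column names and addresses are assumptions.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed asset inventory: location, IP address and operating system per host.
INVENTORY_CSV = """\
hostname,ip,location,os
ws-radiology-01,10.1.0.20,Radiology,Windows 2000
ws-billing-07,10.1.0.5,Billing,Windows NT 4.0
srv-his-01,10.1.1.2,Data center,Solaris 8
"""

# Constructed scanner output: one finding per line. 10.1.0.77 is deliberately
# absent from the inventory to represent a machine added without being recorded.
SCAN_CSV = """\
ip,vulnerability,severity
10.1.0.20,Missing OS patch,High
10.1.0.5,Anonymous FTP enabled,Medium
10.1.0.20,Default SNMP community string,Medium
10.1.1.2,Missing OS patch,High
10.1.0.77,Open file share with no authentication,High
"""


def load_rows(text):
    """Parse CSV text into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def correlate(inventory_rows, scan_rows):
    """Join scan findings onto inventory records by IP address.

    Returns (report, unknown_hosts): report is sorted by numeric IP, then by
    vulnerability name; unknown_hosts lists IPs the scanner reported that do
    not appear in the inventory, i.e. untracked machines on the network.
    """
    assets = {row["ip"]: row for row in inventory_rows}
    report = []
    unknown = set()
    for finding in scan_rows:
        asset = assets.get(finding["ip"])
        if asset is None:
            unknown.add(finding["ip"])
        report.append({
            "ip": finding["ip"],
            "hostname": asset["hostname"] if asset else "(not in inventory)",
            "location": asset["location"] if asset else "(unknown)",
            "os": asset["os"] if asset else "(unknown)",
            "vulnerability": finding["vulnerability"],
            "severity": finding["severity"],
        })
    # ipaddress objects compare numerically, so 10.1.0.5 sorts before 10.1.0.20.
    report.sort(key=lambda r: (ipaddress.ip_address(r["ip"]), r["vulnerability"]))
    return report, sorted(unknown, key=ipaddress.ip_address)


def summarize(report):
    """Count findings per severity for the summary section of the report."""
    counts = defaultdict(int)
    for row in report:
        counts[row["severity"]] += 1
    return dict(counts)


def render_text(report, unknown):
    """Produce the plain-text form of the report, one finding per line."""
    lines = [
        f"{r['ip']:<12} {r['hostname']:<18} {r['os']:<14} {r['severity']:<7} {r['vulnerability']}"
        for r in report
    ]
    if unknown:
        lines.append("")
        lines.append("Hosts scanned but not in asset inventory: " + ", ".join(unknown))
    return "\n".join(lines)


def build_report():
    """Run the correlation over the constructed sample data."""
    return correlate(load_rows(INVENTORY_CSV), load_rows(SCAN_CSV))


if __name__ == "__main__":
    rep, unk = build_report()
    print(render_text(rep, unk))
    print(summarize(rep))
```

The unknown-host list is the piece the proposal's "inadequate approach" lacks: a finding on a host that nobody owns in the inventory cannot be assigned for remediation, so it is surfaced separately rather than buried among the sorted findings.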


SSI Deliverables Experience
The deliverables prepared by SSI for HIPAA Privacy and Security include application of the Immunity Security Management Suite to the HIPAA-directed requirements, together with analyses, plans and reports: Risk Assessments and Gap Analyses, Program and System Protection Plans, Access Control Systems, Technology Protection Guidelines, compliant IT security and privacy remediation applications, Threat Analysis, Penetration Testing and Technical Controls, Certification and Accreditation, Security Plans, and protection of privacy and of sensitive mission-critical data. Complete IT Security Awareness and Training initiatives were conducted, including certification courses and conferences.

The requirements addressed in the federal, state and industry standards are the type that have been previously met by applying SSI products and services implemented in the SSI software tools. SSI has demonstrated the ability to work effectively with diverse organizational structures and highly technical network systems and has a substantial set of partner companies that provide privacy and security integrated solutions. The following are key applications:

  • Continued Privacy and Security Policy Compliance Management
    A specialized software module, the Policy Compliance Manager, monitors information systems to assure that systems brought up to requirements continue to remain secure, and that management is notified when they become insecure. That may result from a new insecure machine being added to the network or from the discovery of a new operating system vulnerability.
  • Privacy Rights, Permissions and Authorizations
    These key functions are tracked within the compliance application. Interviews and reviews of policy and implementation procedures are imported to the assessment tool database.

  • Security Awareness Training and Program Implementation
    The combined SSI resources have conducted substantial Security Awareness programs worldwide. These addressed mandatory training sessions such as those required by NASA, the Air Force and HIPAA, programs for key government and commercial organizations like the New York Stock Exchange, and comprehensive agency programs by SSI (dba NDI) for several organizations.

    These programs included training materials, video productions, demonstrations of malicious software, development of web-based security awareness training and preparation of an agency-wide program of instruction.
  • Penetration Testing, Vulnerability Analysis and Security Configuration Controls
    SSI and predecessor companies have conducted several Penetration Tests and Vulnerability Analyses applying requirements across the spectrum. Clients have included six hospitals and healthcare facilities, Kennedy Space Center, the Library of Congress and others such as Applied Materials, Inc.

  • Remediation Application
    SSI integrates all required HIPAA security software, including secure e-mail with non-repudiation, biometric entity authentication, access control functions that achieve true single sign-on, and the related software and implementation activities.