It looks like you're using an Ad Blocker.
Please white-list or disable AboveTopSecret.com in your ad-blocking tool.
Thank you.
Some features of ATS will be disabled while you continue to use an ad-blocker.
HIPAA Question/Help Please!!!
page: 12
share:
Hi, my name is Rob. Long time lurker, first time poster. Great website, love the messages. And before I continue, Mods, if this is the wrong
location for this post please place it in the correct location. Ty!
I am a student studying Information Security, and am currently wrestling with several HIPAA questions. Specifically on the topic of computer security. Many websites, pages, and white papers that I read state that the computers handling the Electronic Protected Health Information (e-PHI) must be kept up-to-date with software upgradaes and available patches. (www.healthit.gov...) is one such document which is shown on the bottom of page 3 (28 on the actual page).
My question is this, besides the risk analysis clause which I don't feel is pertinent enough, and 164.306 (Security Standards), Setion A, Part 2 which states that the location must "protect against any reasonably anticipated threats or hazards to the security or integrity of such information", where does it specifically state that e-PHI must be protected/how? This is not a homework question per se, but something that I have been scouring the HIPAA Security Rule section(s) attempting to find.
To anyone who tries to help, I appreciate it very much! Ty!
I am a student studying Information Security, and am currently wrestling with several HIPAA questions. Specifically on the topic of computer security. Many websites, pages, and white papers that I read state that the computers handling the Electronic Protected Health Information (e-PHI) must be kept up-to-date with software upgradaes and available patches. (www.healthit.gov...) is one such document which is shown on the bottom of page 3 (28 on the actual page).
My question is this, besides the risk analysis clause which I don't feel is pertinent enough, and 164.306 (Security Standards), Setion A, Part 2 which states that the location must "protect against any reasonably anticipated threats or hazards to the security or integrity of such information", where does it specifically state that e-PHI must be protected/how? This is not a homework question per se, but something that I have been scouring the HIPAA Security Rule section(s) attempting to find.
To anyone who tries to help, I appreciate it very much! Ty!
a reply to: Rookseven
Not being from that side of the pond a lot of what i've read makes no sense as but your bit on "anticipated threats and hazards" just sounds like to me to read as make sure its burglar/arsonist proof or at the very worst you have a backup plan now they can't put a minimum level on security as things change all the time, its pretty much like the 2nd mentions firearms and leaves it at that as otherwise if it did mention that "the right to bear fred's flintlocks made from his upstairs room shall...etc...etc" would lead to people just meeting the minimum requirement and then if things go wrong just blaming the law
Not being from that side of the pond a lot of what i've read makes no sense as but your bit on "anticipated threats and hazards" just sounds like to me to read as make sure its burglar/arsonist proof or at the very worst you have a backup plan now they can't put a minimum level on security as things change all the time, its pretty much like the 2nd mentions firearms and leaves it at that as otherwise if it did mention that "the right to bear fred's flintlocks made from his upstairs room shall...etc...etc" would lead to people just meeting the minimum requirement and then if things go wrong just blaming the law
Are you talking just HIPPA or also PCI compliance?
Anyway this is a good place to look when you have HIPPA questions..
www.hhs.gov...
Anyway this is a good place to look when you have HIPPA questions..
www.hhs.gov...
originally posted by: Rookseven
where does it specifically state that e-PHI must be protected/how?
This could be one of the biggest conspiracy topics ever addressed on ATS.
HIPAA was never about protecting "Protected Healthcare Information" ... it was all about who it could be made legally available to and how (beyond the consent of the patient).
The 'how' of it is developed in the Information Assurance arena ... and that is via a mandate I've lost track of.
a reply to: Rookseven
Where I work we retain data that is PHI and Bank and Insurance related, the vast majority of the data we retain is stored via IBM 3940 tapes (yes they still use those) with a 99 year storage requirement and the data is handled by Z mainframes and linux servers, the method by with we move data to redundant backup locations varies by data type. Some is stored on a VTA (Virtual Tape Appliance) then copied to an offsite DR(Disaster Recovery) site, other data is maintained in the tape form, but most of the data in stored in a Santa Fe Shark RAID drive array. You will notice most of this tech IS NOT the latest and greatest, it is not the OS or the updates that determines system security, it is the operations and administration of the systems in question. Did you know the IBM mainframe platform has never been hacked??? You can not now and likely will never see an example of the Z/OS platform compromised. With a track record like that it is not upgrades and updates you have to worry about. Just gota make sure user credentials are not lost/stolen or otherwise mishandled. One example is many (if not most) ATM machines STILL run on OS/2, several banks and brokers in general STILL use Novell, heck there is still a Windows 3.1 system in use in our datacenter as well as several OS/2 Warp terminals.(they work really well as admin interfaces to the IBM mainframes) The primary reasons they have statements about maintaining updates is most people are dumb enough to have Windows servers in a production environment.(Well known fact that Windows
Where I work we retain data that is PHI and Bank and Insurance related, the vast majority of the data we retain is stored via IBM 3940 tapes (yes they still use those) with a 99 year storage requirement and the data is handled by Z mainframes and linux servers, the method by with we move data to redundant backup locations varies by data type. Some is stored on a VTA (Virtual Tape Appliance) then copied to an offsite DR(Disaster Recovery) site, other data is maintained in the tape form, but most of the data in stored in a Santa Fe Shark RAID drive array. You will notice most of this tech IS NOT the latest and greatest, it is not the OS or the updates that determines system security, it is the operations and administration of the systems in question. Did you know the IBM mainframe platform has never been hacked??? You can not now and likely will never see an example of the Z/OS platform compromised. With a track record like that it is not upgrades and updates you have to worry about. Just gota make sure user credentials are not lost/stolen or otherwise mishandled. One example is many (if not most) ATM machines STILL run on OS/2, several banks and brokers in general STILL use Novell, heck there is still a Windows 3.1 system in use in our datacenter as well as several OS/2 Warp terminals.(they work really well as admin interfaces to the IBM mainframes) The primary reasons they have statements about maintaining updates is most people are dumb enough to have Windows servers in a production environment.(Well known fact that Windows
Not interested in hijacking the thread based on silly lines like "people are dumb enough to have Windows servers in a production evt"
How are you making out OP?
How are you making out OP?
originally posted by: opethPA
Not interested in hijacking the thread based on silly lines like "people are dumb enough to have Windows servers in a production evt"
How are you making out OP?
Not a silly line, the known issues with keeping a windows server secure is why they have the updates bit in the different guidelines, when you have a secure platform you don't have to worry about every last KB and hotfix. Windows has it's place but a production data environment isn't it. You spend more time installing updates and rebooting than you do serving up the user data.
originally posted by: sycomix
originally posted by: opethPA
Not interested in hijacking the thread based on silly lines like "people are dumb enough to have Windows servers in a production evt"
How are you making out OP?
Not a silly line, the known issues with keeping a windows server secure is why they have the updates bit in the different guidelines, when you have a secure platform you don't have to worry about every last KB and hotfix. Windows has it's place but a production data environment isn't it. You spend more time installing updates and rebooting than you do serving up the user data.
Except for all the production DC's that have Windows servers running and dont have issues..of course it's all moot if your edge isn't secured..Im sure we can find a way to blame MSFT for that.. hell Im not even a MSFT fan but blanket statements dont work in the IS world.. Except maybe to say that a Spanning tree loop at 3am blows..i think everyone would say that.
We could gladly sit here and go back and forth on things but im more interested in seeing if the OP was able to get his question answered.
Thank you guys for the help! So far what I've been able to come up with are the following (from the Final Rule of the HIPAA Security Rule). If I'm
wrong, please correct me, but these seem to speak to the heart of what I was wondering.
> 164.308(a)(5)(ii)(B) Protection from Malicious Software says "Procedures for guarding against, detecting, and reporting malicious software."; My take: If the OS or browser isn't updated with security vulnerability updates your chances of finding or guarding against them are on a downward curve
> 164.310((c) The Workstation Security Standard to "Implement physical safeguards for all workstations that access e-PHI, to restrict access to authorized users; My take: If the OS is no longer supported how can you be sure that user access controls and policies have not been compromised?
> 164.312(c)(1) The Integrity Standard "Implement policies and procedures to protect e-PHI from improper alteration or destruction; My take: How do you know new vulnerabilities haven't been found that allow users access to your system?
> 164.308(a)(5)(ii)(B) Protection from Malicious Software says "Procedures for guarding against, detecting, and reporting malicious software."; My take: If the OS or browser isn't updated with security vulnerability updates your chances of finding or guarding against them are on a downward curve
> 164.310((c) The Workstation Security Standard to "Implement physical safeguards for all workstations that access e-PHI, to restrict access to authorized users; My take: If the OS is no longer supported how can you be sure that user access controls and policies have not been compromised?
> 164.312(c)(1) The Integrity Standard "Implement policies and procedures to protect e-PHI from improper alteration or destruction; My take: How do you know new vulnerabilities haven't been found that allow users access to your system?
It means that where records are kept or the computers they are stored on must be in a locked and lockable room when not in use.
new topics
-
Biden FINALLY allows Ukraine to use US missiles inside of Russia.
General Conspiracies: 4 hours ago -
The Martian Lafayette Meteorite Interacted with Water Just 742 million years ago
Space Exploration: 9 hours ago -
My Body Of Release…
Philosophy and Metaphysics: 10 hours ago -
Well, here we go red lines crossed Biden gives the go ahead to use long range missiles
World War Three: 10 hours ago
top topics
-
Well, here we go red lines crossed Biden gives the go ahead to use long range missiles
World War Three: 10 hours ago, 26 flags -
The Martian Lafayette Meteorite Interacted with Water Just 742 million years ago
Space Exploration: 9 hours ago, 7 flags -
My Body Of Release…
Philosophy and Metaphysics: 10 hours ago, 4 flags -
Biden FINALLY allows Ukraine to use US missiles inside of Russia.
General Conspiracies: 4 hours ago, 0 flags
active topics
-
Well, here we go red lines crossed Biden gives the go ahead to use long range missiles
World War Three • 84 • : putnam6 -
Tesla cutting 14,000 jobs
Global Meltdown • 54 • : Irishhaf -
President-Elect DONALD TRUMP's 2nd-Term Administration Takes Shape.
Political Ideology • 217 • : WeMustCare -
Encouraging News Media to be MAGA-PAF Should Be a Top Priority for Trump Admin 2025-2029.
Education and Media • 72 • : WeMustCare -
POLLS - Leading Up To The November 2024 USA Elections.
2024 Elections • 322 • : WeMustCare -
it's not a statue or an Alien woman on Mars.
Aliens and UFOs • 21 • : EduardoLopez -
Waterloo in 20mm world's largest diorama (on view at NAM Chelsea Oct 20 & 21) new pics added 10 -16
Member Art • 50 • : Asktheanimals -
RFK is Trumps health pick
2024 Elections • 12 • : WeMustCare -
My Body Of Release…
Philosophy and Metaphysics • 6 • : JJproductions -
The Great Reckoning
Rant • 55 • : VariedcodeSole
2