Regulatory Compliance IT Managed Services
The Health Insurance Portability and Accountability Act (HIPAA)
Compliance with the Final Security Rule
The Health Insurance Portability and Accountability Act (HIPAA) was enacted by the U.S. Congress in 1996. Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers.
Administrative Procedures to Guard Data Confidentiality, Integrity and Availability

| Requirement | SOTEC Remote Monitoring/Partner |
| --- | --- |
| Periodic inventory of hardware/software assets | |
| Periodic security testing, including hands-on functional testing, penetration testing, and verification | SOTEC Remote Monitoring vulnerability scanning and vulnerability assessment; intrusion monitoring; firewall monitoring; patch assessment |
| Business partner agreements | Appropriate contractual language to preserve the "chain of trust" |
| Contingency plan requiring formal assessment of the sensitivity, vulnerabilities, and security of covered entities | SOTEC Remote Monitoring vulnerability scanning and vulnerability assessment; intrusion monitoring; firewall monitoring; patch assessment |
| Section 164.308(a)(1)(ii)(A): Conduct an accurate and thorough assessment of potential risks and vulnerabilities | Network vulnerability assessment; Windows intrusion monitoring; vulnerability scanning; patch assessment |
Technical Security Services

| Requirement | SOTEC Remote Monitoring/Partner |
| --- | --- |
| Ongoing monitoring of the information system to determine whether it has been compromised, misused, or accessed by unauthorized individuals | Overall IT monitoring; off-site monitoring and management; intrusion monitoring/alerting |
| Section 164.308(a)(5)(ii)(A): Periodic security updates | Vulnerability scanning; patch scanning |
| Section 164.308(a)(7)(ii)(A): Establish and implement procedures to create and maintain retrievable exact copies of electronic protected health information | Logfile monitoring templates for APC, ArcServe, Backup Exec, CA BrightStor |
Technical Security Mechanisms

| Requirement | SOTEC Remote Monitoring/Partner |
| --- | --- |
| Event reporting mechanisms | Automated security alerts, notification, and escalation capabilities; threshold-setting |
| Alarm system; audit trails; incident tracking | Real-time intrusion alerts; monthly intrusion summaries: login/logout activity by user/device, failed login details report, account modification activity by user/account report |
| Section 164.306(a)(2): Protect against anticipated threats or hazards to the integrity of information | Scheduled reporting for security/firewalls; vulnerability scanning; patch scanning; ensure vendor-specific firewall/intrusion detection tools are monitored (e.g., Cisco PIX, SonicWALL, Trend Micro IPS) |
| Section 164.308(a)(5)(ii)(B): Procedures for guarding against, detecting, and reporting malicious software | Ensure anti-virus tools are working and up to date: CA eTrust, McAfee Anti-Virus, Norton Anti-Virus |
| Section 164.308(a)(3)(ii)(A): Implement policies and procedures for authorization/supervision of workforce members who work with electronic protected health information | RSA Authentication Windows Service Monitor; Windows Security Event Monitor |
| Section 164.308(a)(5)(ii)(C): Procedures for monitoring log-in attempts and reporting discrepancies | Login, logoff, and lockout activity event monitor; Windows Security Event Monitor |
| Section 164.308(a)(5)(ii)(D): Procedures for creating, changing, and safeguarding passwords | Windows Security Event Monitor |
| Section 164.308(a)(6)(ii): Identify and respond to suspected or known security incidents; mitigate and document security incidents and their outcomes | Current and resolved fault reports against all policies outlined herein; scheduled reports for historical tracking |
| Section 164.312(a)(1): Implement procedures for electronic information systems that allow access only to persons or software programs that have been granted access rights | Login, logoff, and lockout activity event monitor; Windows Security Event Monitor; remote access templates for Citrix and Terminal Services |