Ars OpenForum, Networking Matrix: Network/servers for a doctors office, HIPAA compliance?
RawCode (Ars Praetorian et Subscriptor; Tribus: Anchorage, AK; Registered: May 08, 2001; Posts: 3666) wrote:
My brother asked me if I could design and set up a network with internet and a database server + backup with 4-5 client machines, which is no problem really.
However, I have no idea about HIPAA compliance. I read the wiki on HIPAA, and if I do not secure the data correctly, he would be on the hook for huge fines. And I can do security fine with VPNs, encryption and everything, and I understand there are online backup services that encrypt the backups so they are HIPAA compliant.
So how much of a pain in the butt is it to be HIPAA compliant? I am thinking that it would be better for him to contact an IT company/contractor that deals with issues like this every day.
Sterling_Aug (Ars Tribunus Militum; Tribus: Schuylkill Haven, PA 17972 USA; Registered: June 04, 1999; Posts: 2435) wrote:
There are companies that specialize in HIPAA compliance for doctors' offices so I would tell him to pony up the 5 times more expensive equipment now thru them and you should stay out of it or you will be dragged into the multiple lawsuits later as well.
Your brother will save $40K now but you will both lose $1+ MM later.
Posted by Sterling_Aug on June 19, 2007 10:55

RawCode (Ars Praetorian et Subscriptor; Tribus: Anchorage, AK; Registered: May 08, 2001; Posts: 3666) wrote:
quote:
Originally posted by Sterling_Aug:
There are companies that specialize in HIPAA compliance for doctors' offices so I would tell him to pony up the 5 times more expensive equipment now thru them and you should stay out of it or you will be dragged into the multiple lawsuits later as well.
Your brother will save $40K now but you will both lose $1+ MM later.
That is exactly what I thought. Thanks.
Posted by RawCode on June 19, 2007 11:00

GTJack (Wise, Aged Ars Veteran; Tribus: Atlanta; Registered: August 09, 2006; Posts: 506) wrote:
I work at a hospital, and I don't claim to be a HIPAA expert. However, many HIPAA guidelines when pertaining to computers, networks and electronic data follow best practices for keeping data secure in general. There is no reason why you can't set up the network, and then if so inclined, hire a HIPAA auditor or consultant to come in and point out the things that still need to be addressed. Also, HIPAA guidelines regarding data security sometimes fall into the "best effort" category...in essence, if your data is ever breached, liability is often directly tied to how you tried to protect the data. If it is shown that you followed industry best practices and still had data compromised, then you're much better off than if you ignored security concerns.
The following is a list (in no particular order, off the top of my head) that you should do.
PHYSICAL SECURITY
-Keep servers behind a door with a lock
-Use privacy filters on monitors so that casual onlookers can't read potentially confidential data on the screen
NETWORK SECURITY
-Use strong passwords (Use at least three of four...lower case, upper case, numbers, special characters) with minimum 8 characters that expire (typically 30-90 days)
-No generic logins...everyone needs a unique user ID and password
-Set up auditing for confidential data so that you can track who accesses it and when
-Encrypt data backups
-Run antivirus on all servers and workstations; run antispyware on all workstations
-Require authentication at the firewall for any remote access to the network. Ideally, user authentication should come from a RADIUS server that will allow auditing
-Use IPSec for remote connections for maximum security
-If wireless is in place, minimally use WPA security
-Have defined, enforceable policy on what confidential data is placed on portable media/devices
OTHER (somewhat related) SECURITY
-Have a defined, auditable policy for who accesses confidential data
I'm sure there's a lot that I left out, but at least this gives you an idea of the kind of issues of which you need to be mindful. I'm sure others will add to the list.
Posted by GTJack on June 19, 2007 11:00

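Two of the items above, the password rule and the access audit trail, in checkable form. This is an added example, not GTJack's code or anything from the thread; the policy numbers come from the post, while the log format, the list of shared account names and the 07:00-19:00 office hours are assumptions.

```python
import re
from datetime import date, datetime, timedelta

MIN_LENGTH = 8      # "minimum 8 characters"
MIN_CLASSES = 3     # "at least three of four" character classes
MAX_AGE_DAYS = 90   # upper end of the 30-90 day expiry window in the post
# Assumed shared/generic account names that the "no generic logins" rule forbids.
GENERIC_ACCOUNTS = {"frontdesk", "reception", "nurse", "admin"}
# Assumed office hours (constructed); record access outside them is worth a look.
OPEN_HOUR, CLOSE_HOUR = 7, 19


def char_classes(password: str) -> int:
    """Count how many of lower, upper, digit and special classes appear."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for p in patterns if re.search(p, password))


def password_meets_policy(password: str) -> bool:
    """Length and complexity rules exactly as the post states them."""
    return len(password) >= MIN_LENGTH and char_classes(password) >= MIN_CLASSES


def password_expired(last_set: str, today: str) -> bool:
    """True once a password (ISO dates) is older than the expiry window."""
    age = date.fromisoformat(today) - date.fromisoformat(last_set)
    return age > timedelta(days=MAX_AGE_DAYS)


# Constructed audit log: user,record,ISO timestamp, one access per line.
SAMPLE_LOG = """\
jsmith,PT-1042,2007-06-19T09:12:00
frontdesk,PT-1042,2007-06-19T09:15:00
mjones,PT-2210,2007-06-19T22:40:00
"""


def audit_findings(log_text: str) -> list:
    """Flag shared logins and after-hours record access in the audit trail."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        user, record, stamp = line.split(",")
        when = datetime.fromisoformat(stamp)
        if user in GENERIC_ACCOUNTS:
            findings.append(f"{user} opened {record} at {stamp}: shared login, nobody to hold accountable")
        if not OPEN_HOUR <= when.hour < CLOSE_HOUR:
            findings.append(f"{user} opened {record} at {stamp}: access outside office hours")
    return findings


if __name__ == "__main__":
    print(password_meets_policy("Summer07"), password_meets_policy("summer2007"))
    for finding in audit_findings(SAMPLE_LOG):
        print(finding)
```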
RawCode (Ars Praetorian et Subscriptor; Tribus: Anchorage, AK; Registered: May 08, 2001; Posts: 3666) wrote:
quote:
Originally posted by GTJack:
I work at a hospital, and I don't claim to be a HIPAA expert. However, many HIPAA guidelines when pertaining to computers, networks and electronic data follow best practices for keeping data secure in general. There is no reason why you can't set up the network, and then if so inclined, hire a HIPAA auditor or consultant to come in and point out the things that still need to be addressed. Also, HIPAA guidelines regarding data security sometimes fall into the "best effort" category...in essence, if your data is ever breached, liability is often directly tied to how you tried to protect the data. If it is shown that you followed industry best practices and still had data compromised, then you're much better off than if you ignored security concerns.
The following is a list (in no particular order, off the top of my head) that you should do.
PHYSICAL SECURITY
-Keep servers behind a door with a lock
-Use privacy filters on monitors so that casual onlookers can't read potentially confidential data on the screen
NETWORK SECURITY
-Use strong passwords (Use at least three of four...lower case, upper case, numbers, special characters) with minimum 8 characters that expire (typically 30-90 days)
-No generic logins...everyone needs a unique user ID and password
-Set up auditing for confidential data so that you can track who accesses it and when
-Encrypt data backups
-Run antivirus on all servers and workstations; run antispyware on all workstations
-Require authentication at the firewall for any remote access to the network. Ideally, user authentication should come from a RADIUS server that will allow auditing
-Use IPSec for remote connections for maximum security
-If wireless is in place, minimally use WPA security
-Have defined, enforceable policy on what confidential data is placed on portable media/devices
OTHER (somewhat related) SECURITY
-Have a defined, auditable policy for who accesses confidential data
I'm sure there's a lot that I left out, but at least this gives you an idea of the kind of issues of which you need to be mindful. I'm sure others will add to the list.
Yeah, it would appear the "pain in ass" quotient is high for something like this. Plus with it being family, I don't want him to blame me in case I did forget something and I do not have the time to ensure that all the procedures would be followed consistently.
Any reliable websites that have lists of companies that specialize in HIPAA compliance?
Posted by RawCode on June 19, 2007 11:06

GTJack (Wise, Aged Ars Veteran; Tribus: Atlanta; Registered: August 09, 2006; Posts: 506) wrote:
Honestly, doing business with family is a whole different issue in and of itself. That may be reason enough to stay away.
Posted by GTJack on June 19, 2007 11:10

Sterling_Aug (Ars Tribunus Militum; Tribus: Schuylkill Haven, PA 17972 USA; Registered: June 04, 1999; Posts: 2435) wrote:
I would start looking in your local phone book, then search the Internet.
Posted by Sterling_Aug on June 19, 2007 12:45

Nonleg (Smack-Fu Master, in training; Registered: September 01, 2005; Posts: 13) wrote:
Don't be scared of HIPAA. The saying among lawyers is that you only attempt a suit leveraging HIPAA if you're a bad lawyer. There's plenty of other stuff to sue for concerning personal data.
GTJack covered the basic stuff. But, in the end, none of the technical stuff matters if the office administrator has people put SSNs (not required for service) on forms which the greeter leaves within plain view of patients signing in, and then leaves the desk unattended for lunch. Point is, don't get immensely wrapped up in doing sooper sekurity on the technical side, just focus on RISK BASED solutions. Yes, there is a small risk of "X" technical exploit because two l33t hackers in Romania know about it, but it's more likely he will run afoul (state attorneys general are far more likely to run small shops up the pole than the feds are) by stupid human error or ignorance.
Look for sample ISO17799 policies (the standard itself is by license only, but the framework of policies can pretty much be gleaned by googling it).
It will be nearly impossible to find anyone that will "certify" any business as "compliant." Consulting firms typically will *not* "interpret" law, and law firms typically don't have the expertise to attack it from a technical angle. There is too much risk liability involved in giving someone a "compliant" stamp.
If you want to investigate the risk based approach, check out the first few chapters of a CISSP study guide. You're looking for terms like Annualized loss expectancy, etc. If you'll notice in the safeguards provision in the actual statute (go ahead and read that section, it's pretty easy), it's full of words like "reasonable" and "appropriate." How are you going to certify what's reasonable and appropriate without documenting the risks? You can't.
Point is, nothing you do to the gadgets can make him "compliant." It goes way beyond technology, and it sounds like he doesn't have a firm grasp of that concept. Now, using our risk based model, it's unlikely that anything will happen that constitutes a reportable incident (if they're not putting you on service contract, there won't be anyone to notice the hax0rs).
Do some poking around on https://www.privacyassociation.org/ (that's the IAPP) and http://www.privsecblog.com/ (that's a law firm). The IAPP may have a Knowledgenet or roundtable meeting somewhere near Anchorage where you could listen in.
Posted by Nonleg on June 21, 2007 07:07
© Ars Technica, LLC 1998-2007.