HIPAA-Watch for Security Speeds Up Compliance
Author - Laura Taylor
August 27, 2004
Part One: Vendor and Product Information
HIPAA-Watch for Security is a tool designed to guide organizations through the risk analysis
required by the Health Insurance Portability and Accountability Act (HIPAA)
compliance process (US). Relevant Technologies, a leading security research
and advisory firm, evaluated HIPAA-Watch for Security to verify how well it
performs in guiding organizations through the HIPAA security risk analysis.
Vendor Background and Information
RiskWatch was founded in 1993 in Landover, Maryland (US) with the idea of automating risk assessment modeling for the Department of Defense. Founder Caroline Hamilton, a statistical modeling expert, put together a prototype for a risk analysis tool and then managed its development into an innovative risk analysis product, which was adopted first by NASA and then by the US Patent and Trademark Office.
The original product grew into a full-featured product line, and today HIPAA-Watch for Security (HIPAA-Watch) is just one of seven products in the suite of risk analysis tools offered by RiskWatch. In the last three years, in the aftermath of 9/11, RiskWatch has seen unprecedented growth and has expanded into international markets. RiskWatch anticipates that its biggest near-term growth will be in HIPAA and financial compliance (Sarbanes-Oxley and Gramm-Leach-Bliley). RiskWatch is actively looking for qualified investors who share its vision of becoming a world leader in risk analysis. Without new investment capital, Relevant Technologies expects that RiskWatch could become an acquisition target for a larger information security monolith.
Table 1. Company Information
Company: RiskWatch
Address: Road, Suite 300, Annapolis, MD, 21401
Product features: compliant, automatic reporting, auditing, multi-user response system, life cycle management, automated financial calculations (annual loss expectancy, cost benefit analysis, return on investment); customizable
This is Part One of a two-part note.
Part One provides a vendor background and describes Phase I and II of the HIPAA-Watch
for Security tool.
Part Two will cover Phase III and IV and will offer product suggestions and user recommendations.
HIPAA Regulation and Compliance Requirements
The Health Insurance Portability and Accountability Act (HIPAA) was signed
into law by President Clinton on August 21, 1996 and authorized the Secretary
of Health and Human Services to provide Congress with mandatory regulations to secure
and protect the privacy of patient medical records. The primary purpose of HIPAA
was to ensure that patient medical records are kept private and are not exploited.
In practice, however, keeping patient records private means securing the
information technology infrastructure that serves as the steward of those
records. Securing the information technology infrastructure is the means
to the end of securing the data.
Securing information technology systems, and the physical components that surround them,
is anything but simple. There are endless factors to take into
consideration when securing infrastructure, and thanks to HIPAA, non-compliance
is a crime with severe penalties, including possible fines and prison sentences.
HIPAA compliance requires organizations to converge law, technology, and medical
information into an understandable mélange of sensibility.
HIPAA-Watch for Security is an effort to guide organizations through the security risk
analysis and down the road to compliance, using a carefully thought-out risk
methodology based on a survey approach. I tested HIPAA-Watch after spending
considerable time thinking about all the manual ways to comply with HIPAA while
authoring three chapters of HIPAA Security Implementation (SANS, ISBN
0-9743727-2-2), including the chapter on risk analysis. Clearly a software tool
is not a replacement for reference books and true understanding; however, if
you're crunched for time and don't know where to start, what I found is
that HIPAA-Watch for Security will jump-start your project and navigate you
through a sea of intricate details.
Using HIPAA-Watch for Security
HIPAA-Watch for Security is based on RiskWatch's core risk analysis engine, which is embedded in all of their products; the current release, version 9.2, shipped in June 2004. The embedded risk analysis engine guides you logically through four phases of HIPAA compliance, letting you go back and make corrections, changes, and updates as necessary. The four phases that HIPAA-Watch for Security leads you through are the following:
Phase I assists you in setting up your compliance case boundaries. If you are a large health care organization, you will likely want to create multiple cases. HIPAA-Watch gives you the ability to create as many new cases as necessary.
During Phase I, you define functional areas, asset categories, loss categories, threats, vulnerability areas, and safeguards.
Phase I helps you understand what is at risk, what potential disasters are waiting to occur, and what impact those disasters could have on your organization. Phase I also prompts you to define and analyze your potential losses, vulnerabilities, threats, and safeguards, including how widely they are implemented in the organization.
In Phase II, the assets that need to be protected are selected and valued, including
values for how much the organization depends on each asset, and the likelihood
of a threat occurrence is integrated into the assessment. HIPAA-Watch for Security
presents you with default values for threat frequencies based on local annual
frequency estimates (LAFE) and standard annual frequency estimates (SAFE).
The LAFE value should be a function of your local information, such as penetration
test data and incident report data, and during Phase II you have the opportunity
to modify the LAFE value or use the standard defaults that are built into the
product. For example, if your organizational assets are in Kansas City, Kansas (US),
the LAFE value for a tornado is much greater than it would be for Portland, Maine (US),
since tornados are far more likely to occur in Kansas City.
During Phase II you can indicate what percentage of each identified potential and existing safeguard has been implemented, which is a key feature for life cycle management and project management. At any given time, it is unlikely that all your safeguards are either completely implemented or not implemented at all. You might have a security policy that is 75 percent complete, a firewall that has just entered the procurement phase, and an intrusion detection system that has been deployed at six out of ten locations. You cannot produce an accurate risk analysis without recording the percentage of implementation completed for each safeguard, and HIPAA-Watch allows you to indicate projects that are not fully implemented, as illustrated in figure 1.
Figure 1. Defining Safeguard Costs and Life Cycle
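To make the Phase II arithmetic concrete, here is an added illustration (my own code, not RiskWatch's engine, whose internal formulas the product does not expose) of a textbook annual loss expectancy (ALE) model in the style of NIST SP 800-30: the LAFE for a threat drives the expected yearly loss, and a safeguard only reduces that loss in proportion to how much of it is actually implemented. Every asset value, frequency, effectiveness figure, and safeguard cost below is constructed for the example.

```python
# Added illustration, not RiskWatch's own code: a textbook annual loss expectancy (ALE)
# model in the style of NIST SP 800-30, showing how a local annual frequency estimate
# (LAFE) and the percentage of each safeguard actually implemented change residual risk.
from dataclasses import dataclass

@dataclass(frozen=True)
class Threat:
    name: str
    lafe: float      # local annual frequency estimate: expected occurrences per year
    exposure: float  # fraction of the asset's value lost per occurrence (0..1)

@dataclass(frozen=True)
class Safeguard:
    name: str
    mitigates: frozenset  # names of the threats this safeguard reduces
    effectiveness: float  # fraction of loss prevented when fully implemented (0..1)
    implemented: float    # share of the rollout completed (0..1), e.g. 0.6 for 6 of 10 sites
    annual_cost: float    # annualized cost of the safeguard

def ale(asset_value: float, threat: Threat) -> float:
    """Single loss expectancy (value x exposure) times the yearly rate of occurrence."""
    return asset_value * threat.exposure * threat.lafe

def residual_factor(threat: Threat, safeguards: list) -> float:
    """Fraction of loss left after each applicable safeguard, scaled by how much of it exists."""
    factor = 1.0
    for s in safeguards:
        if threat.name in s.mitigates:
            factor *= 1.0 - s.effectiveness * s.implemented
    return factor

def residual_ale(asset_value: float, threats: list, safeguards: list) -> float:
    return sum(ale(asset_value, t) * residual_factor(t, safeguards) for t in threats)

def safeguard_benefit(asset_value, threats, safeguards, candidate) -> float:
    """Net annual benefit of adding `candidate`: risk removed minus its annual cost."""
    before = residual_ale(asset_value, threats, safeguards)
    after = residual_ale(asset_value, threats, safeguards + [candidate])
    return before - after - candidate.annual_cost

# Constructed sample case: a patient-records server valued at $1M.
RECORDS_VALUE = 1_000_000.0
TORNADO_KC = Threat("tornado", lafe=0.05, exposure=0.5)   # Kansas City: tornados common
TORNADO_ME = Threat("tornado", lafe=0.001, exposure=0.5)  # Portland, Maine: rare
VIRUS = Threat("virus outbreak", lafe=2.0, exposure=0.02)
IDS = Safeguard("intrusion detection", frozenset({"virus outbreak"}), 0.5, 0.6, 20_000)  # 6 of 10 sites
POLICY = Safeguard("security policy", frozenset({"virus outbreak"}), 0.2, 0.75, 2_000)   # 75% written
FIREWALL = Safeguard("firewall", frozenset({"virus outbreak"}), 0.6, 1.0, 5_000)         # in procurement
```

With these constructed figures the Kansas City tornado ALE is 50 times the Portland one, the half-finished IDS and three-quarters-written policy leave 23,800 of the 40,000 virus ALE, and completing the firewall purchase shows a positive net annual benefit.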
Phase II also encompasses setting up a survey of audit questions and setting up the
different respondents (by job category) who are best able to answer
those questions (illustrated in figure 2). You can set up as many respondents
as necessary and assign particular questions to these individuals based on their
areas of expertise, which HIPAA-Watch designates as functional areas. As elsewhere
in HIPAA-Watch, these categories can be modified or deleted, or you can add your
own job categories. The functional areas that currently come bundled with HIPAA-Watch
for Security include:
or patient intake
billing or collections
case management or disease management
compliance or legal office
financial management and budget
health services or utilization management
information network management
information security officer
services help desk or technical support
marketing and fund raising
medical records department
member, customer, or patient services
mental health or drug alcohol
patient or member communication
patient or member medical records
physical security officer
physician recruitment and services
management or executive officers
care or rehabilitation
The functional areas listed are just the defaults and can be modified according to how your medical establishment is set up. You may need to add new functional areas such as oncology or pediatrics, and HIPAA-Watch allows you to do that.
Figure 2. Identifying the Respondents
Once a respondent has been designated for each functional area, appropriate audit questions are assigned to each respondent. The survey of questions is extensive. Sample questions include the following:
Does your organization retain HIPAA security documentation for six years from the
date of creation?
Your network automatically scans PCs and workstations for viruses before allowing
users to access the network?
servers, peripheral devices, and communications equipment are kept in secured
There is an up-to-date list of all vendors and support personnel who are authorized
to enter your building or facility?
Access to system log data is restricted to approved personnel?
When you are setting up the survey questions, you can reference the actual
HIPAA control standards, with the individual sections cited by their Code
of Federal Regulations (CFR) number, as depicted in figure 3.
Figure 3. US HIPAA Code is referenced in control standards.
Question sets can be prepared for the first time, or imported from previously composed question set libraries. Upon final configuration of the question sets, Phase III begins.
A highlight of HIPAA-Watch is the flexibility of the survey process. Respondents can be surveyed automatically over a server or over the web, questionnaires can be
e-mailed directly, or question diskettes can be created and distributed throughout the organization. Answers are imported directly back into the appropriate case and compiled with audit trails. Once the data has been compiled, it is ready for Phase III of the risk analysis process: evaluation.
This concludes Part One of a two-part note.
Part One provided the vendor background and described Phase I and II of the HIPAA-Watch
for Security tool.
Part Two will detail Phase III and Phase IV and will also offer product suggestions
and user recommendations.
References
US Department of Health and Human Services, What is HIPAA? July 11, 2004
US Department of Health and Human Services, Health Insurance Reform: Security Standards; Final Rule, http://www.cms.hhs.gov/hipaa/hipaa2/regulations/security/03-3877.pdf, February 20, 2003
Pabrai, Uday, Getting Started with HIPAA, Premier Press, 2003
SANS Institute, HIPAA Security Implementation, SANS Press, Version 1.0
Stoneburner, Goguen, and Feringa, Risk Management Guide for Information Technology Systems, National Institute of Standards and Technology, Special Publication 800-30
Taylor, Laura, Risk Analysis Tools & How They Work, Relevant Technologies, Inc., http://www.riskwatch.com/Press/RiskAnalysis_Tool_EvalB.htm, May 5, 2002
Taylor, Laura, Security Scanning is not Risk Analysis, Jupiter Media, http://www.intranetjournal.com/articles/200207/pse_07_14_02a.html, July 14, 2002
Tipton and Krause, Information Security Management Handbook, 4th Edition, Auerbach Publications, 2004
Laura Taylor is the President and CEO of Relevant Technologies (http://www.relevanttechnologies.com),
a leading provider of original information security content, research advisory
services, and best-practice IT management consulting services.
Copyright 2004, Relevant Technologies, Inc. All rights reserved.