HIPAA-Watch for Security Speeds Up Compliance
Part One: Vendor and Product Information
Author - Laura Taylor - August 27, 2004
Executive Summary
HIPAA-Watch for Security is a tool designed to guide organizations through the risk analysis required by the Health Insurance Portability and Accountability Act (HIPAA) compliance process (US). Relevant Technologies, a leading security research and advisory firm, evaluated HIPAA-Watch for Security to verify how well it performed in guiding organizations through the HIPAA security risk analysis process.
Vendor Background and Information
RiskWatch was founded in 1993 in Landover, Maryland (US) with the idea of automating risk assessment modeling for the Department of Defense. Founder Caroline Hamilton, a statistical modeling expert, put together a prototype for a risk analysis tool and then managed its development into an innovative risk analysis product, which was adopted initially by NASA and then by the US Patent and Trademark Office.
The original product grew into a full-featured product line, and today HIPAA-Watch for Security (HIPAA-Watch) is just one of seven products in the suite of risk analysis tools offered by RiskWatch. In the last three years, and in the aftermath of 9/11, RiskWatch has seen unprecedented growth and has expanded into international markets. RiskWatch anticipates that its biggest growth in the near term will be in HIPAA and financial compliance (Sarbanes-Oxley and Gramm-Leach-Bliley). RiskWatch is actively looking for qualified investors who share its vision of becoming a world leader in risk analysis. Without new investment capital, Relevant Technologies expects that RiskWatch could become a potential acquisition target for a larger information security monolith.
Table 1. Company Information

| Item | Detail |
| --- | --- |
| Company Name | RiskWatch |
| Employees | 14 |
| Headquarters | 2568A Riva Road, Suite 300, Annapolis, MD, 21401 |
| Product Name | HIPAA-Watch for Security |
| Key Features | NIST 800-26 compliant, automatic reporting, auditing, multi-user response system, life cycle management, automated financial calculations (annual loss expectancy, cost benefit analysis, return on investment), customizable |
| Company URL | www.riskwatch.com |
| Product URL | www.riskwatch.com/hipaa.asp |
| Customer Contact | 800-448-4666 |
| Investor Inquiries | invest@riskwatch.com |
This is Part One of a two-part note. Part One provides a vendor background and describes Phase I and II of the HIPAA-Watch for Security tool. Part Two will cover Phase III and IV and will offer product suggestions and user recommendations.
HIPAA Regulation and Compliance Requirements
The Health Insurance Portability and Accountability Act (HIPAA) was signed into law by President Clinton on August 21, 1996 and authorized the Secretary of Health and Human Services to provide Congress mandatory regulations to secure and protect the privacy of patient medical records. The primary purpose of HIPAA was to ensure that patient medical records are kept private and are not exploited. However, the impact of keeping patient records private has been to secure the information technology infrastructure that serves as the steward of patient medical records. Securing the information technology infrastructure is the means to the end of securing the data.
Securing information technology systems, and the physical components that surround them, is anything but simple. There are endless factors that need to be taken into consideration when securing infrastructure, and thanks to HIPAA, non-compliance is a crime with severe penalties including possible fines and prison sentences. HIPAA compliance requires organizations to converge law, technology, and medical information into an understandable mélange of sensibility.
HIPAA-Watch for Security is an effort to guide organizations through the security risk analysis and down the road to compliance, through a carefully thought-out risk methodology based on a survey approach. I tested out HIPAA-Watch after spending considerable time thinking about all the manual ways to comply with HIPAA while authoring three chapters of HIPAA Security Implementation (SANS, ISBN 0-9743727-2-2), including the chapter on risk analysis. Clearly a software tool is not a replacement for reference books and true understanding; however, if you're crunched for time and you don't know where to start, what I found is that HIPAA-Watch for Security will jump-start your project and navigate you through a sea of intricate details.
Using HIPAA-Watch for Security
HIPAA-Watch for Security is based on RiskWatch's core risk analysis engine, which is embedded in all their products and is currently at version 9.2, released in June 2004. The embedded risk analysis engine guides you logically through four phases of HIPAA compliance, enabling you to go back and make corrections, changes, and updates as necessary. The four phases that HIPAA-Watch for Security leads you through consist of the following:
- Phase I: definition
- Phase II: data
- Phase III: evaluation
- Phase IV: reports
Phase I assists you in setting up your compliance case boundaries. If you are a large health care organization, it is likely that you may want to create multiple cases. HIPAA-Watch gives you the ability to create as many new cases as necessary.
During Phase I, you define functional areas, asset categories, loss categories, threats, vulnerability areas, and safeguards.
Phase I helps you understand what is at risk, what potential disasters are waiting to occur, and what impact those disasters could have on your organization. Phase I also prompts you to define and analyze your potential losses, vulnerabilities, threats, and safeguards, including how widely they are implemented in the organization.
In Phase II, the assets that need to be protected are selected and valued, including values for how much the organization depends on each asset, and the likelihood of a threat occurrence is integrated into the assessment. HIPAA-Watch for Security presents you with default values for threat frequencies based on local annual frequency estimates (LAFE) and standard annual frequency estimates. The LAFE value should be a function of your local information, such as penetration test data and incident report data, and during Phase II you have the opportunity to modify the LAFE value or use the standard defaults that are built into the product. For example, if your organizational assets are in Kansas City (US), there is a much greater LAFE value for a tornado in Kansas City, Kansas than there would be for Portland, Maine (US), since tornadoes are much more likely to occur in Kansas City.
During Phase II you can indicate what percentage of the identified potential and existing safeguards has been implemented, which is a key feature to take into consideration for life cycle management and project management. At any given time, it is unlikely that all your safeguards are either completely implemented or not implemented at all. You might have a security policy that is 75 percent completed, a firewall that just entered the procurement phase, and an intrusion detection system that has been implemented at six out of ten locations. You cannot accurately calculate a viable risk analysis without accurately indicating the percentage of implementation that has been completed for each safeguard, and HIPAA-Watch allows you to indicate projects that are not fully implemented, as illustrated in figure 1.
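To make the arithmetic behind the Phase II inputs concrete, here is an added worked example (my own illustration, not RiskWatch's engine) that computes annual loss expectancy from asset values, per-threat LAFE rates and safeguard percent-implemented figures, then derives the cost-benefit and ROI numbers. Every asset value, LAFE rate and safeguard figure is a constructed sample; the Kansas City versus Portland tornado rates mirror the example in the text.

```python
"""Annual loss expectancy (ALE) with partially implemented safeguards.
Added illustration, not RiskWatch code: standard SLE x annual frequency
model; all asset, LAFE and safeguard numbers are constructed samples."""
from dataclasses import dataclass, replace


@dataclass
class Asset:
    name: str
    value: float                 # dollar value, including organizational dependency
    exposure: dict               # threat -> fraction of value lost per occurrence


@dataclass
class Safeguard:
    name: str
    annual_cost: float
    reduction: dict              # threat -> fraction of loss prevented at full rollout
    percent_implemented: float   # 0..100, the Phase II implementation figure


def single_loss_expectancy(asset: Asset, threat: str) -> float:
    return asset.value * asset.exposure.get(threat, 0.0)


def annual_loss_expectancy(assets, lafe, safeguards=()) -> float:
    """Sum of SLE x LAFE over assets and threats. Each safeguard is credited
    only in proportion to how much of it has actually been rolled out."""
    total = 0.0
    for asset in assets:
        for threat, rate in lafe.items():
            residual = 1.0
            for sg in safeguards:
                effective = sg.reduction.get(threat, 0.0) * sg.percent_implemented / 100.0
                residual *= 1.0 - effective
            total += single_loss_expectancy(asset, threat) * rate * residual
    return total


def safeguard_roi(assets, lafe, safeguards) -> dict:
    """Cost-benefit view: ALE avoided by the safeguards against their annual cost."""
    before = annual_loss_expectancy(assets, lafe)
    after = annual_loss_expectancy(assets, lafe, safeguards)
    cost = sum(sg.annual_cost for sg in safeguards)
    net = (before - after) - cost
    return {"ale_before": before, "ale_after": after, "annual_cost": cost,
            "net_benefit": net, "roi": net / cost if cost else float("inf")}


def at_implementation(safeguards, name, percent):
    """What-if copy of the safeguard list with one safeguard's rollout changed."""
    return [replace(sg, percent_implemented=percent) if sg.name == name else sg
            for sg in safeguards]


# Constructed sample case: two assets, two threats, two safeguards.
ASSETS = [
    Asset("Patient records server", 500_000, {"tornado": 0.8, "malware": 0.2}),
    Asset("Billing workstations", 100_000, {"tornado": 0.5, "malware": 0.4}),
]
# LAFE: occurrences per year. The tornado rate differs by site; malware does not.
LAFE_KANSAS_CITY = {"tornado": 0.05, "malware": 2.0}
LAFE_PORTLAND = {"tornado": 0.001, "malware": 2.0}
SAFEGUARDS = [
    Safeguard("Network virus scanning", 15_000, {"malware": 0.9}, 60),   # 6 of 10 sites
    Safeguard("Offsite backup", 20_000, {"tornado": 0.7, "malware": 0.5}, 100),
]
```

Calling `safeguard_roi(ASSETS, LAFE_KANSAS_CITY, SAFEGUARDS)` gives the before/after ALE and ROI for the sample case, and `at_implementation(SAFEGUARDS, "Network virus scanning", 100)` shows how much residual risk is attributable to the four sites that are not yet covered.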
Figure 1. Defining Safeguard Costs and Life Cycle

Phase II also encompasses setting up a survey of audit questions and setting up the different respondents (by job category) who are best able to answer these questions (illustrated in figure 2). You can set up as many respondents as necessary and assign particular questions to these individuals based on their areas of expertise, which are designated as functional areas. As elsewhere in HIPAA-Watch, these categories can be modified or deleted, or you can add your own job categories. The current functional areas that come bundled with HIPAA-Watch for Security include
- admissions or patient intake
- billing or collections
- business associates
- case management or disease management
- claims processing
- compliance or legal office
- facilities management
- financial management and budget
- health education
- health services or utilization management
- human resources
- information network management
- information security officer
- information services help desk or technical support
- information systems management
- internal audit
- laboratory
- marketing and fund raising
- medical records department
- medical staff
- member, customer, or patient services
- mental health or drug alcohol
- operations department
- patient or member communication
- patient or member medical records
- pharmacy
- physical security officer
- physician recruitment and services
- policy administration
- privacy officer
- quality assurance
- radiology
- respiratory
- senior management or executive officers
- skilled care or rehabilitation
- support services
- system users
- systems administration
- trading partners
- underwriting or statistics
- volunteer services
The functional areas listed are just the defaults and can be modified according to how your medical establishment is set up. You may need to add new functional areas such as oncology or pediatrics, and HIPAA-Watch allows you to do that.
Figure 2. Identifying the Respondents

Once a respondent has been designated for each functional area, appropriate audit questions are assigned to each respondent. The survey of questions is extensive. Sample questions include the following:
- Does your organization retain HIPAA security documentation for six years from the date of creation?
- The network automatically scans PCs and workstations for viruses before allowing users to access the network?
- Network servers, peripheral devices, and communications equipment are kept in secured areas?
- There is an up to date list of all vendors and support personnel who are authorized to enter your building or facility?
- Access to system log data is restricted to approved personnel?
When you are setting up the survey questions, it is possible to reference the actual HIPAA control standards, with the individual sections cited by their Code of Federal Regulations (CFR) number, as depicted in figure 3.
Figure 3. US HIPAA Code is referenced in control standards.

Question sets can be prepared for the first time, or imported from previously composed question set libraries. Upon final configuration of the question sets, Phase III begins.
A highlight of HIPAA-Watch is the flexibility of the survey process. Respondents can be surveyed automatically over a server or over the web, questionnaires can be e-mailed directly, or question diskettes can be created and distributed throughout the organization. Answers are directly imported back into the appropriate case and compiled with audit trails. Once the data has been compiled, it is ready for Phase III of the risk analysis process: evaluation.
This concludes Part One of a two-part note. Part One provided the vendor background and described Phase I and II of the HIPAA-Watch for Security tool. Part Two will detail Phase III and Phase IV and will also offer product suggestions and user recommendations.
References
- Department of Health and Human Services, What is HIPAA?, http://www.cms.hhs.gov/hipaa/hipaa1/content/more.asp, July 11, 2004.
- Department of Health and Human Services, Health Insurance Reform: Security Standards; Final Rule, http://www.cms.hhs.gov/hipaa/hipaa2/regulations/security/03-3877.pdf, February 20, 2003.
- Pabrai, Uday, Getting Started with HIPAA, Premier Press, 2003.
- SANS Institute, HIPAA Security Implementation, SANS Press, Version 1.0, January 2004.
- Stoneburner, Goguen, and Feringa, Risk Management Guide for Information Technology Systems, National Institute of Standards, Special Publication 800-30, http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf, October 2001.
- Taylor, Laura, Risk Analysis Tools & How They Work, Relevant Technologies, Inc., http://www.riskwatch.com/Press/RiskAnalysis_Tool_EvalB.htm, May 5, 2002.
- Taylor, Laura, Security Scanning is not Risk Analysis, Jupiter Media, http://www.intranetjournal.com/articles/200207/pse_07_14_02a.html, July 14, 2002.
- Tipton and Krause, Information Security Management Handbook, 4th Edition, Auerbach Publications, 2004.
About the Author
Laura Taylor is the President and CEO of Relevant Technologies (http://www.relevanttechnologies.com), a leading provider of original information security content, research advisory services, and best practice IT management consulting services.
Copyright 2004, Relevant Technologies, Inc. All rights reserved.