HIPAA-Watch for Security Speeds Up Compliance
Part Two: Phase III and IV, and Product and User Recommendations
Author - Laura Taylor
August 28, 2004
Introduction
The HIPAA-Watch for Security tool was developed by RiskWatch, a company founded in Maryland (US) in 1993. The tool is designed to guide companies through a risk analysis toward eventual US regulatory compliance. Its risk analysis engine is embedded in the product and consists of four phases. Phase I assists users with establishing compliance case boundaries; in Phase II, values are defined, audit questions are created, and respondents are determined in order to formulate boundaries. Phases III and IV pertain to evaluation and reporting.
This is Part Two of a two-part note.
Part One provided the vendor background and described Phase I and II of the HIPAA-Watch for Security tool.
Part Two will detail Phase III and IV, and will offer product suggestions and user recommendations.
Phase III and IV: Evaluation and Reporting
Phase III launches the risk analysis engine and performs the evaluation. Clearly, preparing for the evaluation is a lot more time consuming than running the evaluation engine. Before you actually run the evaluation, however, HIPAA-Watch allows you to review the links created between Asset Categories and Loss Categories. If you need to change the default recommendations for the links between Asset Categories and Loss Categories, it is simple to make the change. You simply uncheck the assets that are not prone to the type of loss indicated. For example, supplies and consumables are likely not prone to data disclosure and therefore should not be linked. Figure 4 illustrates how Assets are linked to Losses.
Figure 4. Linking Assets with Losses
In Phase III, you decide which calculations you want to compute based on the relationships of the threats, assets, vulnerabilities, and seriousness of potential incidents.
Phase IV generates a final report that has a variety of options that can be included. The options include
- an executive summary
- recommendations for resolving vulnerabilities
- a full asset report
- a summary by asset report
- a full threat report
- a summary by threat report
- a full vulnerability report
- a vulnerability distribution report
- a full safeguard report
- a cost benefit report
- a safeguard threat report
- an audit trail question report
- an audit trail respondent report
The reports generate color pie charts and bar charts and can be saved in either rich text format or Microsoft Word format. While the reports are verbose in their recommendations, most organizations will want to apply some edits to customize them further.
Suggestions for Product Improvement
Relevant Technologies would like to see the aesthetics of the user interface improved in HIPAA-Watch for Security. The engineering of the tool is so sophisticated that this product deserves a user interface with cutting edge aesthetics and a vanguard look. While the existing graphic design and reporting engine is adequate, it could evolve into a market sensation if the developers enlisted the help of a top-notch design artist. Relevant Technologies believes that software is art, and when a product excels, we expect the look and feel of it to excel also. The look and feel of HIPAA-Watch for Security is basic, and for that reason using it may not elicit as many "oohs and aahs" as it might otherwise receive given its capabilities.
Relevant Technologies would prefer to see the survey questions worded in the form of a true interrogative sentence instead of a statement with a question mark at the end. For example, instead of "Access to system log data is restricted to approved personnel?", we would prefer the question to be worded, "Is access to system log data restricted to approved personnel?" However, it's fair to say that the survey questions that exist are certainly on topic and apropos to a HIPAA audit.
Since LAFE (Local Annual Frequency Estimate) values vary according to geographic location, Relevant Technologies would like to see this feature automated so that when you enter your organization's zip code, the LAFE values are automatically adjusted. For example, if your organization is in Omaha, Nebraska (US), you would have a much higher likelihood of tornadoes than if your organization is in Portland, Maine (US). Today HIPAA-Watch for Security allows you to manually adjust these values; however, this presumes that you know what the adjustment should be, and it may take you some time to look it up and find out.
Recommendations for Users
HIPAA-Watch for Security works as advertised and has all the appropriate features that experts in risk analysis expect to see. Its ability to make appropriate calculations from which quantitative risk-based decisions can be made is first-rate. The automated reports that it generates will be useful for chief financial officers, chief information officers, and chief security and privacy officers. Since HIPAA-Watch for Security has the ability to accommodate multiple respondents who can log in to the system from different locations, it can be particularly useful for large, disparate organizations. By using HIPAA-Watch for Security, it is possible to understand which safeguards will give you the greatest return on investment, ranking them from highest to lowest. If you are ready to tackle a HIPAA compliance risk analysis and don't know where to start, using HIPAA-Watch for Security will likely speed up your ability to comply with the CFRs.
Aside from helping your organization comply with the Final Security Rule, HIPAA-Watch can help your organization make better business decisions by making recommendations on how cost effective it is to apply particular safeguards. To take advantage of the sophisticated business decision recommendations, users of HIPAA-Watch may want to educate themselves on basic quantitative risk analysis equations, including how to calculate annualized loss expectancy (ALE), single loss expectancy (SLE), annualized rate of occurrence (ARO), and exposure factor (EF). The information HIPAA-Watch generates can also be used to populate a disaster recovery planning exercise.
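The arithmetic behind the cost benefit report, as an added example that is not RiskWatch code: a toy Phase III model with asset-to-loss links (supplies unlinked from disclosure, as in the review step above), SLE = asset value x EF, ALE = SLE x ARO scaled by a local frequency multiplier standing in for a LAFE adjustment, and a safeguard ranking by net annual benefit. Every asset, threat, safeguard name and number is constructed for illustration.

```python
"""Quantitative risk arithmetic of the kind HIPAA-Watch automates.
Constructed example, not RiskWatch code: every value below is made up."""

# Asset categories and their values in USD (constructed).
ASSETS = {"patient database": 500_000, "supplies": 20_000}

# Asset -> loss-category links (the Phase III review step). Supplies are
# deliberately not linked to "disclosure": consumables cannot leak data.
LINKS = {
    "patient database": {"disclosure", "destruction"},
    "supplies": {"destruction"},
}

# Threat -> (loss category caused, baseline ARO per year, exposure factor EF).
THREATS = {
    "stolen backup tape": ("disclosure", 0.5, 0.6),
    "tornado": ("destruction", 0.02, 1.0),
}

# Safeguard -> (annual cost, fraction of each named threat's ALE it removes).
SAFEGUARDS = {
    "encrypt backup tapes": (8_000, {"stolen backup tape": 0.95}),
    "offsite replication": (30_000, {"tornado": 0.8}),
}

def sle(asset, threat):
    """Single loss expectancy: asset value x EF, or 0 when the asset is not
    linked to the loss category this threat causes."""
    loss, _aro, ef = THREATS[threat]
    return ASSETS[asset] * ef if loss in LINKS[asset] else 0.0

def ale(asset, threat, lafe=1.0):
    """Annualized loss expectancy: SLE x ARO. `lafe` is a local frequency
    multiplier on the baseline ARO (above 1 in tornado country)."""
    _loss, aro, _ef = THREATS[threat]
    return sle(asset, threat) * aro * lafe

def total_ale(lafe_by_threat=None):
    """Sum of ALE over every asset/threat pair; unlinked pairs contribute 0."""
    lafe_by_threat = lafe_by_threat or {}
    return sum(ale(a, t, lafe_by_threat.get(t, 1.0))
               for a in ASSETS for t in THREATS)

def rank_safeguards(lafe_by_threat=None):
    """Cost-benefit ranking: annual ALE avoided minus annual safeguard cost,
    highest net benefit first (the tool's highest-to-lowest ROI ordering)."""
    lafe_by_threat = lafe_by_threat or {}
    ranked = []
    for name, (cost, reductions) in SAFEGUARDS.items():
        avoided = sum(ale(a, t, lafe_by_threat.get(t, 1.0)) * cut
                      for t, cut in reductions.items() for a in ASSETS)
        ranked.append((name, round(avoided - cost, 2)))
    return sorted(ranked, key=lambda item: item[1], reverse=True)
```

Calling `rank_safeguards()` with the baseline frequencies shows offsite replication with a negative net benefit, while `rank_safeguards({"tornado": 5.0})` (an Omaha-style LAFE uplift) turns it positive, which is exactly the location sensitivity the text describes.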
An auxiliary addition to HIPAA-Watch is a bonus CD that includes a data collection kit with forms, PowerPoint presentations, and various shortcuts and tips that will make the analyst's job easier. A complete risk analysis project plan is included in both Microsoft Project and Excel formats for reference purposes.
Consultancies that specialize in assisting healthcare organizations on the road to HIPAA compliance may want to consider using HIPAA-Watch for Security as a tool for standardizing their service offering. Since the audit questions can be refined and added to, it is possible to build up comprehensive question libraries that can be used with different types of covered entities. The different types of covered entities that can take advantage of HIPAA-Watch for Security include
- health care providers
- health care plans
- health care clearinghouses
Health care providers include hospitals, doctors, clinics, pharmacists, and mental health care specialists. Health care plans include insurance companies, health maintenance organizations (HMOs), Medicare plans, Medicaid plans, veterans' health care programs, and Indian Health Service programs. Health care clearinghouses include organizations that process or facilitate billing or transmittal of electronic health information data for other covered entities, such as community or local health information systems.
Conducting a risk analysis manually is not an intuitive process, and use of HIPAA-Watch for Security will be a definite timesaver for any organization that wants to conduct a true risk analysis. A two-day training class is available every month at RiskWatch's headquarters in Annapolis (US).
A feature that Relevant Technologies found to be particularly notable was the ability to actually see the HIPAA Final Security Rule, which is expressed as a control standard. This feature enables organizations to actually understand why they need to pay attention to a particular security policy and whether or not it is considered a required or addressable CFR. While required CFRs are mandatory, addressable CFRs are optional.
Relevant Technologies spent a considerable amount of time researching possible market competitors and was not able to find any other HIPAA security compliance products that appeared competitive with HIPAA-Watch for Security. However, since the market for HIPAA compliance products is still young, Relevant Technologies expects new competing products to emerge within the coming year.
US federal agencies will like that the safeguards list includes the deliverables that are typically required to pass a FISMA-based security certification and accreditation audit. Federal agencies that already have a Certification and Accreditation (C&A) package can apply these C&A reports to their HIPAA risk analysis and reuse much of the pre-existing information.
This concludes Part Two of a two-part note.
Part One provided the vendor background and described Phase I and II of the HIPAA-Watch for Security tool.
Part Two detailed Phase III and IV and also offered product suggestions and user recommendations.
About the Author
Laura Taylor is the President and CEO of Relevant Technologies (http://www.relevanttechnologies.com), a leading provider of original information security content, research advisory services, and best practice IT management consulting services.
Copyright 2004, Relevant Technologies, Inc. All rights reserved.