HIPAA-Watch for Security Speeds Up Compliance
Part One: Vendor and Product Information
Laura Taylor -
8/27/2004
Executive Summary
HIPAA-Watch for Security is a tool designed to guide organizations through the risk analysis required by the Health Insurance Portability and Accountability Act (HIPAA) compliance process (US). Relevant Technologies, a leading security research and advisory firm, evaluated HIPAA-Watch for Security to verify how well it performed in guiding organizations through the HIPAA security risk analysis process.
Vendor Background and Information
RiskWatch was founded in 1993 in Landover, Maryland (US) with the idea of automating risk assessment modeling for the Department of Defense. Founder Caroline Hamilton, a statistical modeling expert, put together a prototype for a risk analysis tool and then managed its development into an innovative risk analysis product, which was adopted initially by NASA and then by the US Patent and Trademark Office.
The original product grew into a full-featured product line, and today HIPAA-Watch for Security (HIPAA-Watch) is just one of seven products in the suite of risk analysis tools offered by RiskWatch. In the last three years, and in the aftermath of 9/11, RiskWatch has seen unprecedented growth and has expanded into international markets. RiskWatch anticipates that its biggest growth in the near term will be in HIPAA and financial compliance (Sarbanes-Oxley and Gramm-Leach-Bliley). RiskWatch is actively looking for qualified investors who share the vision of becoming a world leader in risk analysis. Without new investment capital, Relevant Technologies expects that RiskWatch could become a potential acquisition target for a larger information security monolith.
Table 1. Company Information

| Company Name | RiskWatch |
| --- | --- |
| Employees | 14 |
| Headquarters | 2568A Riva Road, Suite 300, Annapolis, MD, 21401 |
| Product Name | HIPAA-Watch for Security |
| Key Features | NIST 800-26 compliant, automatic reporting, auditing, multi-user response system, life cycle management, automated financial calculations: annual loss expectancy, cost benefit analysis, return on investment; customizable |
| Company URL | www.riskwatch.com |
| Product URL | www.riskwatch.com/hipaa.asp |
| Customer Contact | 800-448-4666 |
| Investor Inquiries | invest@riskwatch.com |
This is Part One of a two-part note. Part One provides a vendor background and describes Phase I and II of the HIPAA-Watch for Security tool. Part Two will cover Phase III and IV and will offer product suggestions and user recommendations.
HIPAA Regulation and Compliance Requirements
The Health Insurance Portability and Accountability Act (HIPAA) was signed into law by President Clinton on August 21, 1996 and authorized the Secretary of Health and Human Services to provide Congress mandatory regulations to secure and protect the privacy of patient medical records. The primary purpose of HIPAA was to ensure that patient medical records are kept private and are not exploited. However, the impact of keeping patient records private has been to secure the information technology infrastructure that serves as the steward of patient medical records. Securing the information technology infrastructure is the means to the end of securing the data.
Securing information technology systems, and the physical components that surround them, is anything but simple. There are endless factors that need to be taken into consideration when securing infrastructure, and thanks to HIPAA, non-compliance is a crime with severe penalties including possible fines and prison sentences. HIPAA compliance requires organizations to converge law, technology, and medical information into an understandable mélange of sensibility.
HIPAA-Watch for Security is an effort to guide organizations through the security risk analysis and down the road to compliance, through a carefully thought-out risk methodology based on a survey approach. I tested out HIPAA-Watch after spending considerable time thinking about all the manual ways to comply with HIPAA while authoring three chapters of HIPAA Security Implementation (SANS, ISBN 0-9743727-2-2), including the chapter on risk analysis. Clearly a software tool is not a replacement for reference books and true understanding; however, if you're crunched for time and you don't know where to start, what I found is that HIPAA-Watch for Security will jump-start your project and navigate you through a sea of intricate details.
Using HIPAA-Watch for Security
HIPAA-Watch for Security is built on RiskWatch's core risk analysis engine, which is embedded in all of the company's products; the current release, version 9.2, shipped in June 2004. The embedded risk analysis engine guides you logically through four phases of HIPAA compliance, enabling you to go back and make corrections, changes, and updates as necessary. The four phases that HIPAA-Watch for Security leads you through consist of the following:
- Phase I: definition
- Phase II: data
- Phase III: evaluation
- Phase IV: reports
Phase I assists you in setting up your compliance case boundaries. If you are a large health care organization, it is likely that you may want to create multiple cases. HIPAA-Watch gives you the ability to create as many new cases as necessary.
During Phase I, you define functional areas, asset categories, loss categories, threats, vulnerability areas, and safeguards.
Phase I helps you understand what is at risk, what potential disasters are waiting to occur, and what impact those disasters could have on your organization. Phase I also prompts you to define and analyze your potential losses, vulnerabilities, threats, and safeguards, including how widely the safeguards are implemented in the organization.
In Phase II, the assets that need to be protected are selected and valued, including values for how much the organization depends on each asset, and the likelihood of a threat occurrence is integrated into the assessment. HIPAA-Watch for Security presents you with default values for threat frequencies based on local annual frequency estimates (LAFE) and standard annual frequency estimates. The LAFE value should be a function of your local information, such as penetration test data and incident report data, and during Phase II you have the opportunity to modify the LAFE value or use the standard defaults that are built into the product. For example, if your organizational assets are in Kansas City (US), there is a much greater LAFE value for a tornado in Kansas City, Kansas than there would be for Portland, Maine (US), since tornados are much more likely to occur in Kansas City.
During Phase II you can indicate what percentage of each identified potential or existing safeguard has been implemented, a key feature for life cycle management and project management. At any given time it is unlikely that all your safeguards are either completely implemented or completely absent. You might have a security policy that is 75 percent complete, a firewall that has just entered the procurement phase, and an intrusion detection system that has been deployed at six out of ten locations. A risk analysis cannot be accurate unless it reflects the percentage of implementation completed for each safeguard, and HIPAA-Watch lets you record projects that are not fully implemented, as illustrated in figure 1.
Figure 1. Defining Safeguard Costs and Life Cycle
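As an added illustration (not RiskWatch's engine, whose internals the article does not describe), the following Python sketch shows how the Phase II inputs just discussed (asset value and dependency, LAFE, safeguard cost and percentage implemented) can feed the annual loss expectancy and return-on-investment figures the tool reports. The ALE formula, the proportional credit given to partially implemented safeguards, and all sample values are constructed assumptions for this example.

```python
from dataclasses import dataclass
@dataclass
class Asset:
    name: str
    value: float        # dollar value of the asset
    dependency: float   # 0..1: how much the organization depends on it

@dataclass
class Threat:
    name: str
    lafe: float         # local annual frequency estimate (events per year)
    exposure: float     # 0..1: fraction of asset value lost per event

@dataclass
class Safeguard:
    name: str
    annual_cost: float
    effectiveness: float    # 0..1: exposure reduction when fully deployed
    pct_implemented: float  # 0..100, as entered during Phase II
    mitigates: frozenset    # names of the threats it addresses

def ale(asset, threat):
    """Annual loss expectancy of one asset/threat pair before safeguards (assumed formula)."""
    return asset.value * asset.dependency * threat.exposure * threat.lafe

def residual_ale(asset, threat, safeguards):
    """ALE after safeguards; a 60%-complete safeguard earns 60% of its effect (assumption)."""
    remaining = 1.0
    for s in safeguards:
        if threat.name in s.mitigates:
            remaining *= 1.0 - s.effectiveness * s.pct_implemented / 100.0
    return ale(asset, threat) * remaining

def total_residual(assets, threats, safeguards):
    return sum(residual_ale(a, t, safeguards) for a in assets for t in threats)

def safeguard_roi(assets, threats, safeguards, name):
    """(annual loss avoided by this safeguard at its current level - its cost) / cost."""
    without = [s for s in safeguards if s.name != name]
    cost = next(s.annual_cost for s in safeguards if s.name == name)
    avoided = total_residual(assets, threats, without) - total_residual(assets, threats, safeguards)
    return (avoided - cost) / cost

# Constructed sample case (illustrative figures, not vendor data)
ASSETS = [Asset("patient records server", 500_000, 1.0)]
THREATS = [Threat("malware outbreak", lafe=2.0, exposure=0.10),
           Threat("tornado", lafe=0.02, exposure=0.80)]
SAFEGUARDS = [Safeguard("network antivirus scanning", 20_000, 0.8, 100, frozenset({"malware outbreak"})),
              Safeguard("intrusion detection system", 30_000, 0.5, 60, frozenset({"malware outbreak"})),
              Safeguard("off-site backup", 10_000, 0.9, 75, frozenset({"tornado"}))]
```

Calling `safeguard_roi` for each entry in `SAFEGUARDS` shows why the implementation percentage matters: the 60%-complete intrusion detection system avoids only about $6,000 of the $100,000 malware exposure in this case, well short of its $30,000 annual cost, while the fully deployed antivirus scanning returns 1.8 times its cost.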
Phase II also encompasses setting up a survey of audit questions and setting up the different respondents (by job category) who are best able to answer these questions, as illustrated in figure 2. You can set up as many respondents as necessary and assign particular questions to these individuals based on their areas of expertise, which are designated as functional areas. As elsewhere in HIPAA-Watch, these categories can be modified or deleted, or you can add your own job categories. The functional areas that come bundled with HIPAA-Watch for Security include:
- admissions or patient intake
- billing or collections
- business associates
- case management or disease management
- claims processing
- compliance or legal office
- facilities management
- financial management and budget
- health education
- health services or utilization management
- human resources
- information network management
- information security officer
- information services help desk or technical support
- information systems management
- internal audit
- laboratory
- marketing and fund raising
- medical records department
- medical staff
- member, customer, or patient services
- mental health or drug alcohol
- operations department
- patient or member communication
- patient or member medical records
- pharmacy
- physical security officer
- physician recruitment and services
- policy administration
- privacy officer
- quality assurance
- radiology
- respiratory
- senior management or executive officers
- skilled care or rehabilitation
- support services
- system users
- systems administration
- trading partners
- underwriting or statistics
- volunteer services
The functional areas listed are just the defaults and can be modified according to how your medical establishment is set up. You may need to add new functional areas such as oncology or pediatrics, and HIPAA-Watch allows you to do that.
Figure 2. Identifying the Respondents
Once a respondent has been designated for each functional area, appropriate audit questions are assigned to each respondent. The survey of questions is extensive. Sample questions include the following:
- Does your organization retain HIPAA security documentation for six years from the date of creation?
- The network automatically scans PCs and workstations for viruses before allowing users to access the network?
- Network servers, peripheral devices, and communications equipment are kept in secured areas?
- There is an up-to-date list of all vendors and support personnel who are authorized to enter your building or facility?
- Access to system log data is restricted to approved personnel?
When you are setting up the survey questions, it is possible to reference the actual HIPAA control standards, with the individual sections cited by their Code of Federal Regulations (CFR) number, as depicted in figure 3.
Figure 3. US HIPAA Code is referenced in control standards.
Question sets can be composed from scratch or imported from previously composed question set libraries. Once the question sets are fully configured, Phase III begins.
A highlight of HIPAA-Watch is the flexibility of the survey process. Respondents can be surveyed automatically over a server or over the web, questionnaires can be e-mailed directly, or question diskettes can be created and distributed throughout the organization. Answers are imported directly back into the appropriate case and compiled with audit trails. Once the data has been compiled, it is ready for Phase III of the risk analysis process: evaluation.
This concludes Part One of a two-part note. Part One provided the vendor background and described Phase I and II of the HIPAA-Watch for Security tool. Part Two will detail Phase III and Phase IV and will also offer product suggestions and user recommendations.
References
Department of Health and Human Services, "What is HIPAA?", http://www.cms.hhs.gov/hipaa/hipaa1/content/more.asp, July 11, 2004.
Department of Health and Human Services, "Health Insurance Reform: Security Standards; Final Rule", http://www.cms.hhs.gov/hipaa/hipaa2/regulations/security/03-3877.pdf, February 20, 2003.
Pabrai, Uday, Getting Started with HIPAA, Premier Press, 2003.
SANS Institute, HIPAA Security Implementation, SANS Press, Version 1.0, January 2004.
Stoneburner, Goguen, and Feringa, Risk Management Guide for Information Technology Systems, National Institute of Standards, Special Publication 800-30, http://csrc.nist.gov/publications/nistpubs/800-30/sp800-30.pdf, October 2001.
Taylor, Laura, "Risk Analysis Tools & How They Work", Relevant Technologies, Inc., http://www.riskwatch.com/Press/RiskAnalysis_Tool_EvalB.htm, May 5, 2002.
Taylor, Laura, "Security Scanning is not Risk Analysis", Jupiter Media, http://www.intranetjournal.com/articles/200207/pse_07_14_02a.html, July 14, 2002.
Tipton and Krause, Information Security Management Handbook, 4th Edition, Auerbach Publications, 2004.
About the Author
Laura Taylor is the President and CEO of Relevant Technologies (http://www.relevanttechnologies.com), a leading provider of original information security content, research advisory services, and best practice IT management consulting services.
Copyright 2004, Relevant Technologies, Inc. All rights reserved.