HIPAA – Technical Safeguards

February 17th, 2009 by Walter Goulet

A large part of my job requires me to dig into security standards to help figure out how to create consulting services to assist customers with achieving compliance. One standard I’ve never looked into before is HIPAA (Health Insurance Portability and Accountability Act of 1996). HIPAA is not a security standard per se, but rather a set of administrative rules established by the US Department of Health and Human Services to govern how health information is accurately and securely exchanged between medical institutions and other institutions that have a legal need to access patient medical data.

HIPAA is encoded in the US Code of Federal Regulations, Title 45, Parts 160, 162 and 164 (see here for the CFR). Part 164 is the most interesting section for a security professional, as it describes the security and privacy requirements that must be satisfied by organizations that must comply with HIPAA regulations (these entities are called ‘covered entities’). Unfortunately, Part 164 is further divided into 31 subsections that define the actual security requirements. Rather than digging into each of these subsections, I’m going to focus on subsection 312, which defines the technical safeguards that must be implemented by covered entities. Subsection 312 specifies 5 standard safeguards: access control, audit controls, integrity, person or entity authentication, and transmission security. The code further specifies implementation requirements for each standard. The following mindmap graphically illustrates Subsection 312.

Mindmap of CFR 164, Section 312

As far as legislation goes, the HIPAA Technical Safeguards are fairly well written in terms of striking a good balance between actionable requirements and room for interpretation, which keeps the standard independent of changes in technology (for example, the Encryption safeguards do not name specific encryption algorithms that need to be used). However, the Safeguards are too vague to use alone. Therefore, NIST prepared a Special Publication, SP800-66 Rev1 (found here), that can be used to help interpret the safeguards by mapping them to specific controls described in NIST documentation. In a future post, I’ll further examine NIST SP800-66 and attempt to summarize some of the specific security controls that implement the HIPAA Technical Safeguards.


