HIPAA – Introduction to Data Security

Data security, as it relates to the HIPAA, involves the protection of individual health data through the implementation of policies/procedures and technologies that assure data integrity, confidentiality, and availability. Individual health data includes any information that can be used to link a person to their medical records. This information includes the patient’s name, telephone number, social security number, medical record number, photographs, geographic region, and specific dates; such as birth, admission, discharge, or death. The HIPAA security standard organizes the data security requirements into four main groups: (1) Administrative Procedures, (2) Physical Safeguards, (3) Technical Security Services, and (4) Technical Security Mechanisms.

(1) Administrative Procedures defines where individual health data are located and specifies formal procedures to protect these data. Some of the processes included are the creation of a contingency plan to guarantee secure data backup and recovery, granting additional data access rights, incident handling, and employee termination procedures. This section also covers policies and procedures for the ongoing maintenance of a secure information technology configuration including computer virus scanning and the routine evaluation of emerging vulnerabilities.

(2) Physical Safeguards – Many organizations already have some Physical Safeguards in place in the form of card access to buildings and formal visitor sign-in procedures. This section expands upon these requirements by specifying additional measures to protect and recover data from physical disasters and intrusion. One example of a procedure mandated by this section is the handling of data backup tapes. With today’s technology, your organization’s entire patient database (not to mention other sensitive company information) can be stored on one magnetic tape that can easily fit into someone’s shirt pocket. You may have the ultimate security plan in place but if backup tapes are kept in relatively insecure places (near the server, on your desk, in your car, even in your own home) a malicious visitor can walk away with your entire organization’s data.

(3) Technical Security Services and (4) Mechanisms protect the access and transmission of sensitive data. Data access is controlled by the three ‘A’s: Authentication, Authorization, and Auditing. Authentication services control who is allowed access to the network by requiring a unique user identity and one or more access control features (such as a password and/or fingerprint). Authorization requirements define that different levels of data access can be assigned to different user identities. Auditing control specifies that systems are in place to record all access to sensitive data and other critical system activity (such as the unauthorized modification of data access rights). Finally, sensitive data that is transmitted outside of your corporate network must be encrypted so unintended recipients cannot read or alter the data.

New computer network vulnerabilities are discovered every day. These vulnerabilities can come from malicious hackers who exploit inherent flaws in existing software or changes to your infrastructure which obsolete existing security precautions. Maintaining data security is a journey, not a destination. Consistent and aggressive diligence is required to ensure the integrity, confidentiality, and availability of your data.

For more information, please Call or E-mail