HIPAA COMPLIANCE FOR VOYANCE


How healthcare organizations can deploy Nyansa's Voyance analytics platform within a HIPAA-compliant network environment in order to support their mission of delivering best-in-class clinical care.

MARCH, 2018

CONTENTS

3     ABSTRACT
3     INTRODUCTION
3     BACKGROUND
4     DETAILS OF THE SECURITY RULE
7     ADMINISTRATIVE SAFEGUARDS: Security Awareness and Training; Security Incident Procedures
8     PHYSICAL SAFEGUARDS: Media Reuse
8-10  TECHNICAL SAFEGUARDS: Access Controls; Audit Controls; Integrity; Transmission Security
11    VOYANCE SECURITY FOR PUBLIC CLOUD
11    SUMMARY
12    REFERENCES

ABSTRACT

This white paper describes the implications of HIPAA (the Health Insurance Portability and Accountability Act of 1996) on IT operations and analytics within a modern access network, both wired and wireless. We highlight how healthcare organizations can deploy Nyansa's Voyance analytics platform within a HIPAA-compliant network environment in order to support their mission of delivering best-in-class clinical care. The target audience for this white paper is healthcare IT professionals looking to understand the role of IT analytics and performance management in healthcare without compromising their organizations' compliance responsibilities and obligations.

INTRODUCTION

HIPAA (the Health Insurance Portability and Accountability Act of 1996) is a federal law that sets forth, among other things, data privacy and security requirements for safeguarding medical information that is collected, stored, and processed by healthcare institutions and by the service providers and vendors that process some portion of that medical information on behalf of the healthcare institution. HIPAA requires technology vendors that collect, store, or process any personal information related to medical care, called Protected Health Information (PHI), on behalf of healthcare institutions to also comply with obligations related to privacy, security, and breach notification.

The rapidly evolving landscape of healthcare IT, in which network-connected patient monitoring devices, infusion pumps, and high-bandwidth, latency-sensitive applications all use the same shared wireless network to deliver clinical care, has, now more than ever, created the need for advanced monitoring, analytics, and assurance solutions centered on client device and application performance within healthcare environments. Analytics solutions like Voyance extract metrics from network data that describe the user experience of clients in the network. Some of these metrics include PHI data in the form of patient MAC and IP addresses. However, Voyance never inspects, collects or transfers packet payload to any Nyansa server. We focus this white paper on the key tenets of HIPAA that are relevant to IT operations and analytics, and specifically on how Voyance can be used to provide a HIPAA-compliant solution within healthcare IT.

BACKGROUND

Enacted by the U.S. Congress in 1996, HIPAA designates healthcare institutions that collect, store, and process PHI data as Covered Entities (CEs), and their service providers and technology vendors that process some portion of covered medical information as Business Associates (BAs). HIPAA consists of five parts, or Titles. Title II establishes security safeguards, privacy compliance obligations, and security breach notification requirements. After passage of HIPAA in 1996, the Department of Health and Human Services (HHS) created various implementation rules. The ones applicable to Title II are the Privacy Rule, the Security Rule, and the Breach Notification Rule.

DETAILS OF THE SECURITY RULE

Nyansa takes a dual approach to HIPAA compliance and highlights these two approaches in the discussion that follows.

1. Voyance provides the necessary features with which a Covered Entity can itself help secure its Voyance account and ensure it continues to adhere to the applicable tenets of HIPAA. The discussion that follows covers how a Covered Entity can deploy Voyance to meet the applicable requirements within the Security Rule.

2. Nyansa provides security and policy controls as part of our hosted public cloud offering that address the key considerations contemplated within the Privacy and Breach Notification Rules, especially with respect to the obligations of a Business Associate.

The Security Rule establishes three buckets of safeguards that need to be implemented in any system that processes PHI:

ADMINISTRATIVE - policies and procedures concerning the delineation of personnel who have access to PHI, role-based privileges, etc.

PHYSICAL - restrictions around physical access to assets on which PHI is stored or processed.

TECHNICAL - requirements around data encryption, audit logging, etc.

HIPAA itself doesn't provide more detail about what kinds of implementations satisfy these requirements. Rather, the specifics of the Security Rule are codified in the Code of Federal Regulations at Title 45 Part 160 and Part 164, Subparts A and C (45 CFR 160 and 164), as the Security Standards for the Protection of Electronic Protected Health Information, which went into effect April 20, 2005. Each of the three safeguards mentioned in the Security Rule consists of various standards, and each standard is broken down into one or more implementation specifications, each of which is either required or addressable. These implementation specifications provide details on the specific security practices a CE, and by extension a BA, must (or should) ensure are included in its environment. The tables below outline the standards, sections and implementation specifications within the Security Rule.

The implementation specifications relevant to an IT analytics solution like Voyance are outlined below and described in greater detail in the following sections in terms of how a Covered Entity (CE) and Business Associate (BA) can effectively address these requirements.

ADMINISTRATIVE SAFEGUARDS

Standard (Section), followed by its Implementation Specifications:

Security Management Process (164.308(a)(1))
  Risk Analysis
  Risk Management
  Sanction Policy
  Information System Activity Review

Assigned Security Responsibility (164.308(a)(2))

Workforce Security (164.308(a)(3))
  Authorization and/or Supervision
  Workforce Clearance Procedure
  Termination Procedures

Information Access Management (164.308(a)(4))
  Isolating Health Care Clearinghouse Functions
  Access Authorization
  Access Establishment and Modification

Security Awareness and Training (164.308(a)(5))
  Security Reminders
  Protection from Malicious Software
  Log-in Monitoring
  Password Management

Security Incident Procedures (164.308(a)(6))
  Response and Reporting

Contingency Plan (164.308(a)(7))
  Data Backup Plan
  Disaster Recovery Plan
  Emergency Mode Operation Plan
  Testing and Revision Procedures
  Applications and Data Criticality Analysis

Evaluation (164.308(a)(8))

Business Associate Contracts and Other Arrangements (164.308(b)(1))
  Written Contract or Other Arrangement

TECHNICAL SAFEGUARDS

Standard (Section), followed by its Implementation Specifications:

Access Controls (164.312(a)(1))
  Unique User Identification
  Emergency Access Procedure
  Automatic Logoff
  Encryption and Decryption

Audit Controls (164.312(b))

Integrity (164.312(c)(1))
  Mechanism to Authenticate ePHI

Person or Entity Authentication (164.312(d))

Transmission Security (164.312(e)(1))
  Integrity Controls
  Encryption

PHYSICAL SAFEGUARDS

Standard (Section), followed by its Implementation Specifications:

Facility Access Controls (164.310(a)(1))
  Contingency Operations
  Facility Security Plan
  Access Control and Validation Procedures
  Maintenance Records

Workstation Use (164.310(b))

Workstation Security (164.310(c))

Device and Media Controls (164.310(d)(1))
  Disposal
  Media Re-use
  Accountability
  Data Backup and Storage

ADMINISTRATIVE SAFEGUARDS

The Security Rule defines administrative safeguards as "administrative actions, and policies and procedures, to manage the selection, development, implementation, and maintenance of security measures to protect electronic protected health information and to manage the conduct of the covered entity's workforce in relation to the protection of that information." A number of the implementation specifications defined as part of the Administrative Safeguards have implications on how an IT operations and analytics solution like Voyance is deployed. These are defined below, together with how Voyance supports these specifications.

Security Awareness & Training

Specifically, the Security Awareness and Training standard states that covered entities must: "Implement a security awareness and training program for all members of its workforce (including management)." Security training for all new and existing members of the covered entity's workforce is required by the compliance date of the Security Rule. Voyance provides a number of features that help Covered Entities meet the requirements they have under this implementation specification.

Log-In Monitoring (Addressable) 164.308(a)(5)(ii)(C)
Procedures for monitoring log-in attempts and reporting discrepancies.
  - Voyance monitors user login attempts and will lock out after repeated failed login attempts.
  - Voyance provides an activity log that tracks and shows user login activity for each account; this log provides a trail of user logins including user name, login IP, and date/time.

Password Management 164.308(a)(5)(ii)(D)
Procedures for creating, changing, and safeguarding passwords.
  - Voyance complements this requirement with a password rotation policy for the application, strong password requirements, and password reuse checks.

Security Incident Procedures

The purpose of this standard is to require covered entities to address security incidents within their environment. The Security Rule defines a security incident as "the attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system."

Response and Reporting (Required) 164.308(a)(6)(ii)
Identify and respond to suspected or known security incidents; mitigate, to the extent practicable, harmful effects of security incidents that are known to the covered entity; and document security incidents and their outcomes.
  - Nyansa's Security & Operations (SecOps) team monitors for unusual activity using a combination of automated tools, alert thresholds, and manual audit review.
  - In the event of a breach, impacted customers will be notified and provided with an initial assessment within 48 hours of discovery.
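The Log-In Monitoring specification above has two halves: monitor attempts and lock out on repeated failure, and keep a trail that lets someone report discrepancies. The following is an added illustration of both halves, not Nyansa's or Voyance's code: the failure threshold, lockout duration, user name and IP addresses are constructed for the example.

```python
"""Log-in monitoring with lockout and an activity-log trail (164.308(a)(5)(ii)(C)).
Added illustration, not Nyansa/Voyance code; MAX_FAILURES and LOCKOUT_SECONDS are assumed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List

MAX_FAILURES = 5        # consecutive failures that trigger a lockout (assumed)
LOCKOUT_SECONDS = 900   # lockout duration, 15 minutes (assumed)


@dataclass(frozen=True)
class LoginEvent:
    """One activity-log row: user name, login IP, date/time and outcome."""
    user: str
    source_ip: str
    when: datetime
    success: bool
    note: str = ""


@dataclass
class LoginMonitor:
    activity_log: List[LoginEvent] = field(default_factory=list)
    _failures: Dict[str, int] = field(default_factory=dict)
    _locked_until: Dict[str, datetime] = field(default_factory=dict)

    def is_locked(self, user: str, now: datetime) -> bool:
        until = self._locked_until.get(user)
        return until is not None and now < until

    def record(self, user: str, source_ip: str, password_ok: bool, now: datetime) -> bool:
        """Log one attempt and return True only if the login is granted."""
        if self.is_locked(user, now):
            # A correct password does not bypass an active lockout.
            self.activity_log.append(LoginEvent(user, source_ip, now, False, "refused; account locked"))
            return False
        if password_ok:
            self._failures[user] = 0
            self.activity_log.append(LoginEvent(user, source_ip, now, True, "ok"))
            return True
        count = self._failures.get(user, 0) + 1
        note = "failed"
        if count >= MAX_FAILURES:
            self._locked_until[user] = now + timedelta(seconds=LOCKOUT_SECONDS)
            count, note = 0, "failed; lockout triggered"
        self._failures[user] = count
        self.activity_log.append(LoginEvent(user, source_ip, now, False, note))
        return False

    def discrepancies(self) -> List[str]:
        """Findings for the reporting half of the specification: lockouts, and a
        successful login that follows failures from a different source IP."""
        findings: List[str] = []
        last_fail_ip: Dict[str, str] = {}
        for ev in self.activity_log:
            if not ev.success:
                last_fail_ip[ev.user] = ev.source_ip
                if "lockout" in ev.note:
                    findings.append(f"{ev.user}: locked after repeated failures from {ev.source_ip}")
            elif ev.user in last_fail_ip:
                prior = last_fail_ip.pop(ev.user)
                if prior != ev.source_ip:
                    findings.append(f"{ev.user}: success from {ev.source_ip} after failures from {prior}")
        return findings


def demo() -> LoginMonitor:
    """Constructed sample: five bad passwords from one address, a refused attempt
    during the lockout, then a valid login from another address once it expires."""
    t0 = datetime(2018, 3, 1, 9, 0, tzinfo=timezone.utc)
    mon = LoginMonitor()
    for i in range(5):
        mon.record("jdoe", "203.0.113.7", False, t0 + timedelta(seconds=10 * i))
    mon.record("jdoe", "203.0.113.7", True, t0 + timedelta(seconds=60))    # refused: locked
    mon.record("jdoe", "198.51.100.4", True, t0 + timedelta(seconds=1000))  # granted
    return mon
```

The activity log is what a Covered Entity administrator would review; `discrepancies()` shows the kind of condition worth surfacing automatically rather than leaving to manual reading of the trail.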

PHYSICAL SAFEGUARDS

The Security Rule defines physical safeguards as "physical measures, policies, and procedures to protect a covered entity's electronic information systems and related buildings and equipment, from natural and environmental hazards, and unauthorized intrusion." These implementation specifications for physical safeguards are typically outside the scope of an IT operations and analytics solution like Voyance. However, in a later section of this paper, we address how the Voyance backend for our public cloud solution is secured. In this section, we cover the concept of Media Re-Use and how it is related to Voyance.

Media Re-Use (Required) 164.310(d)(2)(ii)
Implement procedures for removal of electronic protected health information from electronic media before the media are made available for re-use.
  - No user traffic is ever stored on the Voyance crawler, nor does user traffic flow back to the Voyance backend.
  - Furthermore, for the Voyance public cloud solution, Nyansa has strict policies in place whereby no storage of customer data on individual employee laptops is permitted.
  - Nyansa also offers a private cloud solution where no customer data leaves the customer premises.

TECHNICAL SAFEGUARDS

The Security Rule defines technical safeguards in 164.304 as "the technology and the policy and procedures for its use that protect electronic protected health information and control access to it."

Access Controls

The Security Rule defines access in 164.304 as "the ability or the means necessary to read, write, modify, or communicate data/information or otherwise use any system resource." Access controls provide users with rights and/or privileges to access and perform functions using information systems, applications, programs, or files. Access controls should enable authorized users to access the minimum necessary information needed to perform job functions.

The Access Control standard requires a covered entity to: "Implement technical policies and procedures for electronic information systems that maintain electronic protected health information to allow access only to those persons or software programs that have been granted access rights as specified in 164.308(a)(4) [Information Access Management]." A covered entity can comply with this standard through a combination of access control methods and technical controls. Its implementation specifications are:

  Unique User Identification (Required)
  Emergency Access Procedure (Required)
  Automatic Logoff (Addressable)
  Encryption and Decryption (Addressable)

Unique User Identification (Required) 164.312(a)(2)(i)
Assign a unique name and/or number for identifying and tracking user identity.
  - Access to the Voyance portal requires a unique username and password whose strength adheres to modern industry standards.
  - Voyance supports single sign-on (SSO) with support for SAMLv2.
  - Voyance provides the Covered Entity complete administrative control to grant and revoke unique users' access to the system.
  - Voyance supports role-based access for different user roles, which allows the Covered Entity to grant permission rights.

Emergency Access Procedure (Required) 164.312(a)(2)(ii)
Establish (and implement as needed) procedures for obtaining necessary electronic protected health information during an emergency.
  - The Voyance platform provides high availability and redundancy in the event of an outage.
  - Unique user identification is still required in the event of an outage/emergency.
  - Nyansa's support staff are available to support access in an emergency without requiring users to be logged into the system.

Automatic Logoff (Addressable) 164.312(a)(2)(iii)
Implement electronic procedures that terminate an electronic session after a predetermined time of inactivity.
  - Voyance has three different timeout values for session management: (1) Idle Timeout, (2) Absolute Timeout, (3) Renewal of Idle Timeout.
  - Voyance provides notification approximately 30 seconds before an idle timeout occurs, with the option to extend the session.

Encryption and Decryption (Addressable) 164.312(a)(2)(iv)
Implement a mechanism to encrypt and decrypt electronic protected health information.
  - Data in transit is encrypted over Secure Sockets Layer (SSL, AES-256).
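The three timeouts named under Automatic Logoff interact in a specific way: activity renews the idle timer, the warning appears shortly before the idle deadline, and no amount of renewal extends the absolute deadline. The following added example, which is not Voyance's implementation, models that policy; the timeout values and the 30-second warning window are assumed parameters, and time is passed in as seconds from a monotonic clock so the scenario is deterministic.

```python
"""Automatic logoff with idle, absolute and renewal-of-idle timeouts (164.312(a)(2)(iii)).
Added illustration, not Voyance's implementation; the timeout values are assumed."""
from dataclasses import dataclass
from typing import Dict, Optional

IDLE_TIMEOUT = 15 * 60       # seconds of inactivity before logoff (assumed)
ABSOLUTE_TIMEOUT = 8 * 3600  # hard lifetime of a session, never extended (assumed)
WARNING_WINDOW = 30          # warn this many seconds before an idle logoff


@dataclass
class Session:
    user: str
    started_at: float      # seconds on a monotonic clock, supplied by the caller
    last_activity: float
    ended_reason: Optional[str] = None

    def _idle_deadline(self) -> float:
        return self.last_activity + IDLE_TIMEOUT

    def _absolute_deadline(self) -> float:
        return self.started_at + ABSOLUTE_TIMEOUT

    def check(self, now: float) -> Optional[str]:
        """Evaluate the session at `now`: None while valid, otherwise the reason
        it was terminated ('absolute' or 'idle'). Termination is sticky."""
        if self.ended_reason is None:
            if now >= self._absolute_deadline():
                self.ended_reason = "absolute"
            elif now >= self._idle_deadline():
                self.ended_reason = "idle"
        return self.ended_reason

    def warning_due(self, now: float) -> bool:
        """True while the 'about to be logged off' prompt should be shown."""
        return self.check(now) is None and self._idle_deadline() - now <= WARNING_WINDOW

    def touch(self, now: float) -> bool:
        """Renewal of idle timeout: user activity (or clicking 'extend session')
        resets the idle timer but never moves the absolute deadline."""
        if self.check(now) is not None:
            return False
        self.last_activity = now
        return True

    def seconds_left(self, now: float) -> float:
        """Time until whichever deadline comes first."""
        return max(0.0, min(self._idle_deadline(), self._absolute_deadline()) - now)


def scenario() -> Dict[str, object]:
    """Constructed walk-through: the warning fires 30 s before idle logoff, an
    extension renews the idle timer, and renewals cannot outlive the absolute limit."""
    s = Session("jdoe", started_at=0.0, last_activity=0.0)
    out: Dict[str, object] = {}
    out["valid_at_10min"] = s.check(600) is None
    out["warn_at_14m30s"] = s.warning_due(870)         # 900 - 870 = 30 -> prompt shown
    out["renewed"] = s.touch(880)                      # user chooses to extend
    out["no_warn_after_renew"] = not s.warning_due(885)
    out["idle_logoff"] = Session("x", 0.0, 0.0).check(900)
    # Keep the session busy every 10 minutes; the absolute timeout still ends it.
    t = 880.0
    while s.check(t) is None:
        s.touch(t)
        t += 600
    out["absolute_logoff"] = s.ended_reason
    out["touch_after_end"] = s.touch(t)
    return out
```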

Audit Controls

A covered entity must consider its risk analysis and organizational factors, such as current technical infrastructure, hardware and software security capabilities, to determine reasonable and appropriate audit controls for information systems that contain or use ePHI.

Audit Controls (Required) 164.312(b)
Implement hardware, software, and/or procedural mechanisms that record and examine activity in information systems that contain or use electronic protected health information.
  - Once unique users and roles are established, all of the users' actions within the Voyance environment (i.e. access of and changes to each page within Voyance) are logged and can be reviewed by the Covered Entity administrator or a third party.

Integrity

Integrity is defined in the Security Rule, at 164.304, as "the property that data or information have not been altered or destroyed in an unauthorized manner." Voyance collects a limited set of PHI; specifically, device MAC and IP addresses and relative location of devices. The integrity rule has limited applicability to an out-of-band analytics solution like Voyance.

Mechanism to Authenticate Electronic Protected Health Information (Addressable) 164.312(c)(2)
Implement electronic mechanisms to corroborate that electronic protected health information has not been altered or destroyed in an unauthorized manner.
  - Voyance is an out-of-band monitoring and analytics solution. The solution cannot alter any type of PHI within an environment where Voyance is deployed.
  - A Voyance user cannot delete data from Voyance, and Nyansa has audit logs in place to determine if a Nyansa employee has deleted any data from a customer account.

Transmission Security

The final standard listed in the Technical Safeguards section is Transmission Security. This standard requires a covered entity to: "Implement technical security measures to guard against unauthorized access to electronic protected health information that is being transmitted over an electronic communications network."

Encryption (Addressable) 164.312(e)(2)(ii)
Implement a mechanism to encrypt electronic protected health information whenever deemed appropriate.
  - Voyance encrypts all data in transit over SSL (TLS 1.2, AES-256) on port 443.

VOYANCE SECURITY FOR PUBLIC CLOUD

The Voyance public cloud offering is a secure, cloud-based IT network analytics SaaS service provided by Nyansa and hosted within an AWS virtual private cloud (VPC). Voyance delivers a multi-layered security architecture focused on end-user, back-end, and application security, employing secure access controls, logical isolation, and adherence to state-of-the-art physical and cyber security standards. Voyance collects a limited amount of information that may be considered PHI, namely device MAC and IP addresses and relative location of those devices. The data collected by Voyance is collected exclusively for the purpose of delivering the Voyance service.

Voyance's backend infrastructure is hosted in Amazon Web Services (AWS) availability zones and regions that meet the following standards:
  - SOC 1, Attestation Standard Section 801 (formerly SSAE 16)
  - Security: SOC 2 / SOC 3, Attestation Standard Section 101

The following technologies and processes are required for access to our production systems:
  - Two-factor authentication is required to access our cloud console.
  - Access to AWS servers is via a VPN tunnel using secure certificates and an MFA token.
  - All access to backend production servers is logged by the VPN server and the server authentication logs.

SUMMARY

Successfully implemented, these standards and implementation specifications provide Covered Entities the tools they need to confidently deploy Nyansa Voyance in their HIPAA-compliant environment.

REFERENCES

HIPAA Security Series #2 - Administrative Safeguards
HIPAA Security Series #3 - Physical Safeguards
HIPAA Security Series #4 - Technical Safeguards
Nyansa Security & Privacy FAQ

Visit the Office for Civil Rights website, http://www.hhs.gov/ocr/hipaa, for the latest guidance, FAQs and other information on the Privacy Rule.

ABOUT NYANSA

Founded September 2013 in Palo Alto, CA by technology professionals from MIT, Meraki, Aruba Networks, and Google, Nyansa is a fast-growing innovator of the next generation of cloud-based IT operation analytics (ITOA) technology. The company is credited with developing the first patented, massively scalable data analytics system architecture for mobile enterprise networks that uniquely extracts, analyzes, and correlates both wired and wireless data across the entire network applications stack. Focusing on real wired and wireless user traffic traversing the network, the Nyansa platform proactively predicts problems and suggests resolutions for clients, network services, and applications, uniquely applying analytics across multiple customer environments to provide unmatched insight into broader issues experienced by everyone. This gives organizations the ability to effectively cut in half the time and expense related to optimizing IT network operations by radically simplifying and speeding the remediation of wired and wireless problems that affect user performance from the client to the cloud.