HIPAA Compliance In 30 Days or Less
With the deadline looming, our security manager gives an assist to the fellow in charge of meeting the mandates of the security rule.
Computerworld - HIPAA. We are all sick of the acronym by now, and the April 20 compliance deadline for the Health Insurance Portability and Accountability Act is looming.
At the state agency where I work, the information security officer (ISO), who is responsible for HIPAA security rule compliance, has spent the past seven months or so writing policies and procedures. He divided them into two groups: "required" (stuff we have to do) and "addressable" (stuff we'd better be thinking about doing).
When I came aboard, only one of the policies had been approved by the agency chiefs. Everything is done by consensus here -- if one chief doesn't like a single sentence, the policy is rejected, edited and then resubmitted. I was starting to panic about the approaching deadline. If we can't get the policies approved, we certainly can't implement them.
I did what any respectable security professional would do under the circumstances. First, I asked each chief to support the policy-approval process. Next, wanting to find a template that would be widely accepted but not wanting to reinvent the wheel, I went to the Web site of the National Institute of Standards and Technology (NIST) and downloaded every available document related to security and compliance with the HIPAA security rule.
Special Publication 800-66, titled "An Introductory Resource Guide for Implementing the Health Insurance Portability and Accountability Act (HIPAA) Security Rule," was just what our ISO needed: a step-by-step guide to compliance. A table on page 13 of this handy document defines each standard of the rule, identifies its section number and outlines implementation specifications, noting which ones are required and which are addressable. Even better, pages 16 through 54 describe various "key activities" and provide sample questions. This was the perfect project outline to give to a HIPAA newbie.
I went one step further and took the NIST outline and plunked it into Microsoft Project, defined major milestones, allocated resources and hung the Gantt chart on my wall. I also printed all of the related NIST documents and put them in a big binder.
I wanted to show my ISO how to formulate a project plan. I wanted him to understand what he was going to be held accountable for and how short the time frame for implementation was.
When I showed the plan to my boss, I felt the need to apologize for my micromanagement. "I don't usually go to this length with a direct report, but I need to get through to this guy that this is the quality of work we expect from him. He
- Mobile First: Securing Information Sprawl Learn how the partnership between Box and MobileIron can help you execute a "mobile first" strategy that manages and secures both mobile apps...
- Cybersecurity Imperatives: Reinvent your Network Security The Rise of CyberSecurity
- Surescripts Case Study- Securing Keys and Certificates Surescripts implemented Venafi's Trust Protection Platform™ to secure digital keys and certificates, ensure the privacy and confidentiality of electronic clinical information for its...
- Ponemon 2014 SSH Security Vulnerability Report According to research by the Ponemon Institute, 3 out of 4 enterprises have no security controls in place for SSH which leaves organizations...
- Responding to New SSL Cybersecurity Threat The featured Gartner research examines current strategies to address new SSL cybersecurity threats and vulnerabilities.
- Deep Dive into Advanced Networking and Security with Hybrid Cloud Security and networking are among the top concerns when moving workloads to the cloud. VMware vCloud® Hybrid Service™ enables you to extend your... All Security White Papers | Webcasts
Our new bimonthly Internet of Things newsletter helps you keep pace with the rapidly evolving technologies, trends and developments related to the IoT. Subscribe now and stay up to date!